Strange Log Entries - Possibly Code Red?

[lifegard2]

I'm starting to see some odd entries in my IIS logs. Here are a few:

GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500

GET /msadc/..Á../..Á../..Á../winnt/system32/cmd.exe 404

202.172.42.226 - GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 - - -

Now, I know the 404 is good, not found. However, what is the 500 for cmd.exe? We were hit with Nimda (I think it was Nimda) about a year and a half ago. Since then I have rebuilt the server and reformat/reinstalled the OS (NT4).

Also, the default.ida showing status 200, my guess is that's not good. Any ideas, tips, or hints?

 

[lifegard2]

Oh, also seeing:

09:40:14 61.178.24.171 GET /_vti_inf.html 200
09:40:16 61.178.24.171 POST /_vti_bin/_vti_aut/author.dll 200

In the logs. Not sure what they are being able to post, but it is enough to make me nervous. From what I can tell this entry occurs when you have IE and FPSE/OSE installed. It's the method the client uses to save changes to an Office document. Only trouble is, there is no office document being opened before this entry is seen.

 

[vgrice]

Check out

http://www.securityspace.com/smysecure/w32_nmda_amm.html

Vince Grice
vgrice@hotmail.com
MCSE Win2K, NT; MCSA; MCP+I

I not only use all the brains I have, but all I can borrow.
- Woodrow Wilson