Cisco Support Community
Community Member

Cisco Security Agent events

I'm getting the below errors in the Cisco Security Agent logs. I'm not sure if this is the result of a break-in attempt or a scan by the organization here. Anyone seen these before or can decipher?

11/27/2006 3:59:00 PM: The process 'C:\WINNT\system32\inetsrv\inetinfo.exe' (as user NT AUTHORITY\SYSTEM) attempted to receive the data '/<Rejected-By-UrlScan>?~/scripts/..%c1%8s../winnt/system32/cmd.exe'. The operation was denied.

11/27/2006 3:59:00 PM: The process 'C:\WINNT\system32\inetsrv\inetinfo.exe' (as user NT AUTHORITY\SYSTEM) attempted to receive the data '/<Rejected-By-UrlScan>?~/scripts/..%c0%qf../winnt/system32/cmd.exe'. The operation was denied.

11/27/2006 3:59:00 PM: The process 'C:\WINNT\system32\inetsrv\inetinfo.exe' (as user NT AUTHORITY\SYSTEM) attempted to receive the data '/<Rejected-By-UrlScan>?~/scripts/..%c0%9v../winnt/system32/cmd.exe'. The operation was denied.

11/27/2006 3:59:00 PM: The process 'C:\WINNT\system32\inetsrv\inetinfo.exe' (as user NT AUTHORITY\SYSTEM) attempted to receive the data '/<Rejected-By-UrlScan>?~/scripts/..%c1%1c../winnt/system32/cmd.exe'. The operation was denied.

11/27/2006 3:59:00 PM: The process 'C:\WINNT\system32\inetsrv\inetinfo.exe' (as user NT AUTHORITY\SYSTEM) attempted to receive the data '/<Rejected-By-UrlScan>?~/scripts/..%255c../winnt/system32/cmd.exe'. The operation was denied.

11/27/2006 3:59:00 PM: The process 'C:\WINNT\system32\inetsrv\inetinfo.exe' (as user NT AUTHORITY\SYSTEM) attempted to receive the data '/<Rejected-By-UrlScan>?~/scripts/iisadmin/bdir.htr'. The operation was denied.

11/27/2006 3:59:00 PM: The process 'C:\WINNT\system32\inetsrv\inetinfo.exe' (as user NT AUTHORITY\SYSTEM) attempted to receive the data '/PDG_Cart/shopper.conf'. The operation was denied.

11/27/2006 3:59:00 PM: The process 'C:\WINNT\system32\inetsrv\inetinfo.exe' (as user NT AUTHORITY\SYSTEM) attempted to receive the data '/_vti_pvt/authors.pwd'. The operation was denied.

11/27/2006 3:59:00 PM: The process 'C:\WINNT\system32\inetsrv\inetinfo.exe' (as user NT AUTHORITY\SYSTEM) attempted to receive the data '/./.././.././.././winnt/win.ini'. The operation was denied.

11/27/2006 3:59:00 PM: The process 'C:\WINNT\system32\inetsrv\inetinfo.exe' (as user NT AUTHORITY\SYSTEM) attempted to receive the data '/./.././.././.././windows/win.ini'. The operation was denied.

11/27/2006 3:59:00 PM: The process 'C:\WINNT\system32\inetsrv\inetinfo.exe' (as user NT AUTHORITY\SYSTEM) attempted to receive the data '/<Rejected-By-UrlScan>?~/scripts/iisadmin/bdir.htr'. The operation was denied.
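A triage sketch for events in the format quoted above, added here as an example; it is not part of the original post and not a Cisco tool. The function names and tag names are hypothetical, and the line format is assumed from the events in the post. It normalizes each request string before matching and summarizes the burst by timestamp and request type.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Five of the log lines from the post above, copied verbatim.
SAMPLE = r"""
11/27/2006 3:59:00 PM: The process 'C:\WINNT\system32\inetsrv\inetinfo.exe' (as user NT AUTHORITY\SYSTEM) attempted to receive the data '/<Rejected-By-UrlScan>?~/scripts/..%c1%8s../winnt/system32/cmd.exe'. The operation was denied.
11/27/2006 3:59:00 PM: The process 'C:\WINNT\system32\inetsrv\inetinfo.exe' (as user NT AUTHORITY\SYSTEM) attempted to receive the data '/<Rejected-By-UrlScan>?~/scripts/..%255c../winnt/system32/cmd.exe'. The operation was denied.
11/27/2006 3:59:00 PM: The process 'C:\WINNT\system32\inetsrv\inetinfo.exe' (as user NT AUTHORITY\SYSTEM) attempted to receive the data '/<Rejected-By-UrlScan>?~/scripts/iisadmin/bdir.htr'. The operation was denied.
11/27/2006 3:59:00 PM: The process 'C:\WINNT\system32\inetsrv\inetinfo.exe' (as user NT AUTHORITY\SYSTEM) attempted to receive the data '/_vti_pvt/authors.pwd'. The operation was denied.
11/27/2006 3:59:00 PM: The process 'C:\WINNT\system32\inetsrv\inetinfo.exe' (as user NT AUTHORITY\SYSTEM) attempted to receive the data '/./.././.././.././winnt/win.ini'. The operation was denied.
"""
EVENT = re.compile(
    r"^(?P<ts>[\d/]+ [\d:]+ [AP]M): The process '(?P<proc>[^']+)' \(as user (?P<user>[^)]+)\) "
    r"attempted to receive the data '(?P<data>.*)'\. The operation was (?P<action>\w+)\.$")

def normalize(data, rounds=3):
    """Percent-decode repeatedly so %255c -> %5c -> backslash becomes visible."""
    for _ in range(rounds):
        data, prev = unquote(data, errors="replace"), data
        if data == prev:
            break
    return data

def classify(data):
    """Return descriptive tags for one 'attempted to receive the data' string."""
    tags = set()
    if data.startswith("/<Rejected-By-UrlScan>"):
        tags.add("urlscan-rejected")
    if re.search(r"%25[0-9a-f]{2}", data, re.I):
        tags.add("double-encoded")
    if re.search(r"%c[01]%", data, re.I):
        tags.add("c0-c1-lead-byte")  # bytes 0xC0/0xC1 never occur in valid UTF-8
    if re.search(r"%(?![0-9a-f]{2})", data, re.I):
        tags.add("malformed-escape")
    if re.search(r"\.\.[/\\]", normalize(data)):
        tags.add("traversal")
    return tags

def triage(log_text):
    """Summarise events: count per timestamp, tag counts, whether all were denied."""
    events = [m.groupdict() for m in map(EVENT.match, log_text.splitlines()) if m]
    return {
        "per_timestamp": Counter(e["ts"] for e in events),
        "tags": Counter(t for e in events for t in classify(e["data"])),
        "all_denied": all(e["action"] == "denied" for e in events),
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The per-timestamp count and the mix of tags are what to compare against any authorized scan window when deciding where a burst like this came from.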

4 REPLIES

Re: Cisco Security Agent events

On which platform are you running the CSA? Unity, CCM, etc.?

Re: Cisco Security Agent events

There are some bugs in CSA with Unity: when you search for a user with some characters like [, CSA blocks the search, etc.

I recommend that you upgrade the CSA to the latest version.

Community Member

Re: Cisco Security Agent events

These errors are seen on three CallManager servers, though, not on the Unity servers. Each of two Subscribers and the Publisher are seeing similar log events.

Community Member

Re: Cisco Security Agent events

These are three Cisco MCS 7835 CallManager servers running 4.1(3)
