We got three requests for /_vti_bin/owssvr.dll a short time before our server had some serious issues. We were getting database connection errors and our SSL functionality was hosed. These requests were made by two different IPs. There is one similar request at the bottom from an earlier date. Some actions today also deleted all our request logs prior to: 05/12/2007:20:55:17 -0800
However I have some backup logs.
Not sure if the two are linked, but here is more information so far related to this hack:
A few different requests were made, first from 220.127.116.11 and then from 18.104.22.168
session created: Wed Dec 05 15:15:48 PST 2007
Accept: */*
AcceptEncoding: gzip, deflate
UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)
Could be this person at Valley Medical Center doesn't know their machine is hacked... or an accident by some IT person, but I doubt it based on the consistency with which this appears in our logs.
OrgName: Valley Medical Center
Address: 400 S 43rd Street
NetRange: 22.214.171.124 - 126.96.36.199
Second set of requests for this particular file were from:
session created: Wed Dec 05 15:04:58 PST 2007
Accept: */*
UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Boeing Kit; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
I also had a related but not exactly the same request from New Zealand IP 188.8.131.52
Could this be the same guy who was just stopped by the BotRoast program?
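An added example, not from the post above, of how a defender could pull this kind of request out of backup access logs: a small Python script that parses NCSA combined-format lines, keeps only requests for /_vti_bin/owssvr.dll, and groups them by source IP together with the User-Agent strings seen. The sample log lines, IPs and timestamps are constructed for the example (the poster's own log format differs).

```python
import re
from collections import defaultdict

# Matches NCSA combined log format: ip ident user [ts] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

WATCH_PATH = "/_vti_bin/owssvr.dll"

# Constructed sample log (documentation-range IPs, made-up timestamps; not the poster's data).
SAMPLE_LOG = """\
198.51.100.10 - - [05/Dec/2007:15:04:58 -0800] "GET /_vti_bin/owssvr.dll HTTP/1.1" 404 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.10 - - [05/Dec/2007:15:05:02 -0800] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.7 - - [05/Dec/2007:15:15:48 -0800] "GET /_vti_bin/owssvr.dll?constructed=1 HTTP/1.1" 404 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1)"
198.51.100.10 - - [05/Dec/2007:15:16:10 -0800] "POST /_vti_bin/owssvr.dll HTTP/1.1" 404 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
this line is not a valid log entry and is skipped
"""

def find_hits(log_text, watch_path=WATCH_PATH):
    """Return {ip: [record, ...]} for every request whose path (query string stripped) equals watch_path."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines instead of aborting the whole scan
        path = m.group("target").split("?", 1)[0]
        if path == watch_path:
            hits[m.group("ip")].append({
                "ts": m.group("ts"), "method": m.group("method"),
                "status": m.group("status"), "ua": m.group("ua")})
    return dict(hits)

def summarize(hits):
    """Per-IP request count and distinct User-Agent strings, to spot repeated probing from one source."""
    return {ip: {"count": len(recs), "user_agents": sorted({r["ua"] for r in recs})}
            for ip, recs in hits.items()}

if __name__ == "__main__":
    for ip, info in summarize(find_hits(SAMPLE_LOG)).items():
        print(f"{ip}: {info['count']} request(s) for {WATCH_PATH}; UAs: {info['user_agents']}")
```

Point it at a real backup log by replacing SAMPLE_LOG with the file contents; the same grouping then gives a quick list of which sources hit the path and when.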