Re: Code Red/Nimda

  • From: "Jay" <jschwarzkopf@xxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 10 Apr 2002 12:42:02 -0400

Sushil,
URLScan will prevent logging of these.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/urlscan.asp


----- Original Message -----
From: "Jim Harrison" <jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, April 10, 2002 9:51 AM
Subject: [isalist] Re: Code Red/Nimda


> http://www.ISAserver.org
>
>
> It would appear that you've either:
> 1. used packet filters or server publishing to publish that site
> 2. used an "any request" destination in a web publishing rule
> 3. used an IP address in the destination set for the web publishing rule
> 4. turned off packet filtering
> ..the list goes on.
>
> All web sites should be web-published and specific destinations defined for
> each.
> This will allow the ISA Web Proxy service to act as a URL filter for you and
> block this stuff by default.
>
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/authors/harrison/
> Read the books!
> ----- Original Message -----
> From: "Sushil Bhalla" <sushilb@xxxxxxxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, April 10, 2002 3:09 AM
> Subject: [isalist] Code Red/Nimda
>
> Hello All,
>
> I have SBS2000 (W2K with SP2, E2K with SP1, ISA2K, IIS) all installed on
> one server.
>
> I am getting a lot of the following entries in my IIS logs from different IPs:
>
> 2002-04-09 21:20:36 203.253.28.53 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET /scripts/root.exe /c+dir 404 3 3396 72 62 HTTP/1.0 www - - -
> 2002-04-09 21:20:42 203.253.28.53 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET /MSADC/root.exe /c+dir 404 3 3396 70 0 HTTP/1.0 www - - -
> 2002-04-09 21:20:43 203.253.28.53 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET /c/winnt/system32/cmd.exe /c+dir 404 3 3396 80 15 HTTP/1.0 www - - -
> 2002-04-09 21:20:45 203.253.28.53 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET /d/winnt/system32/cmd.exe /c+dir 404 3 3396 80 0 HTTP/1.0 www - - -
> 2002-04-09 21:20:47 203.253.28.53 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 3 3396 96 0 HTTP/1.0 www - - -
> 2002-04-09 21:20:49 203.253.28.53 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 3 3396 117 0 HTTP/1.0 www - - -
> 2002-04-09 21:20:50 203.253.28.53 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 3 3396 117 0 HTTP/1.0 www - - -
>
>
> I know 404 IS A GOOD SIGN for me. But what can I do to prevent even logging
> of these entries? What Service Packs or patches are needed and where can I
> get these?
>
> Thanks in advance for all your help.
>
> Sushil Bhalla
> Imageware International
>
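
Added example, not part of the original thread and not code from URLScan or ISA Server: a Python triage of IIS log entries like those quoted above. It counts the `root.exe` / `cmd.exe` / `..%5c` probes per client and lists any that returned something other than 404. The field order is assumed from the quoted entries, and the 192.0.2.x lines are constructed sample data.

```python
import re
from collections import defaultdict

# Field order assumed from the entries quoted in the thread (no #Fields header is shown there).
FIELDS = (
    "date time c_ip cs_username s_sitename s_computername s_ip s_port "
    "cs_method cs_uri_stem cs_uri_query sc_status sc_win32_status "
    "sc_bytes cs_bytes time_taken cs_version cs_host user_agent cookie referer"
).split()

# Signatures taken from the requests in the quoted log.
PROBE = re.compile(r"/root\.exe$|/cmd\.exe$|\.\.%5c", re.IGNORECASE)

# First three lines are from the thread; the two 192.0.2.x lines are constructed.
SAMPLE = """\
2002-04-09 21:20:36 203.253.28.53 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET /scripts/root.exe /c+dir 404 3 3396 72 62 HTTP/1.0 www - - -
2002-04-09 21:20:43 203.253.28.53 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET /c/winnt/system32/cmd.exe /c+dir 404 3 3396 80 15 HTTP/1.0 www - - -
2002-04-09 21:20:47 203.253.28.53 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 3 3396 96 0 HTTP/1.0 www - - -
2002-04-09 21:21:05 192.0.2.10 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET /scripts/root.exe /c+dir 200 0 512 72 31 HTTP/1.0 www - - -
2002-04-09 21:22:00 192.0.2.20 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET /default.htm - 200 0 1024 60 15 HTTP/1.0 www - - -
"""

def parse(line):
    """Split one log entry into named fields; skip directives and malformed lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def scan(text):
    """Return {client_ip: {"probes": n, "review": [uri, ...]}} for matching requests."""
    report = defaultdict(lambda: {"probes": 0, "review": []})
    for line in text.splitlines():
        rec = parse(line)
        if rec is None or not PROBE.search(rec["cs_uri_stem"]):
            continue
        entry = report[rec["c_ip"]]
        entry["probes"] += 1
        if rec["sc_status"] != "404":  # the probe was not answered with "not found"
            entry["review"].append(rec["cs_uri_stem"])
    return dict(report)

if __name__ == "__main__":
    for ip, entry in scan(SAMPLE).items():
        verdict = "REVIEW" if entry["review"] else "all 404"
        print(ip, entry["probes"], verdict, entry["review"])
```
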


