RE: Interesting Log entry

  • From: "Thomas W. Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 19 Jul 2001 16:07:01 -0500

Those IP addresses are making inbound HTTP requests. However, they are
requesting resources that are not available to them since there is no
site and content rule that allows access by IP address, and I don't run
IIS on the ISA Server itself (you never should, IMHO).

But those are other people's infected servers.

HTH,
Tom
www.isaserver.org/shinder


-----Original Message-----
From: Andrews, Bryan (COX-Atlanta) [mailto:Bryan.Andrews@xxxxxxx] 
Sent: Thursday, July 19, 2001 4:03 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Interesting Log entry


http://www.ISAserver.org


Those are not your servers? 


 -----Original Message-----
From:   Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent:   Thursday, July 19, 2001 4:25 PM
To:     [ISAserver.org Discussion List]
Subject:        [isalist] RE: Interesting Log entry


Hi Gabriel,
 
Yes! Here's some more interesting stuff:
 
12.64.69.119      anonymous  -  N  7/19/2001  10:24:30  W3ReverseProxy  MIDAS  -  www.worm.com
199.8.153.120     anonymous  -  N  7/19/2001  13:10:26  W3ReverseProxy  MIDAS  -  www.worm.com
200.171.14.51     anonymous  -  N  7/19/2001  11:23:42  W3ReverseProxy  MIDAS  -  www.worm.com
202.101.167.244   anonymous  -  N  7/19/2001  12:19:36  W3ReverseProxy  MIDAS  -  www.worm.com
204.112.136.51    anonymous  -  N  7/19/2001  14:53:54  W3ReverseProxy  MIDAS  -  www.worm.com
205.147.225.235   anonymous  -  N  7/19/2001  13:28:28  W3ReverseProxy  MIDAS  -  www.worm.com
207.12.237.7      anonymous  -  N  7/19/2001  12:07:45  W3ReverseProxy  MIDAS  -  www.worm.com
209.158.17.60     anonymous  -  N  7/19/2001  13:30:25  W3ReverseProxy  MIDAS  -  www.worm.com
211.63.30.196     anonymous  -  N  7/19/2001  13:29:43  W3ReverseProxy  MIDAS  -  www.worm.com
216.109.149.170   anonymous  -  N  7/19/2001  14:27:06  W3ReverseProxy  MIDAS  -  www.worm.com
216.183.19.198    anonymous  -  N  7/19/2001  14:42:40  W3ReverseProxy  MIDAS  -  www.worm.com
216.191.235.46    anonymous  -  N  7/19/2001  11:23:31  W3ReverseProxy  MIDAS  -  www.worm.com
216.221.206.195   anonymous  -  N  7/19/2001  14:35:17  W3ReverseProxy  MIDAS  -  www.worm.com
216.233.80.70     anonymous  -  N  7/19/2001  10:24:30  W3ReverseProxy  MIDAS  -  www.worm.com
24.246.144.186    anonymous  -  N  7/19/2001  14:48:39  W3ReverseProxy  MIDAS  -  www.worm.com
61.128.225.67     anonymous  -  N  7/19/2001  15:14:25  W3ReverseProxy  MIDAS  -  www.worm.com
63.109.209.102    anonymous  -  N  7/19/2001  13:00:45  W3ReverseProxy  MIDAS  -  www.worm.com
63.68.6.73        anonymous  -  N  7/19/2001  14:24:34  W3ReverseProxy  MIDAS  -  www.worm.com
 
These apparently are compromised servers.
 
What fun :-\
 
Tom

        -----Original Message-----
        From: Gabriel Zabal [mailto:gabriel@xxxxxxxxxxx] 
        Sent: Thursday, July 19, 2001 3:16 PM
        To: [ISAserver.org Discussion List]
        Subject: [isalist] RE: Interesting Log entry
        
        
        Yeah, it seems that someone tried the MS01-033 bug on your server.
        Gabriel

                -----Original Message-----
                From: TRIEU, KENNY [mailto:KTRIEU@xxxxxxxxxxxxxxxx]
                Sent: Thursday, July 19, 2001 05:11 p.m.
                To: [ISAserver.org Discussion List]
                Subject: [isalist] RE: Interesting Log entry
                
                

                I think it's related to the IIS server attack that happened in the last few days. Check the following link for more information:

                http://www.zdnet.com/zdnn/stories/news/0,4586,5094345,00.html



                -----Original Message----- 
                From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
                Sent: Thursday, July 19, 2001 1:02 PM 
                To: [ISAserver.org Discussion List] 
                Subject: [isalist] Interesting Log entry 



                Anyone see a log entry like this recently in their web proxy log?

                204.112.136.51, anonymous, -, N, 7/19/2001, 14:53:54,
W3ReverseProxy, 
                MIDAS, -, www.worm.[inserted so you don't hurt
yourself]com, -, 0, 360, 
                4039, 0, -, TCP, GET, http://www.worm.com[inserted so
you don't hurt 
        
yourself]/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN

        
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN

        
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN

        
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3

        
%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b

                %u53ff%u0078%u0000%u00=a, -, -, 12202, 0x0, Default
rule, - 

                -----Original Message----- 
                From: Thomas W. Shinder 
                Sent: Thursday, July 19, 2001 2:05 PM 
                To: [ISAserver.org Discussion List] 
                Subject: [isalist] RE: isalist 



                Hey Everyone, 

                Stephen is the engine that makes the entire Isaserver.org organization
                run. He's the guy that does the stuff behind the scenes, and without his
                leadership, we all wouldn't have the great resources we have in
                www.isaserver.org!

                Three cheers for Stephen! 

                HTH, 
                :-) 

                Tom 
                www.isaserver.org/shinder 


                Thomas W Shinder, M.D., MCSE, MCT 

                -----Original Message----- 
                From: David Dellanno [ mailto:david@xxxxxxxxxx] 
                Sent: Thursday, July 19, 2001 1:39 PM 
                To: [ISAserver.org Discussion List] 
                Subject: [isalist] isalist 


                  
                -A Jedi's life (Network Admin's life) 
                  
                ...it will be a hard life..one without reward...without
                remorse....without regret.  A path will be placed before you... the
                choice is yours alone...do what you think you cannot do.   It will be a
                hard life...but you will find out who... you really are.....
                  
                "Qui-Gon Jinn" 
                  
                Keep up the good work Steve! 
                David V. Dellanno 
                msdemo.net 
                (Cel.) 678.778.7220 
                (Res.) 770.736.8794 

                ------------------------------------------------------ 
                You are currently subscribed to this ISAserver.org
Discussion List as: 
                tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank
email to 
                $subst('Email.Unsub') 
                To customise your settings for the list, kindly visit 
                http://www.webelists.com/cgi/lyris.pl?enter=isalist 



------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')
To customise your settings for the list, kindly visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
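
A defender-side check for the kind of record quoted in this thread, added here as an example and not part of any of the original messages: it flags `.ida`/`.idq` requests whose query string is padded or `%u`-encoded and counts them per source address. The column positions are read off the sample record in the thread and are an assumption about the log layout; the host name, computer name `PROXY1`, addresses and padding in `SAMPLE` are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Column positions read off the sample record quoted in the thread
# (assumption: comma-separated, same column order; URLs contain no commas).
F_CLIENT, F_URL = 0, 18

LONG_RUN = re.compile(r"(.)\1{99,}")       # one character repeated 100+ times
PCT_U = re.compile(r"%u[0-9a-fA-F]{4}")    # IIS-specific %uXXXX encoding
INDEX_EXT = (".ida", ".idq")               # Indexing Service ISAPI extensions (MS01-033)


def is_suspect(url):
    """True for an .ida/.idq request whose query is padded or %u-encoded."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith(INDEX_EXT):
        return False
    query = parts.query
    return bool(LONG_RUN.search(query)) or len(PCT_U.findall(query)) >= 4


def suspect_sources(lines):
    """Count suspect requests per client IP, skipping short or malformed lines."""
    hits = Counter()
    for line in lines:
        fields = [f.strip() for f in line.split(",")]
        if len(fields) > F_URL and is_suspect(fields[F_URL]):
            hits[fields[F_CLIENT]] += 1
    return hits


def _rec(ip, url):
    # Constructed record in the same layout as the thread's sample line.
    return (f"{ip}, anonymous, -, N, 7/19/2001, 14:53:54, W3ReverseProxy, PROXY1, -, "
            f"www.example.test, -, 0, 360, 4039, 0, -, TCP, GET, {url}, -, -, 12202, "
            "0x0, Default rule, -")


# Constructed sample input: documentation-range IPs, placeholder padding.
PADDED = "http://www.example.test/default.ida?" + "N" * 224 + "%u9090" * 6 + "=a"
SAMPLE = [
    _rec("192.0.2.10", PADDED),
    _rec("198.51.100.7", PADDED),
    _rec("192.0.2.10", PADDED),
    _rec("203.0.113.5", "http://www.example.test/index.htm?q=isa"),
    "truncated, line",
]

if __name__ == "__main__":
    for ip, n in suspect_sources(SAMPLE).most_common():
        print(ip, n)
```
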

