Question about logs

  • From: "Greg Foulks" <greg.foulks@xxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 25 Feb 2002 13:48:50 -0500

Sorry about this but it seems that the discussion board is down.


I am looking through my W3SVC logs and noticed the following....

#Date: 2002-02-25 02:45:13
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2002-02-25 02:45:13 10.0.0.1 - 10.0.0.32 80 GET /robots.txt - 404 Mozilla/3.0+(Slurp/si;+slurp@xxxxxxxxxxx;+http://www.inktomi.com/slurp.html)
2002-02-25 03:03:14 10.0.0.1 - 10.0.0.32 80 GET /scripts/root.exe /c+dir 404 -
2002-02-25 03:03:14 10.0.0.1 - 10.0.0.32 80 GET /MSADC/root.exe /c+dir 403 -
2002-02-25 03:03:14 10.0.0.1 - 10.0.0.32 80 GET /c/winnt/system32/cmd.exe /c+dir 404 -
2002-02-25 03:03:14 10.0.0.1 - 10.0.0.32 80 GET /d/winnt/system32/cmd.exe /c+dir 404 -
2002-02-25 03:03:14 10.0.0.1 - 10.0.0.32 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2002-02-25 03:03:15 10.0.0.1 - 10.0.0.32 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2002-02-25 03:03:15 10.0.0.1 - 10.0.0.32 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2002-02-25 03:03:15 10.0.0.1 - 10.0.0.32 80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 403 -
2002-02-25 03:03:15 10.0.0.1 - 10.0.0.32 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 500 -



10.0.0.1 is my ISA server and 10.0.0.32 is one of my webservers. Does this mean
that my webserver is infected with the Nimda virus, or that someone from outside
is infected with Nimda and it's trying to attach to my webserver?


1) What can I do to block these requests from within ISA?

2) Is it possible to pass the user data onto the Webserver? It seems that 
anyone who tries to access my website from the outside is
logged as if the request is coming from my ISA server.

BTW- My websites are published in the ISA server.

Thanks,

Greg Foulks, MCP
NewFound Technologies, Inc.
http://www.nfti.com
Email: greg.foulks@xxxxxxxx
Voice: 614.318.5036
Fax: 614.318.5005
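
A way to triage log lines like the ones in this post, added here as an example and not part of the original message: it reads the `#Fields:` header, flags requests whose URI stem ends in cmd.exe or root.exe or contains `..%5c`, and reports the logged client IP and status code for each. The rule list and function names are assumptions made for illustration; with sites published through ISA, `c-ip` is the ISA server's address, as the post observes.

```python
import re
from collections import Counter

# Sample lines copied from the log in the post (unwrapped; User-Agent shortened).
SAMPLE_LOG = """\
#Date: 2002-02-25 02:45:13
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2002-02-25 02:45:13 10.0.0.1 - 10.0.0.32 80 GET /robots.txt - 404 Mozilla/3.0+(Slurp/si)
2002-02-25 03:03:14 10.0.0.1 - 10.0.0.32 80 GET /scripts/root.exe /c+dir 404 -
2002-02-25 03:03:14 10.0.0.1 - 10.0.0.32 80 GET /MSADC/root.exe /c+dir 403 -
2002-02-25 03:03:14 10.0.0.1 - 10.0.0.32 80 GET /c/winnt/system32/cmd.exe /c+dir 404 -
2002-02-25 03:03:14 10.0.0.1 - 10.0.0.32 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
"""

# Assumed rule set, built only from the URI stems visible in the post.
PROBE_RULES = [
    ("shell-binary", re.compile(r"/(cmd|root)\.exe$", re.I)),
    ("encoded-traversal", re.compile(r"\.\.%5c", re.I)),
]

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # the layout can change mid-file
        elif line and not line.startswith("#"):
            parts = line.split()
            if fields and len(parts) == len(fields):
                yield dict(zip(fields, parts))

def classify(row):
    """Return the names of every rule the request's URI stem matches."""
    return [name for name, rx in PROBE_RULES if rx.search(row["cs-uri-stem"])]

def summarize(text):
    """Return (hits, hits per logged client IP, hits answered with a 2xx status)."""
    hits = []
    for row in parse_w3c(text):
        tags = classify(row)
        if tags:
            hits.append((row["c-ip"], row["cs-uri-stem"], row["sc-status"], tags))
    by_client = Counter(ip for ip, *_ in hits)
    served = [h for h in hits if h[2].startswith("2")]
    return hits, by_client, served

if __name__ == "__main__":
    for hit in summarize(SAMPLE_LOG)[0]:
        print(*hit)
```

Any entry in the third return value is a flagged request the web server answered with a 2xx status and is the first thing to look at; in the sample every flagged request was answered 403, 404 or 500.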
