Re: Question about logs

  • From: "Greg Foulks" <greg.foulks@xxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 25 Feb 2002 16:10:28 -0500

Jim,
I'm not sure I understand... Don't allow "www" requests to pass?

I have a destination set up as follows:

Destination Set (NFTI)
nfti.com
www.nfti.com

Then I published the site specifying the Destination above

Redirecting to its internal IP address

I'm sending the original host header information

Left the rest set to its defaults.


Q2 - are you saying I should publish the server? Then I can get all of the
original website details logged to my W3SVC log files, and when I run
WebTrends it will show who visited our website?

Thanks,

Greg Foulks, MCP
NewFound Technologies, Inc.
http://www.nfti.com
Email: greg.foulks@xxxxxxxx
Voice: 614.318.5036
Fax: 614.318.5005


-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Monday, February 25, 2002 3:32 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Question about logs


http://www.ISAserver.org


Q1 - the entries starting at 2002-02-25 03:03:14 are all Nimda requests
that ISA allowed in.  You should check out your WPR Dest Sets to ensure that
you don't allow "www" requests to pass.  The "WEB...log" will be of great
assistance to you while you play with them.  Any "all destinations" WPR is
suspect from the start.
Q2 - only by server-publishing, since proxying any request loses the
original client IP.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!

----- Original Message -----
From: "Greg Foulks" <greg.foulks@xxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, February 25, 2002 10:48
Subject: [isalist] Question about logs


Sorry about this but it seems that the discussion board is down.


I am looking through my W3SVC logs and noticed the following....

#Date: 2002-02-25 02:45:13
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2002-02-25 02:45:13 10.0.0.1 - 10.0.0.32 80 GET /robots.txt - 404 Mozilla/3.0+(Slurp/si;+slurp@xxxxxxxxxxx;+http://www.inktomi.com/slurp.html)
2002-02-25 03:03:14 10.0.0.1 - 10.0.0.32 80 GET /scripts/root.exe /c+dir 404 -
2002-02-25 03:03:14 10.0.0.1 - 10.0.0.32 80 GET /MSADC/root.exe /c+dir 403 -
2002-02-25 03:03:14 10.0.0.1 - 10.0.0.32 80 GET /c/winnt/system32/cmd.exe /c+dir 404 -
2002-02-25 03:03:14 10.0.0.1 - 10.0.0.32 80 GET /d/winnt/system32/cmd.exe /c+dir 404 -
2002-02-25 03:03:14 10.0.0.1 - 10.0.0.32 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2002-02-25 03:03:15 10.0.0.1 - 10.0.0.32 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2002-02-25 03:03:15 10.0.0.1 - 10.0.0.32 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2002-02-25 03:03:15 10.0.0.1 - 10.0.0.32 80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 403 -
2002-02-25 03:03:15 10.0.0.1 - 10.0.0.32 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 500 -



10.0.0.1 is my ISA server and 10.0.0.32 is one of my webservers. Does this
mean that my webserver is infected with the Nimda virus, or that someone
from outside, infected with Nimda, is trying to attach to my webserver?


1) What can I do to block these requests in ISA?

2) Is it possible to pass the user data onto the Webserver? It seems that
anyone who tries to access my website from the outside is
logged as if the request is coming from my ISA server.

BTW- My websites are published in the ISA server.

Thanks,

Greg Foulks, MCP
NewFound Technologies, Inc.
http://www.nfti.com
Email: greg.foulks@xxxxxxxx
Voice: 614.318.5036
Fax: 614.318.5005


------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')



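The two questions in the thread, checked against the posted log excerpt, as an added example that is not part of the original thread and is not code from ISAserver.org or either poster. It parses the IIS W3C extended format using the #Fields directive, flags the Nimda-style probe requests (root.exe, cmd.exe, decoded "..\" or "../" traversal) to answer Q1, and lists the distinct c-ip values to show what Jim's Q2 answer means in practice: every request arrives from the ISA server's address. The sample lines are the thread's own excerpt re-joined onto one line per request; the "..Á.." sequences are kept as the mail rendered them, and the reading of them as a decoded overlong-UTF-8 traversal (such as %c1%1c) is an assumption, not something the thread states.

```python
"""Parse the W3SVC excerpt from the thread and flag the Nimda-style probes.

Added example for this thread; not code from ISAserver.org or either poster.
Assumes the IIS W3C extended log format with a '#Fields:' directive, which is
what the posted excerpt uses.
"""
import re
from collections import Counter
from urllib.parse import unquote

# The posted excerpt, re-joined onto one line per request (the mail wrapped it).
# The '..Á..' sequences are kept exactly as the mail rendered them; reading them
# as a decoded overlong-UTF-8 traversal such as %c1%1c is an assumption.
SAMPLE_LOG = """\
#Date: 2002-02-25 02:45:13
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2002-02-25 02:45:13 10.0.0.1 - 10.0.0.32 80 GET /robots.txt - 404 Mozilla/3.0+(Slurp/si;+slurp@xxxxxxxxxxx;+http://www.inktomi.com/slurp.html)
2002-02-25 03:03:14 10.0.0.1 - 10.0.0.32 80 GET /scripts/root.exe /c+dir 404 -
2002-02-25 03:03:14 10.0.0.1 - 10.0.0.32 80 GET /MSADC/root.exe /c+dir 403 -
2002-02-25 03:03:14 10.0.0.1 - 10.0.0.32 80 GET /c/winnt/system32/cmd.exe /c+dir 404 -
2002-02-25 03:03:14 10.0.0.1 - 10.0.0.32 80 GET /d/winnt/system32/cmd.exe /c+dir 404 -
2002-02-25 03:03:14 10.0.0.1 - 10.0.0.32 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2002-02-25 03:03:15 10.0.0.1 - 10.0.0.32 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2002-02-25 03:03:15 10.0.0.1 - 10.0.0.32 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 -
2002-02-25 03:03:15 10.0.0.1 - 10.0.0.32 80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 403 -
2002-02-25 03:03:15 10.0.0.1 - 10.0.0.32 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 500 -
"""

# Signatures of the probe family seen in the excerpt, tested against the fully
# decoded cs-uri-stem (decoded twice so %255c is caught as well as %5c).
PROBE_PATTERNS = (
    re.compile(r"/root\.exe$", re.IGNORECASE),             # renamed cmd.exe copies the worm looks for
    re.compile(r"/winnt/system32/cmd\.exe$", re.IGNORECASE),
    re.compile(r"\.\.[\\/]"),                              # directory traversal once escapes are decoded
)


def parse_w3c(text):
    """Turn W3C extended log text into a list of dicts keyed by the #Fields names."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # #Date, #Software, #Version ... carry no request
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def decode_stem(stem):
    """Decode percent-escapes twice, so double-encoded traversal is visible too."""
    return unquote(unquote(stem))


def is_probe(record):
    """True when the request's cs-uri-stem matches one of the Nimda-style signatures."""
    stem = decode_stem(record["cs-uri-stem"])
    return any(p.search(stem) for p in PROBE_PATTERNS)


def summarize(text):
    """Parse, flag, and report: counts, status mix of the probes, and the client IPs seen."""
    records = parse_w3c(text)
    probes = [r for r in records if is_probe(r)]
    return {
        "total": len(records),
        "probes": len(probes),
        "probe_status": Counter(r["sc-status"] for r in probes),
        "client_ips": sorted({r["c-ip"] for r in records}),
        "targets": sorted({r["s-ip"] for r in probes}),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['probes']} of {report['total']} requests look like Nimda probes")
    print("status codes returned to the probes:", dict(report["probe_status"]))
    # Every request carries the proxy's address, not the real client's:
    print("distinct c-ip values:", report["client_ips"])
```

Run against the excerpt it reports 9 probes out of 10 requests and a single c-ip value, 10.0.0.1, which is the point of Jim's Q2 answer: with web publishing the backend log cannot tell two outside clients apart. The status column is the first thing to check by hand on a real log; the 403 and 500 responses to the traversal lines mean the server did something other than reject the path outright, which is where an infected host would show up.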