RE: Block these entries in ISA logs please!!!!!!

  • From: "Sandro Gauci" <sandro@xxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 12 Mar 2002 11:59:59 +0100

Hi Vinay,

that looks like an attempt by the Nimda worm or maybe some attacker. This worm infects other hosts by making use of the UNICODE attack.

Make sure your IIS servers are protected against this and other attacks.

Check out the Microsoft security page regarding this.

http://www.microsoft.com/technet/prodtechnol/isa/deploy/isanimda.asp


Regards 

------------------------------------------------------------
 Sandro Gauci - Security Engineer - GFI - http://www.gfi.com
------------------------------------------------------------


-----Original Message-----
From: Vinaykumar G [mailto:G.Vinay@xxxxxxxxx]
Sent: Tuesday, March 12, 2002 11:16 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Block these entries in ISA logs please!!!!!!
Importance: High

Hi All,
         Can anyone let me know how we can block these strange entries in my ISA log? What is someone exactly trying to execute? What should be done to block these entries? I have ISA in integrated mode with a Win2k server, fully patched.

xxx.xxx.xxx.xxx anonymous       -       N       2002-03-10      06:55:16        W3ReverseProxy  ISAICR  -       -       -       -       -       -       97      -       TCP     GET     /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir       401     -       12202   0       Default rule    -
xxx.xxx.xxx.xxx anonymous       -       N       2002-03-10      06:55:18        W3ReverseProxy  ISAICR  -       -       -       -       -       -       97      -       TCP     GET     /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir       401     -       12202   0       Default rule    -
xxx.xxx.xxx.xxx anonymous       -       N       2002-03-10      06:55:19        W3ReverseProxy  ISAICR  -       -       -       -       -       -       98      -       TCP     GET     /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir      401     -       12202   0       Default rule    -
xxx.xxx.xxx.xxx anonymous       -       N       2002-03-10      06:55:21        W3ReverseProxy  ISAICR  -       -       -       -       -       -       96      -       TCP     GET     /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir        401     -       12202   0       Default rule    -
xxx.xxx.xxx.xxx anonymous       -       N       2002-03-10      06:55:23        W3ReverseProxy  ISAICR  -       -       -       -       -       -       100     -       TCP     GET     /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir    401     -       12202   0       Default rule    -
xxx.xxx.xxx.xxx anonymous       -       N       2002-03-10      06:55:25        W3ReverseProxy  ISAICR  -       -       -       -       -       -       96      -       TCP     GET     /scripts/..%252f../winnt/system32/cmd.exe?/c+dir        -       12202   0       Default rule    -
xxx.xxx.xxx.xxx anonymous       -       N       2002-03-10      12:47:07        W3ReverseProxy  ISAICR  -       -       -       -       -       -       72      -       TCP     GET     /scripts/root.exe?/c+dir        -       -       12202   0       Default rule    -
xxx.xxx.xxx.xxx anonymous       -       N       2002-03-10      12:47:09        W3ReverseProxy  ISAICR  -       -       -       -       -       -       70      -       TCP     GET     /MSADC/root.exe?/c+dir  -       -       12202   0       Default rule    -

Regards,
Vinay.
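As an added example (not part of this thread and not code from either poster), here is a small Python scanner that picks the request path out of W3ReverseProxy log lines like the ones quoted above and decides whether they are the kind of encoded traversal Sandro describes. The point it makes is that the encoding has to be undone before matching: the %25%35%63 and %%35%63 variants only become a backslash after a second decoding pass, and %c0%af / %c1%9c are overlong UTF-8 spellings of the slash characters that a plain URL decoder leaves as opaque bytes. The sample log text is constructed to mirror the field layout of the quoted entries, with hypothetical client addresses; the field positions (client first, date and time in the fifth and sixth columns, URI two fields after the protocol) are assumed from those lines. Note that all the quoted requests were answered with 401 by the default rule, so this is about recognising the probes in the log, not about a gap in the proxy.

```python
"""Flag Nimda-style encoded directory-traversal probes in ISA web-proxy logs.

Added example; the log lines are constructed to mirror the quoted
W3ReverseProxy entries and use hypothetical client addresses.
"""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample (field layout assumed from the quoted log entries).
SAMPLE_LOG = """\
10.0.0.5 anonymous - N 2002-03-10 06:55:16 W3ReverseProxy ISAICR - - - - - - 97 - TCP GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir 401 - 12202 0 Default rule -
10.0.0.5 anonymous - N 2002-03-10 06:55:18 W3ReverseProxy ISAICR - - - - - - 97 - TCP GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir 401 - 12202 0 Default rule -
10.0.0.5 anonymous - N 2002-03-10 06:55:19 W3ReverseProxy ISAICR - - - - - - 98 - TCP GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir 401 - 12202 0 Default rule -
10.0.0.5 anonymous - N 2002-03-10 06:55:23 W3ReverseProxy ISAICR - - - - - - 100 - TCP GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir 401 - 12202 0 Default rule -
10.0.0.5 anonymous - N 2002-03-10 12:47:07 W3ReverseProxy ISAICR - - - - - - 72 - TCP GET /scripts/root.exe?/c+dir - - 12202 0 Default rule -
10.0.0.7 anonymous - N 2002-03-10 12:50:00 W3ReverseProxy ISAICR - - - - - - 60 - TCP GET /images/logo.gif 200 - 3000 0 Default rule -
"""

# Overlong two-byte UTF-8 forms of the path separators, as seen in the log.
OVERLONG_UTF8 = {
    b"\xc0\xaf": b"/",   # %c0%af is an overlong encoding of '/'
    b"\xc1\x9c": b"\\",  # %c1%9c is an overlong encoding of '\'
}

# A ".." path component on its own, after separators have been unified.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")

# File names that have no business being requested through a web proxy.
SUSPECT_TARGETS = ("cmd.exe", "root.exe")


def canonical_path(uri: str, max_rounds: int = 3) -> str:
    """Return the request path with all encoding layers removed.

    Percent-decoding is repeated until the value stops changing so that
    double-encoded forms (%25%35%63, %%35%63) collapse to one character;
    overlong UTF-8 separators are then mapped to ASCII, backslashes are
    unified to forward slashes and the result is lower-cased.
    """
    raw = uri.split("?", 1)[0].encode("latin-1")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    for seq, ascii_char in OVERLONG_UTF8.items():
        raw = raw.replace(seq, ascii_char)
    return raw.decode("latin-1").replace("\\", "/").lower()


def classify(uri: str) -> list:
    """List the reasons a request path looks like a traversal probe."""
    path = canonical_path(uri)
    reasons = []
    if TRAVERSAL.search(path):
        reasons.append("directory traversal")
    if path.endswith(SUSPECT_TARGETS):
        reasons.append("shell binary requested")
    return reasons


def parse_line(line: str):
    """Pull client, timestamp, method and URI out of one proxy log line."""
    tokens = line.split()
    try:
        proto_idx = tokens.index("TCP")
    except ValueError:
        return None
    if len(tokens) < proto_idx + 3:
        return None
    return {
        "client": tokens[0],
        "time": tokens[4] + " " + tokens[5],
        "method": tokens[proto_idx + 1],
        "uri": tokens[proto_idx + 2],
    }


def scan(log_text: str) -> list:
    """Return (client, time, uri, reasons) for every suspicious request."""
    alerts = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        reasons = classify(record["uri"])
        if reasons:
            alerts.append((record["client"], record["time"], record["uri"], reasons))
    return alerts


if __name__ == "__main__":
    for client, when, uri, reasons in scan(SAMPLE_LOG):
        print(f"{when} {client} {uri} -> {', '.join(reasons)}")
```

Matching on the canonical path rather than on the literal strings from the log is what keeps the check from being bypassed by yet another spelling of the same separator; a rule that only looked for `%c0%af` would miss the `%25%35%63` request a few seconds later.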
