Re: Code Red/Nimda

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 10 Apr 2002 06:51:53 -0700

It would appear that you've either:
1. used packet filters or server publishing to publish that site
2. used an "any request" destination in a web publishing rule
3. used an IP address in the destination set for the web publishing rule
4. turned off packet filtering
..the list goes on.

All web sites should be web-published and specific destinations defined for
each.
This will allow the ISA Web Proxy service to act as a URL filter for you and
block this stuff by default.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!
----- Original Message -----
From: "Sushil Bhalla" <sushilb@xxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, April 10, 2002 3:09 AM
Subject: [isalist] Code Red/Nimda


http://www.ISAserver.org


Hello All,

I have SBS2000 (W2K with SP2, E2K with SP1, ISA2K, IIS) all installed on
one server.

I am getting a lot of following entries in my IIS logs from different IPs:

2002-04-09 21:20:36 203.253.28.53 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET /scripts/root.exe /c+dir 404 3 3396 72 62 HTTP/1.0 www - - -
2002-04-09 21:20:42 203.253.28.53 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET /MSADC/root.exe /c+dir 404 3 3396 70 0 HTTP/1.0 www - - -
2002-04-09 21:20:43 203.253.28.53 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET /c/winnt/system32/cmd.exe /c+dir 404 3 3396 80 15 HTTP/1.0 www - - -
2002-04-09 21:20:45 203.253.28.53 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET /d/winnt/system32/cmd.exe /c+dir 404 3 3396 80 0 HTTP/1.0 www - - -
2002-04-09 21:20:47 203.253.28.53 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 3 3396 96 0 HTTP/1.0 www - - -
2002-04-09 21:20:49 203.253.28.53 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 3 3396 117 0 HTTP/1.0 www - - -
2002-04-09 21:20:50 203.253.28.53 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 3 3396 117 0 HTTP/1.0 www - - -


I know 404 IS GOOD SIGN for me. But what can I do to prevent even logging
of these entries. What Service Packs or patches are needed and where can I
get these.

Thanks in advance for all your help.

Sushil Bhalla
Imageware International

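As an added example (not part of this thread and not code from either poster), the script below parses IIS W3C extended log lines shaped like the ones quoted above and triages the Nimda/Code Red II style probes: requests for root.exe or cmd.exe and stems carrying an encoded `..%5c` traversal. It counts probes per source address and separates the ones IIS rejected (4xx, the "good sign" in the question) from any that returned 2xx or 3xx, which would mean the request reached a real handler and deserves immediate attention. The field order is inferred from the quoted excerpt (real logs carry a `#Fields:` header that should be honoured instead); the 192.0.2.x addresses and the single 200 entry are constructed for the demonstration.

```python
"""Triage IIS W3C extended log lines for Nimda/Code Red style probes.

Added example, not part of the ISAserver.org thread. The field order in
FIELDS is an assumption inferred from the quoted excerpt; production logs
carry a '#Fields:' header that should be parsed instead.
"""
from collections import Counter
from urllib.parse import unquote

FIELDS = [
    "date", "time", "c-ip", "cs-username", "s-sitename", "s-computername",
    "s-ip", "s-port", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status",
    "sc-win32-status", "sc-bytes", "cs-bytes", "time-taken", "cs-version",
    "cs-host", "cs(User-Agent)", "cs(Cookie)", "cs(Referer)",
]

# Executables the probes quoted in the thread ask for.
PROBE_BINARIES = ("root.exe", "cmd.exe")

# Seven lines from the thread plus two constructed lines: one benign request
# and one constructed probe that (hypothetically) got a 200.
SAMPLE_LOG = """\
2002-04-09 21:20:36 203.253.28.53 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET /scripts/root.exe /c+dir 404 3 3396 72 62 HTTP/1.0 www - - -
2002-04-09 21:20:42 203.253.28.53 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET /MSADC/root.exe /c+dir 404 3 3396 70 0 HTTP/1.0 www - - -
2002-04-09 21:20:43 203.253.28.53 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET /c/winnt/system32/cmd.exe /c+dir 404 3 3396 80 15 HTTP/1.0 www - - -
2002-04-09 21:20:45 203.253.28.53 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET /d/winnt/system32/cmd.exe /c+dir 404 3 3396 80 0 HTTP/1.0 www - - -
2002-04-09 21:20:47 203.253.28.53 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 3 3396 96 0 HTTP/1.0 www - - -
2002-04-09 21:20:49 203.253.28.53 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 3 3396 117 0 HTTP/1.0 www - - -
2002-04-09 21:20:50 203.253.28.53 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 3 3396 117 0 HTTP/1.0 www - - -
2002-04-09 21:21:00 192.0.2.10 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET /default.htm - 200 0 5120 210 15 HTTP/1.0 www - - -
2002-04-09 21:22:00 192.0.2.77 - W3SVC3 SERVER xxx.xxx.xxx.xxx 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 200 0 1200 96 31 HTTP/1.0 www - - -
""".splitlines()


def parse_line(line):
    """Split one log record into a dict; None if it does not match FIELDS."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def is_probe(record):
    """True when the URI stem asks for a probe binary or carries traversal."""
    decoded = unquote(record["cs-uri-stem"]).lower()  # ..%5c -> ..\
    if decoded.rsplit("/", 1)[-1] in PROBE_BINARIES:
        return True
    return "..\\" in decoded or "../" in decoded


def triage(lines):
    """Return (Counter of probes per client IP, list of probes not rejected).

    A probe answered with 2xx/3xx is the case that needs a human: IIS did
    not reject it, so the site is exposing something the probe was after.
    """
    by_ip = Counter()
    not_rejected = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_line(line)
        if rec is None or not is_probe(rec):
            continue
        by_ip[rec["c-ip"]] += 1
        if rec["sc-status"][0] in "23":
            not_rejected.append(rec)
    return by_ip, not_rejected


if __name__ == "__main__":
    counts, hits = triage(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip:16} {n} probe(s)")
    for rec in hits:
        print("NOT REJECTED:", rec["c-ip"], rec["cs-uri-stem"], rec["sc-status"])
```

Run as-is it reports 7 probes from 203.253.28.53 and flags only the constructed 192.0.2.77 entry. Feeding it a real log means reading the `#Fields:` header into FIELDS first, since IIS lets administrators reorder or drop columns.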