Re: Need help with filtering bogus webrequests through ISA

  • From: "Mark Strangways" <strangconst@xxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sat, 2 Mar 2002 13:49:02 -0500

For that I believe you need to publish through web publishing, unfortunately.
I suppose as long as you're all patched up with the latest hole fixes from MS,
you should be OK.
It would be nice to have ISA block them though.

Mark
----- Original Message -----
From: "Greg Foulks" <greg.foulks@xxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Saturday, March 02, 2002 1:43 PM
Subject: [isalist] Re: Need help with filtering bogus webrequests through
ISA


http://www.ISAserver.org



It is server published. Yeah, I see it's blocking them on the
webserver, which is great, and I'm not too worried about it at the
moment. I would rather the request never made it to the webserver!

greg


---------- Original Message ----------------------------------
From: "Mark Strangways" <strangconst@xxxxxxxxxx>
Reply-To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Date: Sat, 2 Mar 2002 13:27:17 -0500

>Those aren't good logs.
>They look a lot like Nimda and Code Red, this may be a variant.
>The good news is that your webserver is blocking them, but ISA doesn't look
>like it is.
>Is your server web published or server published?
>
>Hope Jim will look into these as well :) He's the guru on this stuff :)
>
>Regards,
>
>Mark S
>----- Original Message -----
>From: "Greg Foulks" <greg.foulks@xxxxxxxx>
>To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
>Sent: Saturday, March 02, 2002 1:21 PM
>Subject: [isalist] Need help with filtering bogus webrequests through ISA
>
>Can anyone give me some pointers that would help to eliminate
>these bogus webrequests that are reaching my webservers running
>behind an ISA server?
>
>2002-03-02 05:27:13 12.32.246.60 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /scripts/root.exe /c+dir 404 2 3396 72 31 HTTP/1.0 www - - -
>2002-03-02 05:27:13 12.32.246.60 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /MSADC/root.exe /c+dir 403 5 3439 70 15 HTTP/1.0 www - - -
>2002-03-02 05:27:13 12.32.246.60 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /c/winnt/system32/cmd.exe /c+dir 404 3 3396 80 31 HTTP/1.0 www - - -
>2002-03-02 05:27:13 12.32.246.60 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /d/winnt/system32/cmd.exe /c+dir 404 3 3396 80 32 HTTP/1.0 www - - -
>2002-03-02 05:27:13 12.32.246.60 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 87 0 96 0 HTTP/1.0 www - - -
>2002-03-02 05:27:13 12.32.246.60 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 3 3396 117 32 HTTP/1.0 www - - -
>2002-03-02 05:27:13 12.32.246.60 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 3 3396 117 31 HTTP/1.0 www - - -
>2002-03-02 05:27:13 12.32.246.60 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 403 5 3439 145 15 HTTP/1.0 www - - -
>2002-03-02 05:27:14 12.32.246.60 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 500 123 0 97 15 HTTP/1.0 www - - -
>2002-03-02 05:27:14 12.32.246.60 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /scripts/winnt/system32/cmd.exe /c+dir 404 3 3396 97 31 HTTP/1.0 www - - -
>2002-03-02 05:27:14 12.32.246.60 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /winnt/system32/cmd.exe /c+dir 404 3 3396 97 31 HTTP/1.0 www - - -
>2002-03-02 05:27:14 12.32.246.60 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /winnt/system32/cmd.exe /c+dir 404 3 3396 97 32 HTTP/1.0 www - - -
>2002-03-02 05:27:14 12.32.246.60 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 87 0 98 0 HTTP/1.0 www - - -
>2002-03-02 05:27:14 12.32.246.60 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 87 0 96 0 HTTP/1.0 www - - -
>2002-03-02 05:27:14 12.32.246.60 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 87 0 100 0 HTTP/1.0 www - - -
>2002-03-02 05:27:14 12.32.246.60 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 87 0 96 0 HTTP/1.0 www - - -
>
>Thanks,
>Greg
>

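A log-side check for the requests quoted in this thread, as an added example that is not part of the original posts: it tags each logged URI as a traversal and/or shell-binary probe and reports, per client, whether any probe was answered with a 2xx status. The field positions, the `classify` and `scan` names, and the two 192.0.2.x sample entries are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Field positions are inferred from the entries quoted in the thread (assumption):
# 2 = client IP, 9 = URI stem, 11 = HTTP status.
CLIENT, STEM, STATUS = 2, 9, 11

# ".." followed by a slash, a backslash, or a non-ASCII character (the "..Á.." form).
TRAVERSAL = re.compile(r"\.\.(?:[\\/]|[^\x00-\x7f])")
# Requests whose target is cmd.exe or root.exe, as in the thread.
SHELL = re.compile(r"/(?:cmd|root)\.exe$", re.IGNORECASE)

# Constructed sample: the first three entries are copied from the thread; the
# last two (192.0.2.x clients) are made up to show a benign hit and a 200 reply.
PREFIX = "W3SVC1 WEBKEEPER 10.0.0.32 80 GET"
SAMPLE_LOG = f"""\
2002-03-02 05:27:13 12.32.246.60 - {PREFIX} /scripts/root.exe /c+dir 404 2 3396 72 31 HTTP/1.0 www - - -
2002-03-02 05:27:13 12.32.246.60 - {PREFIX} /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 87 0 96 0 HTTP/1.0 www - - -
2002-03-02 05:27:14 12.32.246.60 - {PREFIX} /scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 87 0 96 0 HTTP/1.0 www - - -
2002-03-02 05:30:00 192.0.2.10 - {PREFIX} /default.htm - 200 0 3396 72 31 HTTP/1.0 www - - -
2002-03-02 05:31:00 192.0.2.77 - {PREFIX} /scripts/..%5c../winnt/system32/cmd.exe /c+dir 200 0 512 96 0 HTTP/1.0 www - - -
"""

def classify(stem):
    """Return the probe tags that apply to one logged URI stem."""
    decoded = unquote(stem, encoding="latin-1")
    tags = []
    if TRAVERSAL.search(decoded):
        tags.append("traversal")
    if SHELL.search(decoded):
        tags.append("shell-binary")
    return tags

def scan(log_text):
    """Per client: number of probe requests and any that got a 2xx status."""
    report = defaultdict(lambda: {"probes": 0, "served": []})
    for line in log_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) <= STATUS or not fields[STATUS].isdigit():
            continue
        if not classify(fields[STEM]):
            continue
        entry = report[fields[CLIENT]]
        entry["probes"] += 1
        if 200 <= int(fields[STATUS]) < 300:
            entry["served"].append(fields[STEM])
    return dict(report)

if __name__ == "__main__":
    for client, entry in scan(SAMPLE_LOG).items():
        print(client, entry["probes"], "probes; served:", entry["served"] or "none")
```

Any entry under `served` means a probe was answered with a 2xx status, so that web server needs a closer look rather than just the firewall.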
