http://www.ISAserver.org
-------------------------------------------------------

That sounds like a "bad habit" <rimshot>

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of John T (Lists)
Sent: Friday, June 02, 2006 15:29
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Spykids defacement

Nice wooden ruler across the back of their hands while they are typing works wonders.

John T
eServices For You

"Seek, and ye shall find!"

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Friday, June 02, 2006 2:34 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Spykids defacement
>
> Don't forget the user adjustment tool.
> My favorite is an aluminum softball bat.
>
> -------------------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> -------------------------------------------------------
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Crockett, Gregory
> Sent: Friday, June 02, 2006 14:21
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Spykids defacement
>
> True. More threats from within.
>
> So, I will use both: URLScan on the web server and HTTP Filtering at
> the gate.
>
> Thanx
>
> greg
>
> ________________________________
>
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of John T (Lists)
> Sent: Friday, June 02, 2006 2:48 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Spykids defacement
>
> Yes, but just because the front door of the building has a security
> guard standing there checking everything and everyone out next you do
> not assume someone in the building is free to do whatever they please.
>
> John T
> eServices For You
>
> "Seek, and ye shall find!"
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Crockett, Gregory
> Sent: Friday, June 02, 2006 10:57 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Spykids defacement
>
> Doesn't ISA block the same HTTP request as Urlscan?
>
> greg
>
> ________________________________
>
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of John T (Lists)
> Sent: Friday, June 02, 2006 12:27 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Spykids defacement
>
> Sounds like someone's web server is not properly configured and
> patched. Ever hear of URLScan and IIS Lockdown?
>
> John T
> eServices For You
>
> "Seek, and ye shall find!"
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Crockett, Gregory
> Sent: Friday, June 02, 2006 8:06 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Spykids defacement
>
> One of our web sites, www.servicesatrandolph.com
> <http://www.servicesatrandolph.com/> was defaced by Spykids.
> The defacement consisted of:
>
> spykids spykids spykids spykids spykids spykids spykids spykids spykids
> spykids spykids spykids spykids spykids spykids spykids spykids spykids
> spykid\n\
>
> According to the ISA WebProxy, the Client Agent used was: Microsoft
> Data Access Internet Publishing Provider DAV 1.1, with the Operation
> "PUT".
>
> They changed the default.* file.
>
> Since, I turned on HTTP Filter to block the PUT Method. Will this
> stop the above intrusion?
>
> Is there anything else I can do to block this intrusion?
>
> Speaking of the proxy log - what's up with the ClientIP field? Should
> I have a decoder ring to crack the IP address?
>
> The IIS log revealed the IP address originated in Argentina.
>
> TIA
>
> greg
>
> All mail to and from this domain is scrutinized by the Scrutinizer.
>
> All mail to and from this domain is GFI-scanned.
>
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
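Added example, not part of the original thread: a Python check over an IIS W3C extended log for the pattern the original post describes, a write-method request from the "Microsoft Data Access Internet Publishing Provider DAV" client. It generalizes from the single PUT reported to the other WebDAV write verbs; the log lines are constructed, and the field layout is an assumption about how the server's logging is configured.

```python
# Methods that create, change or remove content on the server.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}
# Client agent named in the thread; IIS logs spaces in the agent as '+'.
DAV_AGENT = "Microsoft+Data+Access+Internet+Publishing+Provider+DAV"

# Constructed sample log (documentation-range addresses, not real data).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
2006-06-02 11:58:01 198.51.100.7 GET /default.htm 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2006-06-02 12:01:13 203.0.113.45 OPTIONS / 200 Microsoft+Data+Access+Internet+Publishing+Provider+DAV+1.1
2006-06-02 12:01:14 203.0.113.45 PUT /default.htm 201 Microsoft+Data+Access+Internet+Publishing+Provider+DAV+1.1
2006-06-02 12:05:40 198.51.100.9 PUT /upload/test.txt 403 ExampleClient/1.0
"""


def parse_w3c(text):
    """Yield one dict per request, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))


def find_write_requests(text):
    """Return write-method requests, marking 2xx results and the DAV client."""
    hits = []
    for rec in parse_w3c(text):
        method = rec.get("cs-method", "").upper()
        if method not in WRITE_METHODS:
            continue
        hits.append({
            "when": f'{rec.get("date", "")} {rec.get("time", "")}'.strip(),
            "client": rec.get("c-ip", "-"),
            "method": method,
            "target": rec.get("cs-uri-stem", "-"),
            "succeeded": rec.get("sc-status", "").startswith("2"),
            "dav_client": rec.get("cs(User-Agent)", "").startswith(DAV_AGENT),
        })
    return hits


if __name__ == "__main__":
    for hit in find_write_requests(SAMPLE_LOG):
        print(hit)
```

A write request that succeeded is the one to investigate first; a 403 on the same methods shows the block at the filter or the web server doing its job.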