I leave them in the logs. Every time someone starts complaining about $$$ spent on security, I show them the logs.

Jon Johnston
Creative Business Solutions
IBM, Lotus, Microsoft Consultants
http://www.cbsol.com
952-544-1108


"Greg Foulks" <greg.foulks@nfti.com>
03/27/2002 06:09 AM
Please respond to "[ISAserver.org Discussion List]"

To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
cc:
Subject: [isalist] RE: !!!!URGENT - SCARY website LOGS!!!!

http://www.ISAserver.org

These machines are infected with the CodeRed virus and are looking for other machines to infect. What you are seeing in your logs shows that your server is patched and is not allowing a connection to any of the requests.

If you're like me? I couldn't stand seeing these entries in my logs, so I took the following action.

1) Installed URLScan on all of my Webservers. (URL may wrap)
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/URLscan.asp

Out of the box it will stop these requests before they even get to your website. You might want to tweak it a bit; however, it is not required.

2) I've been keeping a list of each machine and sending emails to the Host Admins letting them know they have an infected machine, showing them the logs URLScan writes.

Lastly, I've created a Client Set of these machines that are trying to infect my webservers and set up a Deny Protocol and applied those IPs to the Deny Protocol. Now they no longer have access to my network.

Hope this helps?

Greg

---------- Original Message ----------------------------------
From: "Mark Hippenstiel" <mark@xxxxxxxxxxxx>
Reply-To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Date: Wed, 27 Mar 2002 09:48:20 +0100

>http://www.ISAserver.org
>
>Hello Sushil,
>
>I do think that someone is trying to exploit well-known security holes in
>IIS. I am getting these every now and then and am not too worried about
>them, since the requests are being logged with a 404. You will find
>corresponding information in the MS security bulletins if I'm not completely
>mistaken.
>
>I remember having seen the issue explained somewhere, but wasn't able to
>find it on the MS site, sorry.
>
>Mark
>
>> -----Original Message-----
>> From: Sushil Bhalla [mailto:sushilb@xxxxxxxxxxxxxxxxx]
>> Sent: Wednesday, March 27, 2002 8:09 AM
>> To: [ISAserver.org Discussion List]
>> Subject: [isalist] RE: !!!!URGENT - SCARY website LOGS!!!!
>>
>> http://www.ISAserver.org
>>
>> Thanks very much Joseph for your comments.
>>
>> Actually, I would like to have W2K, E2K, ISA, ISM all on separate servers
>> but I have SBS which limits me to one server only. If there is a way
>> around this problem, please let me know. I will be very much interested in
>> having all the processes on separate servers.
>>
>> Regards,
>>
>> Sushil Bhalla
>>
>> > It is not always a good idea to keep ISA on the same machine with all
>> > the other applications that you mentioned.
>> > The 404 error code says that you're OK, meaning URL not found.
>> >
>> > Joseph
>> >
>> > -----Original Message-----
>> > From: Sushil Bhalla [mailto:sushilb@xxxxxxxxxxxxxxxxx]
>> > Sent: Tuesday, March 26, 2002 10:07 PM
>> > To: [ISAserver.org Discussion List]
>> > Subject: [isalist] !!!!URGENT - SCARY website LOGS!!!!
>> >
>> > http://www.ISAserver.org
>> >
>> > Hello All,
>> >
>> > I have W2K, E2K, ISA2K, ISM all installed on one server.
>> >
>> > Recently I have allowed inbound HTTPServer Inbound (port 80) connection
>> > (through ISA PACKET FILTERING) to allow my website to be viewed and after
>> > going through my website logs, I got very worried.
>> >
>> > Following is what I am getting in my logs every few hours.
>> >
>> > Can someone tell me URGENTLY what kind of requests these are? Should I be
>> > worried? What can I do to prevent these?
>> >
>> > Thanks in advance for any help.
>> >
>> > Sushil Bhalla
>> >
>> > #Date: 2002-03-27 00:19:03
>> > #Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
>> > 2002-03-27 00:19:03 203.200.51.30 - W3SVC3 SERVER mye.xte.rna.lip 80 GET /scripts/root.exe /c+dir 404 3 3396 72 15 HTTP/1.0 www - - -
>> > 2002-03-27 00:19:04 203.200.51.30 - W3SVC3 SERVER mye.xte.rna.lip 80 GET /MSADC/root.exe /c+dir 404 3 3396 70 0 HTTP/1.0 www - - -
>> > 2002-03-27 00:19:09 203.200.51.30 - W3SVC3 SERVER mye.xte.rna.lip 80 GET /c/winnt/system32/cmd.exe /c+dir 404 3 3396 80 0 HTTP/1.0 www - - -
>> > 2002-03-27 00:19:10 203.200.51.30 - W3SVC3 SERVER mye.xte.rna.lip 80 GET /d/winnt/system32/cmd.exe /c+dir 404 3 3396 80 16 HTTP/1.0 www - - -
>> > 2002-03-27 00:19:11 203.200.51.30 - W3SVC3 SERVER mye.xte.rna.lip 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 3 3396 96 16 HTTP/1.0 www - - -
>> > 2002-03-27 00:19:14 203.200.51.30 - W3SVC3 SERVER mye.xte.rna.lip 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 3 3396 117 0 HTTP/1.0 www - - -
>> > 2002-03-27 00:19:19 203.200.51.30 - W3SVC3 SERVER mye.xte.rna.lip 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 3 3396 117 0 HTTP/1.0 www - - -
>> > 2002-03-27 00:19:20 203.200.51.30 - W3SVC3 SERVER mye.xte.rna.lip 80 GET /msadc/..%5c../..%5c../..%5c/..=C1=1C../..=C1=1C../..=C1=1C../winnt/system32/cmd.exe /c+dir 404 3 3396 145 0 HTTP/1.0 www - - -
>> > 2002-03-27 00:19:22 203.200.51.30 - W3SVC3 SERVER mye.xte.rna.lip 80 GET /scripts/..=C1=1C../winnt/system32/cmd.exe /c+dir 404 3 3396 97 0 HTTP/1.0 www - - -
>> > 2002-03-27 00:19:23 203.200.51.30 - W3SVC3 SERVER mye.xte.rna.lip 80 GET /scripts/winnt/system32/cmd.exe /c+dir 404 3 3396 97 15 HTTP/1.0 www - - -
>> > 2002-03-27 00:19:25 203.200.51.30 - W3SVC3 SERVER mye.xte.rna.lip 80 GET /winnt/system32/cmd.exe /c+dir 404 3 3396 97 0 HTTP/1.0 www - - -
>> > 2002-03-27 00:19:27 203.200.51.30 - W3SVC3 SERVER mye.xte.rna.lip 80 GET /winnt/system32/cmd.exe /c+dir 404 3 3396 97 16 HTTP/1.0 www - - -
>> >
>> > ------------------------------------------------------
>> > You are currently subscribed to this ISAserver.org Discussion List as:
>> > cismic@xxxxxxx
>> > To unsubscribe send a blank email to leave-isalist-373102A@xxxxxxxxxxxxx
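Added here as a worked example (not code from the thread, from URLScan or from ISA): a small Python reader for the IIS W3C extended log format Sushil posted. It maps each line by the #Fields: header, flags requests matching the probe signatures in the quoted entries, counts them per source address (the list Greg turned into an ISA client set) and reports any probe that was not refused with a 404, which is the case that should actually worry an admin. Assumptions: the =C1=1C sequences in the quoted mail are quoted-printable for the raw bytes C1 1C that IIS wrote after decoding %c1%1c; the sample log lines are constructed from the quoted entries, and 198.51.100.7 is a documentation address.

```python
import re
# Signatures visible in the quoted log: requests for cmd.exe/root.exe, backslash traversal left
# encoded as ..%5c, and the overlong-UTF-8 traversal (%c1%1c on the wire) logged as raw bytes C1 1C.
PROBE_RE = re.compile(r"cmd\.exe|root\.exe|\.\.%5c|\.\.%c1%1c|\.\.\xc1\x1c", re.IGNORECASE)
# Constructed sample in the shape of Sushil's log, plus one ordinary hit and one probe that was
# NOT refused (198.51.100.7 is a documentation address, not a real client).
SAMPLE_LOG = (
    "#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method "
    "cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken "
    "cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)\n"
    "2002-03-27 00:19:03 203.200.51.30 - W3SVC3 SERVER mye.xte.rna.lip 80 GET "
    "/scripts/root.exe /c+dir 404 3 3396 72 15 HTTP/1.0 www - - -\n"
    "2002-03-27 00:19:11 203.200.51.30 - W3SVC3 SERVER mye.xte.rna.lip 80 GET "
    "/scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 3 3396 96 16 HTTP/1.0 www - - -\n"
    "2002-03-27 00:19:22 203.200.51.30 - W3SVC3 SERVER mye.xte.rna.lip 80 GET "
    "/scripts/..\xc1\x1c../winnt/system32/cmd.exe /c+dir 404 3 3396 97 0 HTTP/1.0 www - - -\n"
    "2002-03-27 00:20:01 198.51.100.7 - W3SVC3 SERVER mye.xte.rna.lip 80 GET "
    "/default.htm - 200 0 5120 250 0 HTTP/1.0 www - - -\n"
    "2002-03-27 00:20:05 198.51.100.7 - W3SVC3 SERVER mye.xte.rna.lip 80 GET "
    "/scripts/root.exe /c+dir 200 0 3396 72 15 HTTP/1.0 www - - -\n"
)

def parse_w3c(text):
    """Yield one dict per request line, keyed by the #Fields: names. Split on a literal space and
    newline: str.split()/splitlines() treat the raw 0x1C byte as whitespace and would mangle the URI."""
    fields = []
    for line in text.split("\n"):
        if line.startswith("#Fields:"):
            fields = line.split(" ")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split(" ")))

def is_probe(entry):
    """True if stem+query matches a CodeRed/Nimda shell or directory-traversal signature."""
    return PROBE_RE.search(entry["cs-uri-stem"] + " " + entry["cs-uri-query"]) is not None

def summarize(text):
    """Per source IP: probe count and status codes seen; sorted(summarize(text)) is the block list."""
    report = {}
    for e in parse_w3c(text):
        if is_probe(e):
            r = report.setdefault(e["c-ip"], {"probes": 0, "statuses": set()})
            r["probes"] += 1
            r["statuses"].add(e["sc-status"])
    return report

def unrefused_probes(text):
    """Probes answered with anything but 404: that host was not merely scanned and needs attention."""
    return [(e["c-ip"], e["cs-uri-stem"]) for e in parse_w3c(text)
            if is_probe(e) and e["sc-status"] != "404"]
```

On the quoted log every probe from 203.200.51.30 ends in 404, which is the "patched, nothing served" picture Greg and Mark describe; a non-empty result from unrefused_probes is the signal to stop reading logs and start investigating the server.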