RE: !!!!URGENT - SCARY website LOGS!!!!

  • From: jonlists@xxxxxxxxx
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 27 Mar 2002 20:20:09 -0600

I leave them in the logs. Every time someone starts complaining about $$$
spent on security, I show them the logs.

Jon Johnston
Creative Business Solutions
IBM, Lotus, Microsoft Consultants
http://www.cbsol.com
952-544-1108


                                                                                
                                                        
---------- Original Message ----------------------------------
From: "Greg Foulks" <greg.foulks@nfti.com>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
cc:
Subject: [isalist] RE: !!!!URGENT - SCARY website LOGS!!!!
Date: 03/27/2002 06:09 AM
Please respond to "[ISAserver.org Discussion List]"

http://www.ISAserver.org

These machines are infected with the CodeRed virus and are looking
for other machines to infect. What you are seeing in your logs
shows that your server is patched and is not allowing a connection
to any of the requests.

If you're like me, I couldn't stand seeing these entries in my logs so
I took the following action.

1) Installed URLScan on all of my Webservers.
(URL may wrap)

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/URLscan.asp

Out of the box it will stop these requests before they even get to
your website. You might want to tweak it a bit however it is not
required.

2) I've been keeping a list of each machine and sending emails to
the Host Admins letting them know they have an infected machine.
Showing them the logs URLScan writes.

Lastly I've created a Client Set of these machines that are trying
to infect my webservers and set up a Deny Protocol and applied
those IPs to the Deny Protocol. Now they no longer have access to
my network.

Hope this helps?

Greg


---------- Original Message ----------------------------------
From: "Mark Hippenstiel" <mark@xxxxxxxxxxxx>
Reply-To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Date: Wed, 27 Mar 2002 09:48:20 +0100

>Hello Sushil,
>
>I do think that someone is trying to exploit well-known security
>holes in IIS. I am getting these every now and then and am not too
>worried about them, since the requests are being logged with a 404.
>You will find corresponding information in the MS security bulletins
>if I'm not completely mistaken.
>
>I remember having seen the issue explained somewhere, but wasn't
>able to find it on the MS site, sorry.
>
>Mark
>
>> -----Original Message-----
>> From: Sushil Bhalla [mailto:sushilb@xxxxxxxxxxxxxxxxx]
>> Sent: Wednesday, March 27, 2002 8:09 AM
>> To: [ISAserver.org Discussion List]
>> Subject: [isalist] RE: !!!!URGENT - SCARY website LOGS!!!!
>>
>>
>> Thanks very much Joseph for your comments.
>>
>> Actually, I would like to have W2K, E2K, ISA, ISM all on separate
>> servers but I have SBS which limits me to one server only. If there
>> is a way around this problem, please let me know. I will be very much
>> interested in having all the processes on separate servers.
>>
>> Regards,
>>
>> Sushil Bhalla
>>
>>
>> > It is not always a good idea to keep ISA on the same machine with
>> > all the other applications that you mentioned.
>> > The 404 error code says that you're OK, meaning URL not found.
>> >
>> > Joseph
>> >
>> > -----Original Message-----
>> > From: Sushil Bhalla [mailto:sushilb@xxxxxxxxxxxxxxxxx]
>> > Sent: Tuesday, March 26, 2002 10:07 PM
>> > To: [ISAserver.org Discussion List]
>> > Subject: [isalist] !!!!URGENT - SCARY website LOGS!!!!
>> >
>> >
>> > Hello All,
>> >
>> > I have W2K, E2K, ISA2K, ISM all installed on one server.
>> >
>> > Recently I have allowed inbound HTTPServer Inbound (port 80)
>> > connection (through ISA PACKET FILTERING) to allow my website to
>> > be viewed and after going through my website logs, I got very
>> > worried.
>> >
>> > Following is what I am getting in my logs every few hours.
>> >
>> > Can someone tell me URGENTLY what kind of requests these are?
>> > Should I be worried? What can I do to prevent these?
>> >
>> > Thanks in advance for any help.
>> >
>> > Sushil Bhalla
>> >
>> > #Date: 2002-03-27 00:19:03
>> > #Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
>> > 2002-03-27 00:19:03 203.200.51.30 - W3SVC3 SERVER mye.xte.rna.lip 80 GET /scripts/root.exe /c+dir 404 3 3396 72 15 HTTP/1.0 www - - -
>> > 2002-03-27 00:19:04 203.200.51.30 - W3SVC3 SERVER mye.xte.rna.lip 80 GET /MSADC/root.exe /c+dir 404 3 3396 70 0 HTTP/1.0 www - - -
>> > 2002-03-27 00:19:09 203.200.51.30 - W3SVC3 SERVER mye.xte.rna.lip 80 GET /c/winnt/system32/cmd.exe /c+dir 404 3 3396 80 0 HTTP/1.0 www - - -
>> > 2002-03-27 00:19:10 203.200.51.30 - W3SVC3 SERVER mye.xte.rna.lip 80 GET /d/winnt/system32/cmd.exe /c+dir 404 3 3396 80 16 HTTP/1.0 www - - -
>> > 2002-03-27 00:19:11 203.200.51.30 - W3SVC3 SERVER mye.xte.rna.lip 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 3 3396 96 16 HTTP/1.0 www - - -
>> > 2002-03-27 00:19:14 203.200.51.30 - W3SVC3 SERVER mye.xte.rna.lip 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 3 3396 117 0 HTTP/1.0 www - - -
>> > 2002-03-27 00:19:19 203.200.51.30 - W3SVC3 SERVER mye.xte.rna.lip 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 3 3396 117 0 HTTP/1.0 www - - -
>> > 2002-03-27 00:19:20 203.200.51.30 - W3SVC3 SERVER mye.xte.rna.lip 80 GET /msadc/..%5c../..%5c../..%5c/..=C1=1C../..=C1=1C../..=C1=1C../winnt/system32/cmd.exe /c+dir 404 3 3396 145 0 HTTP/1.0 www - - -
>> > 2002-03-27 00:19:22 203.200.51.30 - W3SVC3 SERVER mye.xte.rna.lip 80 GET /scripts/..=C1=1C../winnt/system32/cmd.exe /c+dir 404 3 3396 97 0 HTTP/1.0 www - - -
>> > 2002-03-27 00:19:23 203.200.51.30 - W3SVC3 SERVER mye.xte.rna.lip 80 GET /scripts/winnt/system32/cmd.exe /c+dir 404 3 3396 97 15 HTTP/1.0 www - - -
>> > 2002-03-27 00:19:25 203.200.51.30 - W3SVC3 SERVER mye.xte.rna.lip 80 GET /winnt/system32/cmd.exe /c+dir 404 3 3396 97 0 HTTP/1.0 www - - -
>> > 2002-03-27 00:19:27 203.200.51.30 - W3SVC3 SERVER mye.xte.rna.lip 80 GET /winnt/system32/cmd.exe /c+dir 404 3 3396 97 16 HTTP/1.0 www - - -
>> >
>> > ------------------------------------------------------
>> > You are currently subscribed to this ISAserver.org Discussion List as:
>> > cismic@xxxxxxx
>> > To unsubscribe send a blank email to leave-isalist-373102A@xxxxxxxxxxxxx


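As an added example (not code from anyone in this thread), a small Python script that parses IIS W3C extended log entries of the kind quoted above, using the #Fields line to name the columns, flags the root.exe / cmd.exe / traversal probes, and reports per source IP whether the probes only ever got a 404 (the "patched" case Mark and Joseph describe) or whether one was actually served. The embedded log sample, the 10.0.0.1 server address and the two extra source IPs are constructed, and the %c1%1c spelling of the second traversal form is an assumption about how the raw bytes shown in the quoted logs arrived on the wire.

```python
import re
from collections import defaultdict

# Constructed sample (IIS W3C extended format); the server address, the two extra source IPs and the 200 lines are made up.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2002-03-27 00:19:03 203.200.51.30 - W3SVC3 SERVER 10.0.0.1 80 GET /scripts/root.exe /c+dir 404 3 3396 72 15 HTTP/1.0 www - - -
2002-03-27 00:19:11 203.200.51.30 - W3SVC3 SERVER 10.0.0.1 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 3 3396 96 16 HTTP/1.0 www - - -
2002-03-27 00:20:00 192.0.2.7 - W3SVC3 SERVER 10.0.0.1 80 GET /index.htm - 200 0 4210 300 10 HTTP/1.0 www Mozilla/4.0 - -
2002-03-27 00:21:00 198.51.100.9 - W3SVC3 SERVER 10.0.0.1 80 GET /winnt/system32/cmd.exe /c+dir 200 0 512 97 16 HTTP/1.0 www - - -
"""

# Probe signatures taken from the thread's logs; %c1%1c is assumed for the raw traversal bytes.
PROBE_PATTERNS = [
    ("root.exe", re.compile(r"/root\.exe$", re.I)),
    ("cmd.exe", re.compile(r"/cmd\.exe$", re.I)),
    ("traversal", re.compile(r"\.\.(%5c|%c1%1c|\\|/)", re.I)),
]

def parse_w3c(text):
    """Yield one dict per entry, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))

def classify(entry):
    """Return the signature names the request's cs-uri-stem matches (empty if none)."""
    stem = entry["cs-uri-stem"]
    return [name for name, rx in PROBE_PATTERNS if rx.search(stem)]

def summarize(text):
    """Per source IP: probe count, signatures seen, and whether any probe got a 2xx."""
    report = defaultdict(lambda: {"probes": 0, "signatures": set(), "served": False})
    for entry in parse_w3c(text):
        hits = classify(entry)
        if not hits:
            continue
        rec = report[entry["c-ip"]]
        rec["probes"] += 1
        rec["signatures"].update(hits)
        # 404 = nothing there to run (the patched case in the thread); a 2xx on these stems needs attention.
        if entry["sc-status"].startswith("2"):
            rec["served"] = True
    return dict(report)
```

Run `summarize(open("ex020327.log").read())` against a real IIS log to get the same per-IP view Greg used when mailing host admins.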