RE: Why won't Destination set work?

  • From: "Jay J. Mobley" <jmobley@xxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 4 Mar 2002 15:03:28 -0800

If you are ONLY using FQDNs in your destination sets then Code Red should not 
be able to get in.

-----Original Message-----
From: Greg Foulks [mailto:greg.foulks@xxxxxxxx]
Sent: Monday, March 04, 2002 2:39 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Why won't Destination set work?


http://www.ISAserver.org


I've created a destination set to block Code Red, but these infected servers are 
still getting past my ISA server and I can't figure out why. Can someone please 
help?

It looks like this:

Destination Set - Block CodeRed

Destination    Path
*              /scripts/root.exe /c+dir
*              /MSADC/root.exe /c+dir
*              /c/winnt/system32/cmd.exe /c+dir
*              /d/winnt/system32/cmd.exe /c+dir
*              /scripts/..%5c../winnt/system32/cmd.exe /c+dir
*              /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir
*              /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir
*              /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir
*              /scripts/..Á../winnt/system32/cmd.exe /c+dir
*              /scripts/winnt/system32/cmd.exe /c+dir
*              /winnt/system32/cmd.exe /c+dir
*              /winnt/system32/cmd.exe /c+dir
*              /scripts/..%5c../winnt/system32/cmd.exe /c+dir
*              /scripts/..%5c../winnt/system32/cmd.exe /c+dir
*              /scripts/..%5c../winnt/system32/cmd.exe /c+dir
*              /scripts/..%2f../winnt/system32/cmd.exe /c+dir


My Site and Content Rule "Block CodeRed" is defined as:

Scope - Array, Action - Deny, Applies To - Any Request, Schedule - Always, 
Destination - Block CodeRed, Content - All


Even with all of this set I still get this trash logged in my web server's 
log files:



/scripts/root.exe /c+dir 404 2 3396 72 47 HTTP/1.0 www - - -
2002-03-04 21:52:51 12.96.204.13 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /MSADC/root.exe /c+dir 403 5 3439 70 31 HTTP/1.0 www - - -
2002-03-04 21:52:55 12.96.204.13 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /c/winnt/system32/cmd.exe /c+dir 404 3 3396 80 32 HTTP/1.0 www - - -
2002-03-04 21:52:59 12.96.204.13 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /d/winnt/system32/cmd.exe /c+dir 404 3 3396 80 31 HTTP/1.0 www - - -
2002-03-04 21:53:03 12.96.204.13 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 87 0 96 0 HTTP/1.0 www - - -
2002-03-04 21:53:07 12.96.204.13 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 3 3396 117 31 HTTP/1.0 www - - -
2002-03-04 21:53:11 12.96.204.13 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 3 3396 117 31 HTTP/1.0 www - - -
2002-03-04 21:53:15 12.96.204.13 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 403 5 3439 145 16 HTTP/1.0 www - - -
2002-03-04 21:53:19 12.96.204.13 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 500 123 0 97 16 HTTP/1.0 www - - -
2002-03-04 21:53:23 12.96.204.13 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /scripts/winnt/system32/cmd.exe /c+dir 404 3 3396 97 31 HTTP/1.0 www - - -
2002-03-04 21:53:27 12.96.204.13 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /winnt/system32/cmd.exe /c+dir 404 3 3396 97 31 HTTP/1.0 www - - -
2002-03-04 21:53:31 12.96.204.13 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /winnt/system32/cmd.exe /c+dir 404 3 3396 97 31 HTTP/1.0 www - - -
2002-03-04 21:53:35 12.96.204.13 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 87 0 98 0 HTTP/1.0 www - - -
2002-03-04 21:53:39 12.96.204.13 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 87 0 96 0 HTTP/1.0 www - - -
2002-03-04 21:53:43 12.96.204.13 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 87 0 100 0 HTTP/1.0 www - - -
2002-03-04 21:53:47 12.96.204.13 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 87 0 96 0 HTTP/1.0 www - - -

Greg Foulks, MCP
NewFound Technologies, Inc.
http://www.nfti.com
Email: greg.foulks@xxxxxxxx
Voice: 614.318.5036
Fax: 614.318.5005

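A log-side check for the kind of entries shown above, added here as an example and not code from the post or from ISA Server: it parses the IIS W3C lines, percent-decodes the URI stem until it is stable and normalises separators, so the %5c, %2f and raw-byte variants in the log are all reported for the same reasons. The field order (the post shows no "#Fields:" header) and the helper names are assumptions; three log lines are copied from the post and one benign line is constructed.

```python
from urllib.parse import unquote

# Assumed field order for these IIS W3C extended lines: date time c-ip
# cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem
# cs-uri-query sc-status ... (remaining fields are ignored)
STEM, QUERY, STATUS, CLIENT = 9, 10, 11, 2
SUSPECT_FILES = ("cmd.exe", "root.exe")

def canonical_path(stem: str) -> str:
    """Percent-decode until stable (bounded, so %255c double encoding is
    caught too) and normalise separators: /scripts/..%5c../ and
    /scripts/..%2f../ end up identical, which is what a path block list
    has to compare against."""
    decoded = stem
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/").lower()

def classify(line: str) -> dict:
    """Source, status and the reasons (if any) a request looks like
    Code Red / Nimda probing rather than normal site traffic."""
    f = line.split()
    if len(f) < 12 or not f[0][:4].isdigit():
        raise ValueError("truncated or unrecognised log line")
    stem, query, status = f[STEM], f[QUERY], int(f[STATUS])
    path = canonical_path(stem)
    reasons = []
    if ".." in path.split("/"):
        reasons.append("directory traversal after decoding")
    if path.endswith(SUSPECT_FILES):
        reasons.append("request for a shell or executable")
    if any(ord(ch) > 127 for ch in stem):   # the raw-byte "..Á.." variants
        reasons.append("non-ASCII bytes in URI")
    if "+dir" in query:
        reasons.append("command switch in query string")
    return {"src": f[CLIENT], "stem": stem, "status": status,
            "served": 200 <= status < 300, "reasons": reasons}

def scan(lines):
    """Flagged entries only; blank lines are skipped."""
    return [r for r in map(classify, filter(str.strip, lines)) if r["reasons"]]

# Three lines copied from the post plus one constructed benign request.
SAMPLE_LINES = [
    "2002-03-04 21:52:51 12.96.204.13 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /MSADC/root.exe /c+dir 403 5 3439 70 31 HTTP/1.0 www - - -",
    "2002-03-04 21:53:03 12.96.204.13 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 87 0 96 0 HTTP/1.0 www - - -",
    "2002-03-04 21:53:15 12.96.204.13 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe /c+dir 403 5 3439 145 16 HTTP/1.0 www - - -",
    "2002-03-04 21:54:00 10.0.0.5 - W3SVC1 WEBKEEPER 10.0.0.32 80 GET /index.htm - 200 0 1234 250 15 HTTP/1.0 www - - -",
]
```

The `served` flag is the useful triage field: every probe in the post's log came back 403, 404 or 500, so the web server itself was refusing them even though the ISA rule never stopped them.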

-----Original Message-----
From: Greg Foulks [mailto:greg.foulks@xxxxxxxx]
Sent: Monday, March 04, 2002 2:47 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Need Help with a Published Server


I changed a published website to a published server.

Basically I removed the rule from the Web Published rules

Then I created a rule in the Server Publishing Rules that points an external 
IP to an internal IP using a Port 80 Inbound protocol.

Everything seems to work just fine for a while, then all of a sudden my website 
stops being served. This error is given in the browser:

403 Forbidden - The server denies the specified Uniform Resource Locator (URL). 
Contact the server administrator. (12202)
Internet Security and Acceleration Server

If I reboot the ISA server it returns to working for a while, then again it just 
stops.

Does anyone have an idea why this is going on? I shouldn't have to do this in 
order to serve up a website.


Before you ask why I'm using Server Publishing rather than Web Publishing: I 
need the detailed info for reporting that server publishing delivers.

Thanks for any help!

Greg Foulks, MCP
NewFound Technologies, Inc.
http://www.nfti.com
Email: greg.foulks@xxxxxxxx
Voice: 614.318.5036
Fax: 614.318.5005


------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: 
greg.foulks@xxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')

