Hi Fei, That's nimda attack Nimda worm is attacking on your web server. So nothing to do with pix If your web server is not patched for Nimda then you will be in big trouble so just patch it for nimda. Urlscan is also much better option but test it before installing.
Regards Vishal -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Fei Yang Sent: Tuesday, April 09, 2002 12:26 AM To: [EMAIL PROTECTED] Subject: Attack through Port 80 Last week I checked our IIS web server's log file and found the following attack logs. I am using a Cisco PIX and opened port 80 for our web server. Could anyone tell me what kind of attack these are and how to block them out of my network by PIX? #Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent) 2002-03-29 01:39:24 24.157.182.174 - 24.157.93.95 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 - 2002-03-29 01:39:24 24.157.182.174 - 24.157.93.95 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 - 2002-03-29 01:39:24 24.157.182.174 - 24.157.93.95 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 - 2002-03-29 01:39:24 24.157.182.174 - 24.157.93.95 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 - Thansk, Fei. _______________________________________________ Firewalls mailing list [EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls _______________________________________________ Firewalls mailing list [EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls
