You can block these attempts by closing port 80. Of course, that will hurt your IIS httpd. Your best bet is to make sure your IIS is fully patched to prevent these attacks from having any effect. Else, you need another product in place to try and catch and filter these attack attempts. I do not think the PIX can do it, and I have not seen others respond that they think it can either.

Thanks,

Ron DuFresne

On Mon, 8 Apr 2002, Fei Yang wrote:

> Last week I checked our IIS web server's log file and found the following attack
> logs. I am using a Cisco PIX and opened port 80 for our web server. Could anyone tell
> me what kind of attack these are and how to block them from my network by PIX?
>
> #Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
> 2002-03-29 01:39:24 24.157.182.174 - 24.157.93.95 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
> 2002-03-29 01:39:24 24.157.182.174 - 24.157.93.95 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
> 2002-03-29 01:39:24 24.157.182.174 - 24.157.93.95 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
> 2002-03-29 01:39:24 24.157.182.174 - 24.157.93.95 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 -
>
> Thanks,
> Fei.
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.
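
For spotting entries like the ones quoted above in an IIS W3C extended log, here is an added example that is not part of the original thread. It reads the column names from the `#Fields:` line, percent-decodes `cs-uri-stem` and flags traversal toward `cmd.exe`. The function names and the final benign log line are constructed for illustration, and the bounded repeated decoding goes slightly beyond the two encodings shown in the post.

```python
from urllib.parse import unquote

# Two of the quoted entries (wrapped lines rejoined) plus one CONSTRUCTED
# benign request (192.0.2.10) added for contrast.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2002-03-29 01:39:24 24.157.182.174 - 24.157.93.95 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2002-03-29 01:39:24 24.157.182.174 - 24.157.93.95 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 -
2002-03-29 01:40:02 192.0.2.10 - 24.157.93.95 80 GET /default.htm - 200 -
"""

def normalise(stem, rounds=3):
    """Percent-decode a bounded number of times, then unify slashes,
    so %5c, %2f and doubly encoded forms all reduce to '/'."""
    for _ in range(rounds):
        decoded = unquote(stem)
        if decoded == stem:
            break
        stem = decoded
    return stem.replace("\\", "/")

def parse(lines):
    """Yield one dict per log entry, keyed by the #Fields column names."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip malformed rows
                yield dict(zip(fields, values))

def suspicious(entry):
    """Return the reasons a request path looks like the probes in the post."""
    path = normalise(entry["cs-uri-stem"])
    reasons = []
    if "/../" in path or path.endswith("/.."):
        reasons.append("path-traversal")
    if path.lower().endswith("/cmd.exe"):
        reasons.append("cmd.exe")
    return reasons

def scan(text):
    """Return (client IP, raw stem, status, reasons) for each flagged entry."""
    return [(e["c-ip"], e["cs-uri-stem"], e["sc-status"], r)
            for e in parse(text.splitlines()) if (r := suspicious(e))]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

The `sc-status` column is returned with each hit because it separates probes the server rejected (500 in the quoted entries) from ones that returned content.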
