I still think he can do something about it. The IP Audit command http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/cmd_ref/gl.htm#xtocid8 seems to allow attack signature recognition. This was not available when I last worked on a PIX but it seems pretty similar to a feature on Netscreen models.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Shay Hugi
Sent: Friday, April 12, 2002 11:36 AM
To: [EMAIL PROTECTED]
Subject: RE: Attack through Port 80 (Clifford Thurber)

Yeah, I guess there is nothing to do about it, as long as you want to keep the server running. What kind of pages are you serving? Maybe you can switch to Apache. Anyway, if you need any patch for your IIS server, just log into www.microsoft.com/technet or use Microsoft's new software to detect server flaws, "MBSA (Microsoft Baseline Security Analyzer)". Download from here:
http://download.microsoft.com/download/win2000platform/Install/1.0/NT5XP/EN-US/mbsasetup.msi

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, April 12, 2002 5:57 PM
Subject: Firewalls digest, Vol 1 #675 - 9 msgs

> Message: 1
> Date: Fri, 12 Apr 2002 09:46:38 -0400
> From: Clifford Thurber <[EMAIL PROTECTED]>
> Subject: RE: Attack through Port 80
> To: [EMAIL PROTECTED], Fei Yang <[EMAIL PROTECTED]>
> Cc: firewalls <[EMAIL PROTECTED]>
>
> How did you arrive at the fact that this IS a Nimda attack? It could be
> anything that's exploiting web directory traversal?
>
> At 11:01 AM 4/10/2002 +0530, vishal pranjale wrote:
> >Hi Fei,
> >That's a Nimda attack.
> >The Nimda worm is attacking your web server,
> >so it has nothing to do with the PIX.
> >If your web server is not patched for Nimda then you will be in big trouble,
> >so just patch it for Nimda.
> >Urlscan is also a much better option, but test it before installing.
> >
> >Regards
> >Vishal
> >
> >-----Original Message-----
> >From: [EMAIL PROTECTED]
> >[mailto:[EMAIL PROTECTED]]On Behalf Of Fei Yang
> >Sent: Tuesday, April 09, 2002 12:26 AM
> >To: [EMAIL PROTECTED]
> >Subject: Attack through Port 80
> >
> >
> >Last week I checked our IIS web server's log file and found the following
> >attack logs. I am using a Cisco PIX and opened port 80 for our web server.
> >Could anyone tell me what kind of attack these are and how to block them out
> >of my network by PIX?
> >
> >#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
> >2002-03-29 01:39:24 24.157.182.174 - 24.157.93.95 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
> >2002-03-29 01:39:24 24.157.182.174 - 24.157.93.95 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
> >2002-03-29 01:39:24 24.157.182.174 - 24.157.93.95 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
> >2002-03-29 01:39:24 24.157.182.174 - 24.157.93.95 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 -
>
> Date: Fri, 12 Apr 2002 15:41:17 +0100

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
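
An added example, not part of the original thread: a small Python scanner for the W3C-format IIS log quoted above. It takes the column order from the `#Fields:` line and percent-decodes `cs-uri-stem` until it stops changing, so `%5c`, `%2f` and double-encoded forms such as `%255c` (a generalization beyond the entries in the post) all normalize to the same path before it is checked for traversal or `cmd.exe`. The function names are hypothetical, and two of the sample entries are constructed.

```python
from urllib.parse import unquote

# Two entries copied from the log in the post, plus two constructed ones
# (192.0.2.10 and 198.51.100.5 are documentation addresses).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2002-03-29 01:39:24 24.157.182.174 - 24.157.93.95 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2002-03-29 01:39:24 24.157.182.174 - 24.157.93.95 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 -
2002-03-29 01:40:02 192.0.2.10 - 198.51.100.5 80 GET /default.htm - 200 Mozilla/4.0
2002-03-29 01:41:15 192.0.2.10 - 198.51.100.5 80 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404 -
"""


def normalize(stem, max_rounds=5):
    """Percent-decode until stable, fold backslashes to '/', lowercase."""
    for _ in range(max_rounds):
        decoded = unquote(stem)
        if decoded == stem:
            break
        stem = decoded
    return stem.replace("\\", "/").lower()


def classify(stem):
    """Return the reasons a request path resembles the probes in the post."""
    path = normalize(stem)
    checks = {"traversal": "../" in path or path.endswith("/.."),
              "cmd.exe": path.endswith("/cmd.exe")}
    return [name for name, hit in checks.items() if hit]


def scan(log_text):
    """Yield (c-ip, cs-uri-stem, sc-status, reasons) for suspicious entries."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order comes from the log itself
        values = line.split()
        if line.startswith("#") or not values or len(values) != len(fields):
            continue  # directive, blank line, or entry that does not match
        row = dict(zip(fields, values))
        reasons = classify(row["cs-uri-stem"])
        if reasons:
            yield row["c-ip"], row["cs-uri-stem"], row["sc-status"], reasons


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

The `sc-status` column is returned with each hit so the reviewer can see how the server answered each probe.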
