Thanks. I hadn't used the Lockdown tool before, I did all my security manually so I 
knew exactly what was changing on the server.

I'm excited to see my logs after today.

Thanks again, j

-----Original Message-----
From: Ken Schaefer [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 18, 2002 5:48 PM
To: IIS50 Discussions
Subject: Re: Filtering DDOS, Scans and Hacks


Possible options:

a) Don't have websites that listen on IP addresses alone. Set your websites
to listen on IP Address + Host Header. Since these worms attack by using
HTTP 1.0 requests (IP address only), your website logs will never get these
logged.

and/or

b) Use URLScan

Cheers
Ken

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: "Fritts,Jordan" <[EMAIL PROTECTED]>
Subject: Filtering DDOS, Scans and Hacks


I'm finally sick of it - logs full of requests used to, well, hack my
system, searching for directories and permissions that I've long locked down
and patched.

**** Example Requests *****
/cgi-bin/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe, /c+dir+c:\,
/winnt/system32/cmd.exe, /c+dir+c:\,
/d/winnt/system32/cmd.exe, /c+dir+c:\,
 /iisadmpwd/..%2f..%2f..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe,
/c+dir+c:\,
*****

Anyway, as I was preparing to run a WebTrends, I was scanning the logs for a
new site we put up and all it is are these types of requests.  Essentially,
we'll always probably have to deal with these things as there are too many
machines out there that are infected with administrators that don't
know/don't care/don't know what to do about it.

Anyway (again) I'm looking for ways to stop these requests before they ever
hit my logs. I'd like to stop them at the firewall, but that hasn't happened
yet. Because I need to stop them at the IIS Server, I'm thinking the only
way to do this is to install an ISAPI filter that will just ignore these
requests.

Does anyone out there have a filter like this, or another method, that keeps
my logs a little cleaner?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
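
An added example (not written by anyone in this thread): a Python pass over a W3C-format IIS log that separates the kind of probes quoted above from ordinary traffic before the log goes to a reporting tool. The log lines, field order, addresses and the double-encoded variant are constructed, and the matching rules are an assumption modeled on the thread's example requests.

```python
from urllib.parse import unquote

# Constructed sample log; 192.0.2.x is a documentation-only address range.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-11-18 10:00:01 192.0.2.10 GET /default.asp - 200
2002-11-18 10:00:02 192.0.2.77 GET /cgi-bin/..%5c..%5c..%5cwinnt/system32/cmd.exe /c+dir+c:\\ 404
2002-11-18 10:00:03 192.0.2.77 GET /d/winnt/system32/cmd.exe /c+dir+c:\\ 404
2002-11-18 10:00:04 192.0.2.10 GET /images/logo.gif - 200
2002-11-18 10:00:05 192.0.2.77 GET /iisadmpwd/..%252f..%252fwinnt/system32/cmd.exe /c+dir+c:\\ 404
"""

def normalize(stem, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%255c) is unwrapped too."""
    for _ in range(max_rounds):
        decoded = unquote(stem)
        if decoded == stem:
            break
        stem = decoded
    return stem.lower()

def probe_reason(stem):
    """Return why a URL stem looks like a scan probe, or None for normal traffic."""
    path = normalize(stem)
    if ".." in path or "\\" in path:
        return "traversal"      # parent-directory or backslash sequence in the path
    if path.endswith("/cmd.exe"):
        return "cmd.exe"        # direct request for the command interpreter
    return None

def split_log(text):
    """Split a W3C log into (clean_lines, probes); probes are (stem, reason) pairs."""
    clean, probes, stem_idx = [], [], None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            # Field order varies per site, so locate cs-uri-stem from the directive.
            stem_idx = line.split()[1:].index("cs-uri-stem")
            continue
        if not line or line.startswith("#") or stem_idx is None:
            continue
        fields = line.split()
        reason = probe_reason(fields[stem_idx]) if len(fields) > stem_idx else None
        if reason:
            probes.append((fields[stem_idx], reason))
        else:
            clean.append(line)
    return clean, probes

if __name__ == "__main__":
    clean, probes = split_log(SAMPLE_LOG)
    print(len(clean), "clean lines;", len(probes), "probes:", probes)
```

This only cleans the log after the fact; the requests still reach the server, so it complements rather than replaces the host-header and URLScan options above.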


---
You are currently subscribed to iis50 as: [EMAIL PROTECTED]
To unsubscribe send a blank email to %%email.unsub%%

---------
Administrated by 15 Seconds : http://www.15Seconds.com
List Archives/Search : http://local.15Seconds.com/search
Subscription Information : http://www.15seconds.com/listserv.htm
Advertising Information: http://www.internet.com/mediakit/


