So, if you use the "remove the header" method.... does it allow ColdFusion to keep on working???
Chris Neppes wrote: > Be careful with URLScan if you are using Cold Fusion application server > -- the way the current version replaces the Server header wreaks havoc > with CFM pages. In fact, removing the header is the way to go when using > URLScan, since if you try replacing the header it moves to the bottom of > the header order -- which pretty much gives away that you are running > URLScan on IIS. > > Best, > Chris > > ::::::::::::::::::::::::::::::::::::::::::::: > Chris Neppes > Port80 Software, Inc. > www.port80software.com > 5252 Balboa Ave., Ste. 605 > San Diego, CA 92117 > 858.268.7960 voice > 619.606.2860 cell > 858.268.7760 fax > > -----Original Message----- > From: Fritts,Jordan [mailto:[EMAIL PROTECTED]] > Sent: Tuesday, November 19, 2002 3:19 PM > To: IIS50 Discussions > Subject: RE: Filtering DDOS, Scans and Hacks > > I just setup URLscan 20 minutes after I heard about it. > > Currently our individual dept. isn't using a firewall, but our greater > University is. I do port blocking and such, but I wanted a pre-cursor to > the request hitting my logs. From the research I've done today, URLscan > is quite the tool. > > thanks, j > > -----Original Message----- > From: Paul Calvano [mailto:[EMAIL PROTECTED]] > Sent: Monday, November 18, 2002 5:06 PM > To: IIS50 Discussions > Subject: Re: Filtering DDOS, Scans and Hacks > > Have you looked into URLScan? URLScan is an ISAPI filter availble from > Microsoft that does just what you are asking. It prevents traffic from > a > criteria that you can set from accessing your website. Additionally, > it logs all rejected requests to its own logfile, so you can routinely > make sure that > you are not blocking legitimate requests. > > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/secur > ity/tools/tools/urlscan.asp > > What kind of firewall are you using? Some firewalls are customizable > for blocking traffic based on HTTP requests. > > Hope this helps. > Paul > > 11/18/2002 6:59:15 PM, "Fritts,Jordan" <[EMAIL PROTECTED]> > wrote: > > >I'm finally sick of it - logs full of requests used to, well, hack my > system, searching for directories and permissions that I've long locked > down and > patched. > > > >**** Example Requests ***** > >/cgi-bin/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe, > /c+dir+c:\, > >/winnt/system32/cmd.exe, /c+dir+c:\, > >/d/winnt/system32/cmd.exe, /c+dir+c:\, > > /iisadmpwd/..%2f..%2f..%2f..%2f..%2f..%2fwinnt/system32/cmd.exe, > /c+dir+c:\, > >***** > > > >Anyway, as I was preparing to run a WebTrends, I was scanning the logs > for a new site we put up and all it is are these types of requests. > Essentially, we'll always probably have to deal with these things as > they are too many machines out there that are infected with > administrators that don't > know/don't care/don't know what to do about it. > > > >Anyway (again) I'm looking for ways to stop these requests before they > ever hit my logs. I'd like to stop them at the firewall, but that hasn't > happened > yet. Becuase I need to stop them at the IIS Server, I'm thinking the > only way to do this is to install an ISAPI filter that will just ignore > these requests. > > > >Does anyone out there have a filter like this, or another method, that > keeps my logs a little cleaner? > > > >tia, j > > > > > >--- > >You are currently subscribed to iis50 as: [EMAIL PROTECTED] > >To unsubscribe send a blank email to %%email.unsub%% > > > >--------- > >Administrated by 15 Seconds : http://www.15Seconds.com > >List Archives/Search : http://local.15Seconds.com/search > >Subscription Information : http://www.15seconds.com/listserv.htm > >Advertising Information: http://www.internet.com/mediakit/ > > > > > > --- > You are currently subscribed to iis50 as: [EMAIL PROTECTED] > To unsubscribe send a blank email to %%email.unsub%% > > --------- > Administrated by 15 Seconds : http://www.15Seconds.com > List Archives/Search : http://local.15Seconds.com/search > Subscription Information : http://www.15seconds.com/listserv.htm > Advertising Information: http://www.internet.com/mediakit/ > > --- > You are currently subscribed to iis50 as: [EMAIL PROTECTED] > To unsubscribe send a blank email to > %%email.unsub%% > > --------- > Administrated by 15 Seconds : http://www.15Seconds.com > List Archives/Search : http://local.15Seconds.com/search > Subscription Information : http://www.15seconds.com/listserv.htm > Advertising Information: http://www.internet.com/mediakit/ > > --- > You are currently subscribed to iis50 as: [EMAIL PROTECTED] > To unsubscribe send a blank email to %%email.unsub%% > > --------- > Administrated by 15 Seconds : http://www.15Seconds.com > List Archives/Search : http://local.15Seconds.com/search > Subscription Information : http://www.15seconds.com/listserv.htm > Advertising Information: http://www.internet.com/mediakit/ -- Brian Rideout, President BKR Studio Inc. 110 E Madison Street South Bend, IN 46601 574-245-9576 http://www.bkrstudio.com --- You are currently subscribed to iis50 as: [email protected] To unsubscribe send a blank email to [EMAIL PROTECTED] --------- Administrated by 15 Seconds : http://www.15Seconds.com List Archives/Search : http://local.15Seconds.com/search Subscription Information : http://www.15seconds.com/listserv.htm Advertising Information: http://www.internet.com/mediakit/
