I'm using it in default mode myself. However, since I run ColdFusion
scripts exclusively and no ASP I've also added the ASP extensions to the
reject list.
Doesn't do squat to prevent the bandwidth necessary to turn away the
requests, but it does keep the logs a LOT cleaner. One thing, though: I've
got this one survivor I can't get out of the IIS logs. I get one per attack
salvo (for lack of a better term):
2001-09-23 07:06:00 216.198.214.226 - W3SVC91 MSB1 xxx.xxx.221.190 80 - - -
404 2 245 72 0 HTTP/1.0 www - - -
Any idea how to filter that one out, anyone? If I can get rid of that then
my IIS logs (and yours)will be completely clean.
-----------------------------------------
Matt Robertson [EMAIL PROTECTED]
MSB Designs, Inc. http://mysecretbase.com
-----------------------------------------
----- Original Message -----
From: "Todd Holt" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, September 24, 2001 8:15 PM
Subject: RE: [IMail Forum] Virus Attacks
Did you use the default settings to install URLScan? Any particular changes
you recommend to those trying it out?
Todd
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Bording
Ostergaard
Sent: Monday, September 24, 2001 9:25 PM
To: [EMAIL PROTECTED]
Subject: Re: [IMail Forum] Virus Attacks
URLScan just released by Microsoft is doing a great job on our server by
filtering malformed and disallowed requests before they ever get submitted
to IIS. We turned on the log and in 16 hours we've picked up nearly a meg
of reports on ongoing hacks and probes. Bastards!
Read carefully before installing though as it is still a in "roll up your
sleeves" release mode and is unsupported.
So far our server has been happy with it in place with no problems or
memory leaks and all sites are running just fine without any apparent
performance degradation. Be mindful though and test it on a non-production
server until you understand just how to configure it properly or it will
shut you down.
Bording
At 08:52 PM 09/24/2001 -0500, you wrote:
>Does anyone know of a utility that will automatically block those IIS
>servers that constantly try to attack an Imail server to stop these
constant
>attempts to attack port 80? Has anyone written a script that will add them
>to the kill file? I think this would be a great
>script/software/enhancement!!!!
>
>20010924 204806 Socket Error - 63.237.172.134 Error while writing sockect
>due to error 10054 or malicious connection type.
>20010924 204806 Socket Error - 63.237.172.134 Error while writing sockect
>due to error 10054 or malicious connection type.
>20010924 204806 Socket Error - 63.237.172.134 Error while writing sockect
>due to error 10054 or malicious connection type.
>20010924 204807 Info - 63.237.172.134 GET /MSADC/root.exe?/c+dir
HTTP/1.0.
>
>Anyone
>
>Tim D
>
>
>
>
>
>
>
>_______________________________________________________________
>Sent using Novelty Mail the FREE EMAIL SERVICE. Click here
>http://noveltymail.com to get your own free email using this or ANY of our
>fun domain names.
>
>Please visit http://www.ipswitch.com/support/mailing-lists.html
>to be removed from this list.
>
>An Archive of this list is available at:
>http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.
An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.
An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.
An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
