You should probably pay a little more attention to how and where you
install things to your server. But anyways here is where mine installed to
system32\inetsrv\urlscan
and then read the urlscan.txt before doing anything else.
If you installed your to a different location then do a search
for urlscan :)
Rick
----- Original Message -----
From: "randy" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 25, 2001 9:53 PM
Subject: Re: [IMail Forum] Virus Attacks
> where are the files to edit all i get it read read well i don'thaveth
eread
> file becasue it wasn't on the site it was a bad link can anyone help
instead
> of saying and show wher e the file to edit are.. thanks
>
> [EMAIL PROTECTED]
> ----- Original Message -----
> From: "Matt Robertson" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, September 25, 2001 2:20 AM
> Subject: Re: [IMail Forum] Virus Attacks
>
>
> > Read urlscan.txt completely. You'll find the instructions in there.
> > Remember you are absolutely playing with fire here.
> >
> > On general principles I'd say the only safe thing to do early on is
> disable
> > logging. (EnableLogging=0). I realized a short while ago I'd forgotten
> to
> > shut that off, and after 5 days my log file was 99 mb in size and
growing
> by
> > the minute. Leave the log on for, maybe, 10 minutes or so. Then open
it
> in
> > Notepad and look it over. Once you get bored with that you might want
to
> > disable logging since the file grows so big, so fast with the same stuff
> > over and over again. It was nice to have before Nimda hit, but nowadays
> the
> > thing grows like a weed.
> >
> > -----------------------------------------
> > Matt Robertson [EMAIL PROTECTED]
> > MSB Designs, Inc. http://mysecretbase.com
> > -----------------------------------------
> >
> >
> > ----- Original Message -----
> > From: "randy" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Monday, September 24, 2001 11:15 PM
> > Subject: Re: [IMail Forum] Virus Attacks
> >
> >
> > i'v installed it in default mode but ho wdo you edit the file or files
to
> > add to it and edit it anyhelp..
> >
> > [EMAIL PROTECTED]
> > ----- Original Message -----
> > From: "Bording Ostergaard" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Monday, September 24, 2001 11:48 PM
> > Subject: Re: [IMail Forum] Virus Attacks
> >
> >
> > >
> > > Run it at the command line with a /? and expand. If this doesn't make
> > > sense you should probably step away as it is not at all user friendly
to
> > > set up and it will neuter your server with a vengeance if not set up
> > > properly. No traffic allowed = absolute security, and no server.
> > >
> > > Bording
> > >
> > >
> > > At 11:29 PM 09/24/2001 -0500, you wrote:
> > > >how do ya use urlscan i DL it but theres not instructions on how to
> edit
> > it
> > > >or where to edit it.
> > > >
> > > >[EMAIL PROTECTED]
> > > >[EMAIL PROTECTED]
> > > >
> > > >----- Original Message -----
> > > >From: "Bording Ostergaard" <[EMAIL PROTECTED]>
> > > >To: <[EMAIL PROTECTED]>
> > > >Sent: Monday, September 24, 2001 11:02 PM
> > > >Subject: RE: [IMail Forum] Virus Attacks
> > > >
> > > >
> > > > >
> > > > > Nope, had to modify it. Run it at the command line with a /? and
> > expand
> > > >it
> > > > > to a folder first. Then read, read, read .....
> > > > >
> > > > > Be careful as it will go right ahead and install itself if you
just
> > run it
> > > > > from Explorer. Nasty little habit that is and it puts you straight
> > into
> > > >the
> > > > > glue without any preparation and understanding.
> > > > >
> > > > > BE CAUTIOUS! but it does work very well so far.
> > > > >
> > > > > Bording
> > > > >
> > > > >
> > > > > At 10:15 PM 09/24/2001 -0500, you wrote:
> > > > > >Did you use the default settings to install URLScan? Any
> particular
> > > >changes
> > > > > >you recommend to those trying it out?
> > > > > >
> > > > > >Todd
> > > > > >
> > > > > >-----Original Message-----
> > > > > >From: [EMAIL PROTECTED]
> > > > > >[mailto:[EMAIL PROTECTED]]On Behalf Of Bording
> > > > > >Ostergaard
> > > > > >Sent: Monday, September 24, 2001 9:25 PM
> > > > > >To: [EMAIL PROTECTED]
> > > > > >Subject: Re: [IMail Forum] Virus Attacks
> > > > > >
> > > > > >
> > > > > >
> > > > > >URLScan just released by Microsoft is doing a great job on our
> server
> > by
> > > > > >filtering malformed and disallowed requests before they ever get
> > > >submitted
> > > > > >to IIS. We turned on the log and in 16 hours we've picked up
> nearly
> > a
> > > >meg
> > > > > >of reports on ongoing hacks and probes. Bastards!
> > > > > >
> > > > > >Read carefully before installing though as it is still a in "roll
> up
> > your
> > > > > >sleeves" release mode and is unsupported.
> > > > > >
> > > > > >So far our server has been happy with it in place with no
problems
> or
> > > > > >memory leaks and all sites are running just fine without any
> apparent
> > > > > >performance degradation. Be mindful though and test it on a
> > > >non-production
> > > > > >server until you understand just how to configure it properly or
it
> > will
> > > > > >shut you down.
> > > > > >
> > > > > >Bording
> > > > > >
> > > > > >
> > > > > >At 08:52 PM 09/24/2001 -0500, you wrote:
> > > > > > >Does anyone know of a utility that will automatically block
those
> > IIS
> > > > > > >servers that constantly try to attack an Imail server to stop
> these
> > > > > >constant
> > > > > > >attempts to attack port 80? Has anyone written a script that
> will
> > add
> > > >them
> > > > > > >to the kill file? I think this would be a great
> > > > > > >script/software/enhancement!!!!
> > > > > > >
> > > > > > >20010924 204806 Socket Error - 63.237.172.134 Error while
writing
> > > >sockect
> > > > > > >due to error 10054 or malicious connection type.
> > > > > > >20010924 204806 Socket Error - 63.237.172.134 Error while
writing
> > > >sockect
> > > > > > >due to error 10054 or malicious connection type.
> > > > > > >20010924 204806 Socket Error - 63.237.172.134 Error while
writing
> > > >sockect
> > > > > > >due to error 10054 or malicious connection type.
> > > > > > >20010924 204807 Info - 63.237.172.134 GET
> /MSADC/root.exe?/c+dir
> > > > > >HTTP/1.0.
> > > > > > >
> > > > > > >Anyone
> > > > > > >
> > > > > > >Tim D
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >_______________________________________________________________
> > > > > > >Sent using Novelty Mail the FREE EMAIL SERVICE. Click here
> > > > > > >http://noveltymail.com to get your own free email using this or
> ANY
> > of
> > > >our
> > > > > > >fun domain names.
> > > > > > >
> > > > > > >Please visit http://www.ipswitch.com/support/mailing-lists.html
> > > > > > >to be removed from this list.
> > > > > > >
> > > > > > >An Archive of this list is available at:
> > > > > > >http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> > > > > >
> > > > > >
> > > > > >Please visit http://www.ipswitch.com/support/mailing-lists.html
> > > > > >to be removed from this list.
> > > > > >
> > > > > >An Archive of this list is available at:
> > > > > >http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> > > > > >
> > > > > >
> > > > > >Please visit http://www.ipswitch.com/support/mailing-lists.html
> > > > > >to be removed from this list.
> > > > > >
> > > > > >An Archive of this list is available at:
> > > > > >http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> > > > >
> > > > >
> > > > > Please visit http://www.ipswitch.com/support/mailing-lists.html
> > > > > to be removed from this list.
> > > > >
> > > > > An Archive of this list is available at:
> > > > > http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> > > > >
> > > > >
> > > >
> > > >
> > > >Please visit http://www.ipswitch.com/support/mailing-lists.html
> > > >to be removed from this list.
> > > >
> > > >An Archive of this list is available at:
> > > >http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> > >
> > >
> > > Please visit http://www.ipswitch.com/support/mailing-lists.html
> > > to be removed from this list.
> > >
> > > An Archive of this list is available at:
> > > http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> > >
> > >
> >
> >
> > Please visit http://www.ipswitch.com/support/mailing-lists.html
> > to be removed from this list.
> >
> > An Archive of this list is available at:
> > http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> >
> >
> >
> > Please visit http://www.ipswitch.com/support/mailing-lists.html
> > to be removed from this list.
> >
> > An Archive of this list is available at:
> > http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> >
> >
>
>
> Please visit http://www.ipswitch.com/support/mailing-lists.html
> to be removed from this list.
>
> An Archive of this list is available at:
> http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
>
Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.
An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
