I like using URL Scan because it gives me a little bit more assurance but mostly because it logs all illegal page requests in a separate log file, making it easier to see what is "attacking" your web server.
Best of luck!

Todd

-----Original Message-----
From: Jim Grossl [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 16, 2002 5:30 PM
To: 'Todd Williamson'; [EMAIL PROTECTED]
Subject: RE: IIS log files, can I have your take on these attacks?

Hi Todd, the machine is patched. I am not however running the URL Scan filter. But the server is issuing 400 level error messages, and I cannot find any abnormal processes or open ports (using fport). BTW, I see a lot of these also, but last weekend was the pits!

Jim Grossl
Lee Pesky Learning Center
Boise, Idaho USA

-----Original Message-----
From: Todd Williamson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 16, 2002 11:24 AM
To: Jim Grossl; [EMAIL PROTECTED]
Subject: RE: IIS log files, can I have your take on these attacks?

Jim, I see the same log entries all of the time, on most of my web servers. It is the scanning stage of a Nimda or Code Red attack. If you have Microsoft's URL Scan filter installed, and your IIS server patched (MS has a patch to guard against folder traversal) you shouldn't have too much to worry about. If you can track down the IP addresses where these scans are coming from you may be able to notify their ISP and have the attacking systems pulled offline. Chances are it's a machine that is on "auto-pilot", randomly scanning any machine using IIS.

Todd

-----Original Message-----
From: Jim Grossl [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 15, 2002 11:24 AM
To: [EMAIL PROTECTED]
Subject: IIS log files, can I have your take on these attacks?
207.225.190.149 -- [14/Jan/2002:10:30:22 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 3396
207.225.190.149 -- [14/Jan/2002:10:30:22 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 3396
207.225.190.149 -- [14/Jan/2002:10:30:22 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 3396
207.225.190.149 -- [14/Jan/2002:10:30:22 -0700] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 3396
207.225.190.149 -- [14/Jan/2002:10:30:23 -0700] "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 3837
207.225.190.149 - - [14/Jan/2002:10:30:25 -0700] "GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 3396

It kind of bothers me to post these on an open list (apparently our Web server doesn't need any more "attention") but I would like to know what everyone thinks of these attacks. My Web server logged > 2000 of these attacks over the weekend. I'm pretty sure that attacks are not succeeding, but I've read that if the "%5c" shows up in the Double Decode attack that the file traversal is taking place.

Thanks.

Jim Grossl
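The practical question in this thread is whether any of the probes got past the server, and the answer is in the status column: a 404 or 401 means IIS refused the request, while a 2xx on one of these paths would be the thing to investigate. The following script is an added example and not code from the thread or from any of its participants. It parses log lines in the same Common Log Format shape as Jim's entries, decodes the request path twice (so a double-encoded "%255c" collapses to "%5c" and then to a backslash, the way the "Double Decode" flaw was described), flags the worm-style signatures visible above (root.exe, cmd.exe, encoded "..\" traversal), and tallies them per source address with a separate list of any probe that was answered with a 2xx. The sample log text, the 192.0.2.x / 198.51.100.x addresses (documentation ranges, not the address from the thread), and the 200 response on the last probe are all constructed to exercise the "needs review" branch.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample log text in Common Log Format. Addresses are RFC 5737
# documentation addresses; the final probe is given a 200 on purpose so the
# "needs review" path is exercised. Not taken from the mailing-list thread.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Jan/2002:10:30:22 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 3396
192.0.2.10 - - [14/Jan/2002:10:30:22 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 3396
192.0.2.10 - - [14/Jan/2002:10:30:22 -0700] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 3396
192.0.2.10 - - [14/Jan/2002:10:30:23 -0700] "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 401 3837
192.0.2.10 - - [14/Jan/2002:10:30:25 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 1500
198.51.100.7 - - [14/Jan/2002:10:31:00 -0700] "GET /index.html HTTP/1.0" 200 2048
"""

# Tolerates both "ip - - [ts]" and the "ip -- [ts]" shape seen in pasted logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+)\s+(?:\S+\s+){1,2}\[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<method>\S+)\s+(?P<path>\S+)\s+(?P<proto>[^"]+)"\s+(?P<status>\d{3})\s+(?P<size>\S+)$'
)

# Executable names the worm probes in this thread ask for.
WORM_TARGETS = ("root.exe", "cmd.exe")


def normalize(path):
    """URL-decode twice, fold backslashes to slashes, lower-case.

    Two rounds of decoding make a double-encoded sequence (%255c -> %5c -> "\\")
    comparable with a singly encoded one, so both show up as "/../".
    """
    twice = unquote(unquote(path))
    return twice.replace("\\", "/").lower()


def classify(line):
    """Parse one log line; return a dict with a (possibly empty) list of reasons,
    or None when the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    raw = m.group("path")
    once = unquote(raw)
    norm = normalize(raw)
    reasons = []
    if any(t in norm for t in WORM_TARGETS):
        reasons.append("worm executable name")
    if "/../" in norm:
        reasons.append("directory traversal")
    if unquote(once) != once:
        # A second decode still changed the string: the path was double-encoded.
        reasons.append("double-encoded path")
    return {"ip": m.group("ip"), "status": int(m.group("status")),
            "path": raw, "reasons": reasons}


def analyze(log_text):
    """Return (per-IP status counts for flagged probes, list of probes answered 2xx)."""
    per_ip = defaultdict(Counter)
    needs_review = []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None or not hit["reasons"]:
            continue  # unparseable or ordinary traffic
        per_ip[hit["ip"]][hit["status"]] += 1
        # 404/401 mean the server refused the probe; a 2xx is what to look at.
        if 200 <= hit["status"] < 300:
            needs_review.append(hit)
    return {ip: dict(c) for ip, c in per_ip.items()}, needs_review


if __name__ == "__main__":
    counts, review = analyze(SAMPLE_LOG)
    for ip, by_status in counts.items():
        print(f"{ip}: {by_status}")
    for hit in review:
        print(f"REVIEW {hit['ip']} {hit['status']} {hit['path']} ({', '.join(hit['reasons'])})")
```

Run it against a real IIS or Apache log by replacing SAMPLE_LOG with the file contents; the per-address tallies give the counts Jim was eyeballing, and an empty review list is the concrete form of "the attacks are not succeeding". Decoding twice is deliberate: comparing only the raw path would let a "%255c" probe slip past a filter that looks for "%5c".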