Mmm... I am familiar with the Code Red Virus attacking in IIS here's an example:
2002-07-26 11:12:07 CodeRedsIPAddress - MyIPAddress 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 - - Notice the error code: 500. That's a good error code in this situation. Why is that not occurring in the error in iis_redirect.log:? Sat Jul 20 23:23:56 2002] [jk_isapi_plugin.c (588)]: HttpFilterProc [/scripts/..�/../winnt/system32/cmd.exe] contains forbidden escape sequences. See. That is why I was sort of iffy that it was CodeRed. To me it looks like a bum jk_isapi_plugin.c. An escape sequence is a property of .c files is it not? For example in a Java file \" is an escape squence for " in strings. But if you say otherwise OK. I've learned something more about CodeRed. Thanks. -- George Hester _________________________________ "Ignacio J. Ortega" <[EMAIL PROTECTED]> wrote in message 80F5674514B4D311BAFC0040F6A45EEE2EB829@ntserver">news:80F5674514B4D311BAFC0040F6A45EEE2EB829@ntserver... This is a code red worm attack or something, when you map /* to tomcat ( as in my first response to your questions ), then all the requests without context are redirected to tomcat, hence you see i_r.dll refusing to map that bad request, and you see the result in logs.. if you use the second mapping proposed (/*.jsp) you'll not see any logs about this, because tomcat will not see this requests.. and will not log anything.. Saludos , Ignacio J. Ortega > -----Mensaje original----- > De: news [mailto:[EMAIL PROTECTED]]En nombre de George Hester > Enviado el: 25 de julio de 2002 21:26 > Para: [EMAIL PROTECTED] > Asunto: Weird errors in iis_redirect.log > > > This is using Tomacat with IIS 5 Windows 2000 and the ISAPI > available here: > > http://members.ozemail.com.au/~lampante/howto/tomcat/iisnt/#2 > > In my log I am getting very many errors all the same and they are: > > [Sat Jul 20 23:23:56 2002] [jk_isapi_plugin.c (588)]: HttpFilterProc > [/scripts/..�/../winnt/system32/cmd.exe] contains forbidden > escape sequences. > > Many of these; all the same; except the date changes. They > seem to occur every > hour. > > Can I stop this and if so can you suuggest how? Thanks. > > -- > George Hester > _________________________________ > > > > > > -- > To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]> -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
