How did you arrive at the fact that this IS a Nimda attack? It could be anything that's exploiting web directory traversal?

At 11:01 AM 4/10/2002 +0530, vishal pranjale wrote:
>Hi Fei,
>That's a Nimda attack.
>The Nimda worm is attacking your web server.
>So it has nothing to do with the PIX.
>If your web server is not patched for Nimda then you will be in big trouble,
>so just patch it for Nimda.
>Urlscan is also a much better option, but test it before installing.
>
>Regards
>Vishal
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED]]On Behalf Of Fei Yang
>Sent: Tuesday, April 09, 2002 12:26 AM
>To: [EMAIL PROTECTED]
>Subject: Attack through Port 80
>
>
>Last week I checked our IIS web server's log file and found the following
>attack logs. I am using a Cisco PIX and opened port 80 for our web server.
>Could anyone tell me what kind of attack these are and how to block them out
>of my network by PIX?
>
>#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem
>cs-uri-query sc-status cs(User-Agent)
>2002-03-29 01:39:24 24.157.182.174 - 24.157.93.95 80 GET
>/scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
>2002-03-29 01:39:24 24.157.182.174 - 24.157.93.95 80 GET
>/scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
>2002-03-29 01:39:24 24.157.182.174 - 24.157.93.95 80 GET
>/scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
>2002-03-29 01:39:24 24.157.182.174 - 24.157.93.95 80 GET
>/scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 -
>
>Thanks,
>Fei.
>
>
>
>_______________________________________________
>Firewalls mailing list
>[EMAIL PROTECTED]
>http://lists.gnac.net/mailman/listinfo/firewalls
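
Added example, not part of the thread and not any poster's code: a small Python scanner that reads IIS W3C extended log text using its `#Fields` line and flags requests whose URI stem hides `..` segments behind percent-encoded separators, as in the quoted log lines. It reports the traversal pattern itself without attributing it to any particular worm, and goes slightly beyond the quoted entries by also decoding double-encoded separators; the function names and the benign sample line are assumptions made for illustration.

```python
from urllib.parse import unquote

# Header and first two entries are the log lines quoted in the thread (unwrapped);
# the last entry is a constructed benign request for contrast.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2002-03-29 01:39:24 24.157.182.174 - 24.157.93.95 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2002-03-29 01:39:24 24.157.182.174 - 24.157.93.95 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 -
2002-03-29 01:40:02 192.0.2.10 - 24.157.93.95 80 GET /images/logo.gif - 200 -
"""

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded separators (%255c) are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def traversal_reasons(uri_stem):
    """Return a list of reasons the URI stem looks like directory traversal."""
    raw = uri_stem.replace("\\", "/")
    path = decode_fully(uri_stem).replace("\\", "/")
    reasons, depth = [], 0
    if path.split("/").count("..") > raw.split("/").count(".."):
        reasons.append("dot-dot segment hidden by encoded separator")
    for segment in path.split("/"):
        if segment == "..":
            depth -= 1          # one level up
        elif segment not in ("", "."):
            depth += 1          # one level down
        if depth < 0:           # climbed above the site root
            reasons.append("path escapes web root")
            break
    if path.lower().endswith("/cmd.exe"):
        reasons.append("requests cmd.exe")
    return reasons

def scan_log(text):
    """Parse W3C extended log text via its #Fields line; return flagged entries."""
    fields, findings = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            entry = dict(zip(fields, line.split()))
            reasons = traversal_reasons(entry.get("cs-uri-stem", ""))
            if reasons:
                findings.append((entry.get("c-ip"), entry["cs-uri-stem"], reasons))
    return findings
```

Calling `scan_log(SAMPLE_LOG)` returns one tuple of client IP, URI stem and reasons per flagged request; the `sc-status` field of each entry still has to be checked separately to see how the server answered.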
