RE: IIS PERMISSIONS !!
If it's IIS4: Go to IIS Administrator and check the property pages for the web, and the individual pages/folders where the forum is. One of the tabs is Directory Security. Click the Edit button in the Anonymous Access and Authentication Control area. If Windows Challenge response is the only option checked here, that is your problem. If you want it open to everyone, check the top option.

If it's IIS5: If it's not something similar to this, I don't know. I haven't played with IIS5 yet...

-Original Message-
From: Tiffany Belcher [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 25, 2001 11:13 AM
To: NT System Admin Issues
Subject: IIS PERMISSIONS !!

I have a website that has a message board. I have set permissions on the Hard Drive and on the MMC to allow read and write etc. It still prompts to enter a password and username. WHY? I have tried like crazy to have it not do that but it does. Here is the site; just click on the forums link to check it out.

Thanks

http://66.45.36.187/BelchingToadClan/

Tiffany Belcher
Web Developer - Network Administrator
[EMAIL PROTECTED]

Want to unsub? Do that here: http://lyris.sunbelt-software.com/scripts/lyris.pl?enter=ntsysadmintext_mode=0lang=english
RE: WARNING: Hacker Alert
I have found these entries in my logs. How do I know if the commands were successful? Is the fact that it was logged an indicator that the command had a problem (failed)?

-Original Message-
From: Jerry Gamblin [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 11:19 AM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert

Look at your Web Server logs for the following files to be opened...

/winnt/system32/cmd.exe
/scripts/root.exe
/MSADC/root.exe
/c/winnt/system32/cmd.exe
/d/winnt/system32/cmd.exe
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe
/scripts/..Á../winnt/system32/cmd.exe

It's best to use a log analyzer to see the information clearly. I like to use Bassic Traffic Reporter http://www.householdventures.com/software.htm . By no means is it the best or the only one, but it works for me and it's free.

Jerry Gamblin
Technology Specialist
Linn State Technical College
One Technology Drive
Linn, MO 65051
[EMAIL PROTECTED]
www.linnstate.edu
573-897-5240

-Original Message-
From: Laura Swartout [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 10:47 AM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert

I'm new to IS admin. What logs should I be looking at? I apply all security patches as they come out so I was not hit by CodeRed.

-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 10:19 AM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert

Here is a site that has been hit http://216.39.178.32

-Original Message-
From: Jason Morris [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 7:59 AM
To: NT System Admin Issues
Subject: RE: WARNING: Hacker Alert

CodeRed seems to have dwindled to nothing on my logs. But it's being replaced with the EXACT same lines you have below, and they stay consistent with the code red 2 methods of attacking the more local subnets.

Jason Morris CCDA CCNP
Network Administrator
MJMC, Inc.
708-225-2350
[EMAIL PROTECTED]

-Original Message-
From: Jason Morris [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 9:50 AM
To: NT System Admin Issues
Cc: '[EMAIL PROTECTED]'
Subject: RE: WARNING: Hacker Alert

Yes. It seems to be systems I have previously monitored hitting me with codered attacks. I bet someone is activating all of their children.

Jason Morris CCDA CCNP
Network Administrator
MJMC, Inc.
708-225-2350
[EMAIL PROTECTED]

-Original Message-
From: xylog [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 18, 2001 9:45 AM
To: NT System Admin Issues
Subject: WARNING: Hacker Alert

All my public facing web servers at home and at my office have shown a huge continuous hacking activity. Has anyone seen similar? I fear this may be code red related or automated. Please comment if you have seen similar.

Here is an excerpt from one logfile:

63.101.9.107, -, 9/18/01, 10:36:21, W3SVC4, DC1DIIS01, x.x.x.x, 0, 145, 0, 500, 87, GET, /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe , /c+dir,
63.101.9.107, -, 9/18/01, 10:36:28, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET, /scripts/..Á../winnt/system32/cmd.exe, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:28, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET, /scripts/winnt/system32/cmd.exe, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET, /winnt/system32/cmd.exe, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 97, 604, 404, 3, GET, /winnt/system32/cmd.exe, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 98, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:32, W3SVC4, DC1DIIS01, x.x.x.x, 0, 100, 0, 500, 87, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
63.101.9.107, -, 9/18/01, 10:36:33, W3SVC4, DC1DIIS01, x.x.x.x, 0, 96, 0, 500, 87, GET, /scripts/..%2f../winnt/system32/cmd.exe, /c+dir,
64.156.252.27, -, 9/18/01, 10:36:42, W3SVC4, DC1DIIS01, x.x.x.x, 156, 41, 13975, 200, 0, GET, /mpf-flow/flow/login.cfm, -,
63.101.171.231, -, 9/18/01, 10:37:02, W3SVC4, DC1DIIS01, x.x.x.x, 0, 72, 604, 404, 3, GET, /scripts/root.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:02, W3SVC4, DC1DIIS01, x.x.x.x, 0, 70, 604, 404, 3, GET, /MSADC/root.exe, /c+dir,
63.101.171.231, -, 9/18/01, 10:37:02, W3SVC4, DC1DIIS01, x.x.x.x, 0, 80, 604, 404, 3, GET,
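
The log check discussed in this thread, as an added example that is not part of any list member's message: it parses records in the comma-separated IIS log layout shown in the excerpt, flags requests for cmd.exe or root.exe, and groups them by client and HTTP status. The sample records, the addresses in them and the host name WEB01 are constructed for illustration.

```python
import csv
import re
from collections import Counter
from urllib.parse import unquote

# Field order of the comma-separated Microsoft IIS log file format.
FIELDS = ["client_ip", "user", "date", "time", "service", "server",
          "server_ip", "time_taken", "bytes_in", "bytes_out",
          "status", "win32_status", "method", "target", "params"]

# Requests whose target ends in cmd.exe or root.exe, as listed in the thread.
PROBE = re.compile(r"[/\\](?:cmd|root)\.exe$", re.IGNORECASE)

# Constructed sample records (documentation addresses, hypothetical host WEB01).
SAMPLE = """\
192.0.2.10, -, 9/18/01, 10:36:21, W3SVC4, WEB01, 198.51.100.5, 0, 145, 0, 500, 87, GET, /msadc/..%5c../winnt/system32/cmd.exe , /c+dir,
192.0.2.10, -, 9/18/01, 10:36:28, W3SVC4, WEB01, 198.51.100.5, 0, 97, 604, 404, 3, GET, /scripts/root.exe, /c+dir,
192.0.2.10, -, 9/18/01, 10:36:32, W3SVC4, WEB01, 198.51.100.5, 0, 97, 604, 404, 3, GET, /winnt/system32/cmd.exe, /c+dir,
192.0.2.77, -, 9/18/01, 10:36:42, W3SVC4, WEB01, 198.51.100.5, 156, 41, 13975, 200, 0, GET, /default.htm, -,
192.0.2.99, -, 9/18/01, 10:37:02, W3SVC4, WEB01, 198.51.100.5, 15, 72, 1204, 200, 0, GET, /scripts/root.exe, /c+dir,
192.0.2.99, -, 9/18/01, 10:37:02, W3SVC4, WEB01, 198.51.100.5, 0, 80, 604, 404, 3, GET,
""".splitlines()


def parse(lines):
    """Yield one dict per complete record; truncated records are skipped."""
    for row in csv.reader(lines, skipinitialspace=True):
        row = [field.strip() for field in row]
        if len(row) < len(FIELDS) or not row[10].isdigit():
            continue
        rec = dict(zip(FIELDS, row))
        rec["status"] = int(rec["status"])
        yield rec


def is_probe(rec):
    """True if the URL-decoded target is a cmd.exe or root.exe request."""
    return bool(PROBE.search(unquote(rec["target"])))


def summarize(lines):
    """Map each probing client to a Counter of the HTTP statuses it received."""
    hits = {}
    for rec in parse(lines):
        if is_probe(rec):
            hits.setdefault(rec["client_ip"], Counter())[rec["status"]] += 1
    return hits


def needs_review(lines):
    """Probe requests answered 2xx: the server sent a normal response, not an error."""
    return [(r["client_ip"], r["target"], r["status"])
            for r in parse(lines) if is_probe(r) and 200 <= r["status"] < 300]


if __name__ == "__main__":
    for ip, statuses in summarize(SAMPLE).items():
        print(ip, dict(statuses))
    for hit in needs_review(SAMPLE):
        print("REVIEW:", hit)
```

404 and 500 are error responses to the request; a 2xx on one of these targets is the entry to examine first on the server itself.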
RE: [LIST ADMIN MESSAGE] NY ATTACK
Ditto

-Original Message-
From: Shannon Speck [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 13, 2001 2:21 PM
To: NT System Admin Issues
Subject: RE: [LIST ADMIN MESSAGE] NY ATTACK

That's pretty funny. I am a lurker. I have enjoyed reading everyone's views on this tragic event. I think it is healthy to air your thoughts and get feedback from so many diverse opinions. Thanks to all for all of the great advice/info I have received from this group.

SS

-Original Message-
From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 13, 2001 2:08 PM
To: NT System Admin Issues
Subject: RE: [LIST ADMIN MESSAGE] NY ATTACK

I guess the lurkers are getting mad

-Original Message-
From: John Hornbuckle [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 13, 2001 12:05 PM
To: NT System Admin Issues
Subject: RE: [LIST ADMIN MESSAGE] NY ATTACK

Did you miss it when this was addressed on Tuesday, the day the world changed? As life gets back underway, the list has been getting back on topic. There are still some off-topic threads going on, but I personally don't have a problem with it at this point. I feel confident that they'll continue to taper off, and by Monday I would imagine that things will be fairly well back to normal on the list.

John Hornbuckle
Network Manager
Taylor County School District
318 North Clark Street
Perry, FL 32347

-Original Message-
From: Wil Willis [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 13, 2001 2:52 PM
To: NT System Admin Issues
Subject: Re: [LIST ADMIN MESSAGE] NY ATTACK

Why is it ok to have non technical discussions in this list? I don't think so.

wil

http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
RE: RUMORS CONCERNING THE PRICE OF GAS?
A realist would figure out that it takes a full time effort to get people to boycott anything. People will put up with a lot for convenience, even being ripped off...

-Original Message-
From: John Hornbuckle [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 12, 2001 10:13 AM
To: NT System Admin Issues
Subject: RE: RUMORS CONCERNING THE PRICE OF GAS?

I think some conservatives would say that it's not the government's position to tell a vendor what he can or can't charge for his products or services. If a vendor chooses to charge obscene rates, he should have the freedom to do so. By the same token, consumers have the freedom to never spend a single penny with that vendor again--thus driving him out of business as punishment for his foolish pricing move. A conservative might argue that we can protect ourselves in this situation by voting with our wallets, and that we don't need government to step in and do it for us.

John Hornbuckle
Network Manager
Taylor County School District
318 North Clark Street
Perry, FL 32347

-Original Message-
From: Richard McClary [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 12, 2001 10:35 AM
To: NT System Admin Issues
Subject: RE: RUMORS CONCERNING THE PRICE OF GAS?

But the message of Compassionate Conservatism is supposed to let these station owners do that...

At 09:15 AM 9/12/2001 -0500, you wrote:

Darn right they are!

-Original Message-

I hope you guys in the Bloomington? Peoria area remember which gas stations were gouging when things go back to normal. Those people are the enemy too!
RE: Attack and Gas Prices
A guy in our office (Little Rock, AR) got a call from a friend who owns a gas station, saying that Texaco HQ had sent out messages to prepare for a price change to take effect as early as this afternoon, and to expect the price to be at least double current. 20 min later (10 min ago) our secretary gets a call from her husband reporting that gas lines are around the corner at over 7 stations he's tried to stop at, 2 stations had already posted no gas left signs and that the avg price he's seen so far is $5 per gallon.

-Original Message-
From: Chris Bodnar [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 11, 2001 3:14 PM
To: NT System Admin Issues
Subject: RE: Attack and Gas Prices

What is the source of this rumor?

Chris Bodnar
The Lehigh Group
610-966-9702 X:134

-Original Message-
From: David James [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 11, 2001 4:11 PM
To: NT System Admin Issues
Subject: Attack and Gas Prices

Can anyone confirm that gas prices are going up around the country? Supposedly it's around $6.00 a gallon already in some places...
RE: HP Jetadmin utility
That method will blow out the whole config, and return the jet direct to factory settings. I'd do a test print (push the test button for about 3 sec), so you have a record of the settings (ip assigned etc..) before doing it. After you plug it back in you have to keep the test button down for a good 10-15sec to get the reset...

-Original Message-
From: Eric Peeters [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 23, 2001 7:49 AM
To: NT System Admin Issues
Subject: RE: HP Jetadmin utility

Does it reset just the password or the whole config?

Eric Peeters
Network Administrator
TexLoc Ltd

-Original Message-
From: T. Bradley Dean [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 22, 2001 4:56 PM
To: NT System Admin Issues
Subject: RE: HP Jetadmin utility

I know how to reset the password on the JetDirect Servers, does that help? Unplug it, hold down the test button, plug it back in.

~Brad

-Original Message-
From: Eric Peeters [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 22, 2001 2:13 PM
To: NT System Admin Issues
Subject: HP Jetadmin utility

Anyone knows how to crack the password for the HP JetAdmin utility? The guy who was here before me left without writing it down somewhere, apparently.

Thanks,

Eric Peeters
Network Administrator
TexLoc Ltd
RE: IIS stopping without reason
Wasn't there an article about how, even if you were fully patched against Code Red, that the mere act of an infected box attacking some IIS servers could cause that server to lock up? The victim wouldn't get infected, but the attempted attack would cause something to lock. I've read so many Code Red related news articles that I can't remember the reference...

-Original Message-
From: Erik Sojka [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 20, 2001 3:53 PM
To: NT System Admin Issues
Subject: RE: IIS stopping without reason

Fmuuh? I'll ask again. It's possible that another internal machine is infected and is reinfecting the box in question. Check your IIS logs for any entries that were logged at or before the times the boxes rebooted. Or any log entries that might be CodeRed-related.

-Original Message-
From: Eric Peeters [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 20, 2001 4:32 PM
To: NT System Admin Issues
Subject: RE: IIS stopping without reason

No, it's a perfectly normal boot, no red flag at all. All other servers are at least similarly protected as this one, or as badly, if you want to argue that point...

Eric Peeters
Network Administrator
TexLoc Ltd

-Original Message-
From: Erik Sojka [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 20, 2001 3:25 PM
To: NT System Admin Issues
Subject: RE: IIS stopping without reason

Perhaps another internal box is infected. Is there anything from the IIS logs from the times when the box goes belly up?

-Original Message-
From: Eric Peeters [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 20, 2001 4:24 PM
To: NT System Admin Issues
Subject: RE: IIS stopping without reason

It can't be Code Red... Until that machine actually goes live, port 80 is blocked to outside traffic (and I am toying with the idea of not using port 80 when it goes live anyways), besides the Index Server service is disabled. Not patched (not my choice, people higher up make decisions I can't argue with) doesn't mean totally abandoned. I update the McAfee virus scan definition list whenever a new one comes out, I have GroupShield running on Exchange (updated just as lovingly), I ran three all-files virus checks, on top of the on-access scan, since having this problem, I've rebooted twice (which should have taken care of Code Red if it had been an issue) and I've also run the Code Red scanner, all to no avail.

Eric Peeters
Network Administrator
TexLoc Ltd

-Original Message-
From: Kevin Lundy [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 20, 2001 3:06 PM
To: NT System Admin Issues
Subject: RE: IIS stopping without reason

The "no patch" is the clue. My betting money is on Code Red - you have heard the news the past month?

-Original Message-
From: Eric Peeters [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 20, 2001 4:09 PM
To: NT System Admin Issues
Subject: IIS stopping without reason

Hello,

My IIS4 server has been behaving strangely for the past four days. It is not a mission-critical unit (yet) as it runs only the users' default home page when they start IE though it was supposed to go live in a week as the IIS for OWA.

On to the problem... All IIS services (NNTP, FTP, HTTP) are stopped. I click on one of them at random and hit Start. Nothing happens. I click Start again after a few seconds. The service in question will start and function normally, however anywhere from 5 to 15 minutes later, it'll stop again. There is no message in the log file other than a notice in the Security log that the IIS account logged in and out at start/stop.

Besides IIS, that box is running Win NT 4 SP6a Server (no patch) and Exchange 5.5 SP1 (no patch) and it acts as the BDC. I've roamed through the Microsoft KB (not easy, what keywords do you use to describe this when there's no message in the log) to no avail.

Anyone out there with a suggestion?

Eric Peeters
Network Administrator
TexLoc Ltd
RE: Code Red Rant
Burn the patches to a CD on a workstation. I keep a cd or two full of patches and drivers for building/rebuilding workstations/servers. Nothing like needing to install a network driver, but the driver is on the network

-Original Message-
From: Al Lilianstrom [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 23, 2001 9:33 AM
To: NT System Admin Issues
Subject: Re: Code Red Rant

[EMAIL PROTECTED] wrote:

Kevin, read my post: In my situation, I had to put the server online to get access to the patches. Maybe MS should be mailing these services packs out the way AOL sends out free access promo CD's G.

--Charles

True - but turning off the IIS and Index Server services before going on the public net would have prevented the hack.

al

Don't take this the wrong way, but why was your server on a public network before it was ready?

-Original Message-
From: Luke Brumbaugh [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 23, 2001 9:48 AM
To: NT System Admin Issues
Subject: OT:Code Red Rant

Last night I am building a test box for 2000 AD. I had to format a 2nd drive to load AD and stuff. It was going to take a while so I left and went home. When I got in this morning, I had messages from other people saying that they had got the code red. I hadn't even got to the updates yet. What a pain! So now I am rebuilding. Will other people please fix this. It is such a pain, our logs are filled with hundreds of ip addresses trying to infect us. We got spam abuse, why can't we have a place that puts people's ip in for not fixing their virus problems!

Luke L. Brumbaugh
System Administrator, MCSE
Ultryx Corporation
mailto:[EMAIL PROTECTED]
Enterprise Channel Management Software for Manufacturers
Visit us at http://www.ultryx.com

--
Al Lilianstrom
CD/OSS/CSI
[EMAIL PROTECTED]
RE: A disk to format NTFS drives?
I don't know of any utilities like you're talking about. I would suggest that you go ahead and kill the partitions using a dos disk (delete non dos partition usually does the trick), then format it with fat, and run scandisk or another utility. Then try again with the W2k/ntfs install.

-Original Message-
From: Derrenbacker, L. Jonathan [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 14, 2001 1:04 PM
To: NT System Admin Issues
Subject: RE: A disk to format NTFS drives?

I need to be able to run scandisk on it. There's a bad sector and windows2000 won't install. It's already formatted as ntfs. When I go to reformat it using the cd or setup disks it fails.

-Original Message-
From: Andrew Baker [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 14, 2001 12:36 PM
To: NT System Admin Issues
Subject: RE: A disk to format NTFS drives?

Why not boot from CD? Partition Magic can format NTFS drives, although I have never had any luck with that feature.

- ASB

-Original Message-
From: Derrenbacker, L. Jonathan [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 14, 2001 10:19 AM
To: NT System Admin Issues
Subject: A disk to format NTFS drives?

Is there a disk like the old 98 boot disk that can fdisk, format, and scandisk a ntfs drive? I hate having to wait 30 minutes to run through the 4 windows2000 boot disks just to format a drive.