Guys,
Is it possible to make the IIS application itself run with as little as
possible privs on the Windows box itself? It's my understanding that it
runs with system privs...
Can this be changed somehow? Or is it essential?
Regards
On Fri, 2002-11-01 at 16:29, Chris Eidem wrote:
[...]
What I've tested:
- Anyone with our cert can reach the site with certs ignored or
accepted, no surprise.
- Anyone with our cert can reach the site with client cert mapping not
enabled. Slightly surprising, as I would think that it
not working at all at
times after I installed ZA
- -Original Message-
From: Sarbjit Singh Gill [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 25, 2002 5:44 AM
To: [EMAIL PROTECTED]
Subject: RE: IIS listens to port 80 on 0.0.0.0
Problem solved.
Initially I was using Zone Alarm. I
I'd agree on that !
-Original Message-
From: Craig Humphrey [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 26, 2002 8:43 AM
To: '[EMAIL PROTECTED]'
Cc: [EMAIL PROTECTED]
Subject: RE: IIS listens to port 80 on 0.0.0.0
Odd. I had the same problem with HTTPS (IIS was listening
-Original Message-
From: Sarbjit Singh Gill [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 25 September 2002 2:51 PM
To: Craig Humphrey
Cc: [EMAIL PROTECTED]
Subject: RE: IIS listens to port 80 on 0.0.0.0
Tried that KB article already. Does not work. I just need the
IIS service
is configured to. BUT that is not the case.
Accessing the IIS from a remote machine gives a similar result.
Please advise.
Gill
-Original Message-
From: H C [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 25, 2002 2:56 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: re: IIS
Problem solved.
Initially I was using Zone Alarm. I created the trusted zone and created
host in the trusted zone. The trusted host was 127.0.0.1. Nothing seemed to
work. Changing IP to listen to port 80 also did not change the 0.0.0.0
mapping to 80.
I finally shut down zone alarm. started
]
Subject: RE: IIS listens to port 80 on 0.0.0.0
It's a feature of IIS5. By default it listens on port 80 on all available
IP addresses (0.0.0.0).
This can be fixed:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q238131;
Hope that helps.
-Original Message-
From: Sarbjit Singh
Pearson, Andrew wrote:
Hi all,
I have a small problem with my network, I wondered if anyone has any suggestions.
The problem lies with my IIS 5.0 server which is sitting behind a SmoothWall Firewall
box.
When I FTP to the server while on the inside of the network, I get a connection. And
when
They look like unicode + codered and nimda attacks.
Regards,
-
Muhammad Faisal Rauf Danka
Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
voice: 92-021-111-GEMNET
Vice President
Pakistan Computer Emergency Response Team (PakCERT)
web: www.pakcert.org
Hello all and forgive my ignorance in this area.
Hello
Below is a snippet from the logs. Can anyone tell by
looking at it:
1. What type of vulnerabilities were they looking for?
look downward
2. Does the fact that it says Rejected by urlscan imply
that URLScan from M$
is
1) This is a code red v2 infection attempt.
Unfortunately web server admins are having to class these as just normal
background traffic. Please people - MAKE SURE YOU ARE PATCHED!
Looking for holes left by CR v1
GET /Rejected-By-UrlScan
~/scripts/root.exe 404 123 -
u can use the tool ' IIS-Banner-Edit.zip'
by http://www.nstalker.com/
cheers
- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, February 28, 2002 12:02 AM
Subject: IIS version number?
Can anyone tell me if there is a way to hide the IIS
Get IISLockdown from Microsoft. The URLscan tool will allow you to specify
whatever text you want to identification (or none at all).
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 27, 2002 3:02 PM
To: [EMAIL PROTECTED]
Subject: IIS
I have found similar entries in my apache access logs.
Someone must be running a tool against our site not
knowing if we actually run a Microsoft product.
We know better than that.
- Chris Payne
On Tue, 26 Feb 2002 15:51:44 -0500, GP wrote:
Help, I recently found this on my IIS server
Your best idea when posting to this list is to sanitize the logs. If you
feel funny about posting your IP sir, simply take out the address. A quick
script with GREP or PERL would suffice. ;)
Buffer Overflow in /dev/stomach due to vodka.o!
From: Jim Grossl [EMAIL PROTECTED]
To: [EMAIL
Hello Jim,
these traces look like a worm called nimda which appeared last year.
Here is a sample trace:
2001-09-19 00:00:00 x.x.x.x y.y.y.y GET /scripts/root.exe 404 820 72 80
HTTP/1.0 - -
2001-09-19 00:00:00 x.x.x.x y.y.y.y GET /MSADC/root.exe 404 820 70 80
HTTP/1.0 - -
2001-09-19 00:00:00
PROTECTED]]
Sent: Wednesday, January 16, 2002 5:30 PM
To: 'Todd Williamson'; [EMAIL PROTECTED]
Subject: RE: IIS log files, can I have your take on these attacks?
Hi Todd, the machine is patched. I am not however running
the URL Scan filter. But the server is issuing 400 level
error messages, and I cannot
]]
Sent: Wednesday, January 16, 2002 5:08 PM
To: Jim Grossl; [EMAIL PROTECTED]
Subject: Re: IIS log files, can I have your take on these attacks?
Your best idea when posting to this list is to sanitize the logs. If you
feel funny about posting your IP sir, simply take out the address. A quick
script
security
patches (all patches period for that matter, I'm paranoid).
Jim Grossl
Lee Pesky Learning Center
Boise, Idaho USA
-Original Message-
From: Andrew Blevins [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 16, 2002 11:14 AM
To: Jim Grossl
Subject: RE: IIS log files, can I have
Jim,
I see the same log entries all of the time, on most of
my web servers. It is the scanning stages of a Nimda
or Code Red attack. If you have Microsoft's URL Scan filter
installed, and your IIS server patched (MS has a patch to guard
against folder traversal) you shouldn't have too
much to
, January 16, 2002 11:35 AM
To: Jim Grossl
Subject: RE: IIS log files, can I have your take on these attacks?
yeah...either nimda or code red you can tell from the MSADC and also see
the buffer overflow %5c
so the question is did you patch your server. When you go to MS security and
find the info
Center
Boise, Idaho USA
-Original Message-
From: Todd Williamson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 16, 2002 11:24 AM
To: Jim Grossl; [EMAIL PROTECTED]
Subject: RE: IIS log files, can I have your take on these attacks?
Jim,
I see the same log entries all of the time
and
error.
-Open source nut
-Original Message-
From: Andrew Blevins [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 09, 2002 11:20 AM
To: 'irado furioso com tudo'; Hornat, Charles
Cc: 'Baba Bogdan'; [EMAIL PROTECTED]
Subject:RE: IIS
Why is it automatically easier
Hi,
Apache has been around longer and resides on systems that
are geek friendly. Considering the number of installations,
the time it has been around, and that Apache is on systems
that geeks love; does it not disturb you that there are
still bugs? Especially considering how the open source
just my opinion:
a) there are lots more apaches than IIS
More Sioux than Apaches also. (j/k)
Apache has been around longer and resides on systems that
are geek friendly. Considering the number of installations,
the time it has been around, and that Apache is on systems
that geeks love; does
Well with open source you can actually verify the security
depending on how diligent you wish to be, with closed source you must rely
on the vendor's due diligence. Open source can be patched by you in case of
critical emergencies ( I have had experience with this option so it is
a reality
To: Andrew Blevins
Cc: 'irado furioso com tudo'; Hornat, Charles; 'Baba Bogdan';
[EMAIL PROTECTED]
Subject: RE: IIS
Well with open source you can actually verify the security
depending on how diligent you wish to be, with closed source you must rely
on the vendor's due diligence. Open source can
?
-Original Message-
From: irado furioso com tudo [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 08, 2002 3:36 AM
To: Hornat, Charles
Cc: 'Baba Bogdan'; [EMAIL PROTECTED]
Subject: Re: IIS
just my opinion:
a) there are lots more apaches than IIS
b) statistics is the art to lie.. (forgot the author
just my opinion:
a) there are lots more apaches than IIS
b) statistics is the art to lie.. (forgot the author)
c) it is easier to harden an open system than a proprietary.
c-1) And I do not know any other way to harden an IIS than obscure
patches.. which closes a lot of holes just opening new
Can you beat them around the head and shoulders stressing this? Maybe
add with competent operators.
Patrick S. Harper wrote:
[snip]
A system is only as secure as the sysadmin is competent and dedicated.
And sometimes they still get hacked.
[snip]
--
James W. Meritt CISSP, CISA
Booz |
with the
code.
Regards, Steve
-Original Message-
From: Hornat, Charles [mailto:[EMAIL PROTECTED]]
Sent: 07 January 2002 19:03
To: 'Baba Bogdan'; [EMAIL PROTECTED]
Subject: RE: IIS
I recently read a statistic that said Apache is hacked more than IIS web
servers, and I have also seen statistics go
IMHO, it's easier and more reliable to edit a .conf or .ini file than
point-and-click my way through a GUI. I deal almost exclusively with
WinNT/2K and IIS, and have to make and follow checklists and scripts
to make certain I've done everything in the proper order. The process
is time consuming
If you can write the batch files and edit the conf files then there is
no problem. I am talking about companies and individuals that slap a
Linux box up as a webserver and think they're safe just because they are
using Linux. I had a client, a local ISP that did that. Every box they
had was
Besides this, Does it really matter what web server you
choose?
Yes it does.
I have worked with many and would answer this with,
the system is as secure as the administrator of that system
is knowledgeable. I know administrators who can secure an
IIS server and others who can secure
I recently read a statistic that said Apache is hacked more than IIS web servers, and
I have also seen statistics go the other way. I did a quick search in Google to try
and see if I could find a solid believable statistic, and was unsuccessful. I found
many individuals stating facts
Out of many other reasons, lack of performance is
sometimes the major one. Especially with static pages
IIS outperforms Apache. Take a look at the latest
benchmarks at
http://www.pcmag.com/article/0,2997,s%253D1611%2526a%253D19774,00.asp
Just don't trust (any) out of box configuration, do
If someone cannot securely configure IIS with its GUI interface, how do
you expect them to secure a daemon that uses .conf files? Bad
administration is bad administration. I contact at least 5 companies a
week on behalf of my clients about infected or hacked systems that are
launching attacks
-Original Message-
From: Matt Hemingway [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 19, 2001 11:07 AM
To: Ryan Ratkiewicz; [EMAIL PROTECTED]
Subject: Re: IIS Hack Attempt
Code Red. Code Blue. Nimda. Take your pick.
-Matt
On Thursday 15 November 2001 10:18, Ryan Ratkiewicz wrote
Nimda scan. Just make sure your box is patched.
Andrew Blevins
-Original Message-
From: Ryan Ratkiewicz [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 15, 2001 10:18 AM
To: [EMAIL PROTECTED]
Subject: IIS Hack Attempt
Can someone help me decipher this?
11:30:48 207.217.205.149
Code Red. Code Blue. Nimda. Take your pick.
-Matt
On Thursday 15 November 2001 10:18, Ryan Ratkiewicz wrote:
Can someone help me decipher this?
11:30:48 207.217.205.149 GET /scripts/root.exe 404
11:30:48 207.217.205.149 GET /MSADC/root.exe 404
11:30:49 207.217.205.149 GET
That's Nimda:
http://www.cert.org/advisories/CA-2001-26.html
-Jeff
Ryan Ratkiewicz wrote:
Can someone help me decipher this?
11:30:48 207.217.205.149 GET /scripts/root.exe 404
11:30:48 207.217.205.149 GET /MSADC/root.exe 404
11:30:49 207.217.205.149 GET /c/winnt/system32/cmd.exe 404
This is the Nimda virus.
Andrew H. Turner [EMAIL PROTECTED]
703.284.4771 Pager: 877.580.7432
BBN Technologies, a Verizon company
1300 N. 17th Street, Suite 1200
Arlington, Virginia 22209
-Original Message-
From: Ryan Ratkiewicz [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 15,
I would say code red worm because of all the attempts to get to cmd.exe
Best practices entail applying patches and keeping the web root off the
system partition. You can find a ton of info on this on SF's Focus-MS
section and on MS's website at security.
Cheers,
Leon
-Original
Is there any such utility to strip the headers from Microsoft's SMTP Servers
as well?
-Original Message-
From: Rivera Alonso, David [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 17, 2001 5:42 AM
To: 'Stuart Fraser'; [EMAIL PROTECTED]
Subject: RE: IIS Header Info