"Mark Palmer, CCNA" wrote:
>
> I have been logging these attempts on our Outlook Web Access server.
>
> I then attempt a WHOIS lookup on the source ip. I then send a nicely worded
> email to any and all contacts that show up on the WHOIS search.
>
> I have had some "success" with the contacts
t IMHO worth it.
Cheers,
Mark
-Original Message-
From: Matt Hemingway [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 19, 2001 11:07 AM
To: Ryan Ratkiewicz; [EMAIL PROTECTED]
Subject: Re: IIS Hack Attempt
Code Red. Code Blue. Nimda. Take your pick.
-Matt
On Thursday 15 November 2001 10:18, Ryan Ratkiewicz wrote:
> Can someone help me decipher this?
>
> 11:30:48 207.217.205.149 GET /scripts/root.exe 404
> 11:30:48 207.217.205.149 GET /MSADC/root.exe 404
> 11:30:49 207.217.205.149 GET /c/winnt
Nimda scan. Just make sure your box is patched.
Andrew Blevins
-Original Message-
From: Ryan Ratkiewicz [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 15, 2001 10:18 AM
To: [EMAIL PROTECTED]
Subject: IIS Hack Attempt
Can someone help me decipher this?
11:30:48 207.217.205.149
See http://www.incidents.org/react/nimda.pdf
-Original Message-
From: Ryan Ratkiewicz [mailto:[EMAIL PROTECTED]]
Sent: 15 November 2001 18:18
To: [EMAIL PROTECTED]
Subject: IIS Hack Attempt
Can someone help me decipher this?
11:30:48 207.217.205.149 GET /scripts/root.exe 404
11:30:48
I would say Code Red worm because of all the attempts to get to cmd.exe
Best practices entail applying patches and keeping the web root off the
system partition. You can find a ton of info on this on SF's Focus-MS
section and on MS's website at security.
Cheers,
Leon
-Original Message-
This is the Nimda virus.
Andrew H. Turner <[EMAIL PROTECTED]>
703.284.4771 Pager: 877.580.7432
BBN Technologies, a Verizon company
1300 N. 17th Street, Suite 1200
Arlington, Virginia 22209
-Original Message-
From: Ryan Ratkiewicz [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 15, 2
These are things you should not worry about. Most webserver admins
see them daily, and they make up most of the error logs. Just a host scanning
for known IIS bugs or an infected (Nimda?) webserver trying to affect
others. If you applied the security patches
Hi, if you have a Cisco router you can use the NBAR function
http://www.cisco.com/warp/public/732/Tech/qos/nbar/
Also, who knows how to do that from IIS 5?
Quoting Ryan Ratkiewicz <[EMAIL PROTECTED]>:
> Can someone help me decipher this?
>
> 11:30:48 207.217.205.149 GET /scri
That's Nimda:
http://www.cert.org/advisories/CA-2001-26.html
-Jeff
Ryan Ratkiewicz wrote:
>
> Can someone help me decipher this?
>
> 11:30:48 207.217.205.149 GET /scripts/root.exe 404
> 11:30:48 207.217.205.149 GET /MSADC/root.exe 404
> 11:30:49 207.217.205.149 GET /c/winnt/system32/cmd.exe 4