Re: IIS log files, can I have your take on these attacks?

2002-01-18 Thread Bill Walls
Your best idea when posting to this list is to sanitize the logs. If you feel funny about posting your IP, sir, simply take out the address. A quick script with GREP or PERL would suffice. ;) Buffer Overflow in /dev/stomach due to vodka.o! From: Jim Grossl [EMAIL PROTECTED] To: [EMAIL

Re: IIS log files, can I have your take on these attacks?

2002-01-18 Thread Reichert Holger
Hello Jim, these traces look like a worm called nimda which appeared last year. Here is a sample trace: 2001-09-19 00:00:00 x.x.x.x y.y.y.y GET /scripts/root.exe 404 820 72 80 HTTP/1.0 - - 2001-09-19 00:00:00 x.x.x.x y.y.y.y GET /MSADC/root.exe 404 820 70 80 HTTP/1.0 - - 2001-09-19 00:00:00

RE: IIS log files, can I have your take on these attacks?

2002-01-18 Thread Todd Williamson
PROTECTED]] Sent: Wednesday, January 16, 2002 5:30 PM To: 'Todd Williamson'; [EMAIL PROTECTED] Subject: RE: IIS log files, can I have your take on these attacks? Hi Todd, the machine is patched. I am not however running the URL Scan filter. But the server is issuing 400 level error messages, and I cannot

RE: IIS log files, can I have your take on these attacks?

2002-01-18 Thread Jim Grossl
]] Sent: Wednesday, January 16, 2002 5:08 PM To: Jim Grossl; [EMAIL PROTECTED] Subject: Re: IIS log files, can I have your take on these attacks? Your best idea when posting to this list is to sanitize the logs. If you feel funny about posting your IP, sir, simply take out the address. A quick script

RE: IIS log files, can I have your take on these attacks?

2002-01-17 Thread Jim Grossl
security patches (all patches period for that matter, I'm paranoid). Jim Grossl Lee Pesky Learning Center Boise, Idaho USA -Original Message- From: Andrew Blevins [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 16, 2002 11:14 AM To: Jim Grossl Subject: RE: IIS log files, can I have

RE: IIS log files, can I have your take on these attacks?

2002-01-17 Thread Todd Williamson
Jim, I see the same log entries all of the time, on most of my web servers. It is the scanning stage of a Nimda or Code Red attack. If you have Microsoft's URL Scan filter installed, and your IIS server patched (MS has a patch to guard against folder traversal) you shouldn't have too much to

RE: IIS log files, can I have your take on these attacks?

2002-01-17 Thread Jim Grossl
, January 16, 2002 11:35 AM To: Jim Grossl Subject: RE: IIS log files, can I have your take on these attacks? yeah...either nimda or code red you can tell from the MSADC and also see the buffer overflow %5c so the question is did you patch your server. When you go to MS security and find the info

RE: IIS log files, can I have your take on these attacks?

2002-01-17 Thread Jim Grossl
Center Boise, Idaho USA -Original Message- From: Todd Williamson [mailto:[EMAIL PROTECTED]] Sent: Wednesday, January 16, 2002 11:24 AM To: Jim Grossl; [EMAIL PROTECTED] Subject: RE: IIS log files, can I have your take on these attacks? Jim, I see the same log entries all of the time