Hello Craig. My comments are inline below.

-----Original Message-----
From: Craig Brauckmiller
Sent: Sunday, May 12, 2002 17:40

1. What type of vulnerabilities were they looking for?

I would agree that it is Code Red, Nimda, or something similar. They're looking for command level access.

2. Does the fact that it says <Rejected by urlscan> imply that URLScan from M$ is loaded? I didn't do this myself... that's why I'm curious.

Possibly, but I don't use MS products at home and I'm not involved in IIS at work. It's possible that a form of urlscan was installed as part of IIS.

3. What is the best course of action in regards to the individual attempting these activities? I traced the IP back to RoadRunner. Should I call their customer service and complain or am I just pissing in the wind?

You will see more immediate results if you locate a good wind. But RoadRunner and most other ISPs will make an effort to uphold their part of their TOS. They might not contact you directly or immediately.

4. I did run the IIS Lockdown wizard. Is that sufficient for most types of attacks? What other tools should I consider running?

Sorry, I don't know IIS. But a wizard is a wizard: Was there an indication that something needed changing or improving? Did you make any changes the wizard offered? And MS is MS: Did you ensure you have all the latest patches and fixes for IIS installed? This should be an ongoing effort to ensure you're not behind.

Good Luck,
Larry
