[thelist] code red making a mess of logs

Ken Schaefer ken at adOpenStatic.com
Wed Dec 18 18:22:00 CST 2002


a) Use a firewall
-or-
b) If you're using IIS, use the IIS Lockdown tool to install URLScan - this
is an ISAPI filter which will block these types of requests (and log them to
its own logfile)
-or-
c) Use a host-header. The attack is directed at the IP address. If there's
no website listening on that IP address alone, nothing will get logged.

Cheers
Ken

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: "Aleem" <aleem.bawany at utsc.utoronto.ca>
Subject: [thelist] code red making a mess of logs


: well, this has been going on for a while and by now i've gotten sick of it,
: my log files are a mess with entries like the following:
:
: 24.102.16.10 - - [18/Dec/2002:10:11:09 +0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298 "-" "-"
: 24.102.16.10 - - [18/Dec/2002:13:11:59 +0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
: 24.102.16.10 - - [18/Dec/2002:08:42:05 +0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274 "-" "-"
:
: and my error log:
: [Wed Dec 18 11:46:26 2002] [error] [client 24.102.16.10] File does not exist: e:/www/public/scripts/root.exe
: ...
:
: right now what I'm doing is parsing my logs (using awstats) and
: ignoring those entries but i'd like for a way to block them out of my
: log completely. any suggestions? how do you deal with it?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
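
Added example (not part of the original thread): a Python post-processing filter that separates the probe entries quoted above from ordinary traffic, percent-decoding the double-encoded ..%25%35%63.. path before matching. The function names are illustrative, and the last sample line is constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache combined-log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')
# Executables requested by the probes quoted in the thread.
PROBE_RE = re.compile(r'[\\/](?:cmd|root)\.exe$', re.IGNORECASE)

def normalise(target, max_rounds=3):
    """Drop the query string and percent-decode until the path stops changing,
    so '..%25%35%63..' becomes '..%5c..' and then a literal backslash."""
    path = target.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def probe_client(line):
    """Return the client IP if the line is one of the probes, else None."""
    m = LOG_RE.match(line)
    if m and PROBE_RE.search(normalise(m.group("target"))):
        return m.group("ip")
    return None

def split_log(lines):
    """Separate ordinary traffic from probe entries; count probes per client."""
    clean, probes, clients = [], [], Counter()
    for line in lines:
        ip = probe_client(line)
        if ip is None:
            clean.append(line)
        else:
            probes.append(line)
            clients[ip] += 1
    return clean, probes, clients

# First three lines are the entries quoted in the thread (re-joined);
# the last one is constructed sample traffic.
SAMPLE = [
    '24.102.16.10 - - [18/Dec/2002:10:11:09 +0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298 "-" "-"',
    '24.102.16.10 - - [18/Dec/2002:13:11:59 +0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"',
    '24.102.16.10 - - [18/Dec/2002:08:42:05 +0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274 "-" "-"',
    '192.0.2.7 - - [18/Dec/2002:09:00:00 +0500] "GET /index.html HTTP/1.0" 200 1024 "-" "-"',
]

if __name__ == "__main__":
    clean, probes, clients = split_log(SAMPLE)
    print(len(clean), "kept;", dict(clients))
```

Writing the probe lines to a separate file rather than discarding them keeps a record of which clients are scanning.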