[thelist] code red making a mess of logs

Ken Schaefer ken at adOpenStatic.com
Wed Dec 18 18:22:00 CST 2002

a) Use a firewall
b) If you're using IIS, use the IIS Lockdown tool to install URLScan - this
is an ISAPI filter which will block these types of requests (and log them to
its own logfile)
c) Use a host-header. The attack is directed at the IP address. If there's
no website listening on that IP address alone, nothing will get logged.


From: "Aleem" <aleem.bawany at utsc.utoronto.ca>
Subject: [thelist] code red making a mess of logs

: well, this has been going on for a while and by now i've gotten sick of
: my log files are a mess with entries like the following:
: - - [18/Dec/2002:10:11:09 +0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298 "-"
: - - [18/Dec/2002:13:11:59 +0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
: - - [18/Dec/2002:08:42:05 +0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274 "-" "-"
: and my error log:
: [Wed Dec 18 11:46:26 2002] [error] [client] File does not exist: e:/www/public/scripts/root.exe
: ...
: right now what I'm doing is parsing my logs (using awstats) and
: ignoring those entries but i'd like for a way to block them out of my
: log completely. any suggestions? how do you deal with it?
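
The log-filtering approach mentioned in the quoted message, as an added example that is not part of the original thread: it separates the worm probes from normal traffic before the log reaches a stats tool, decoding the double percent-encoding (`%25%35%63` becomes `%5c`, then a backslash) so the traversal form is caught too. The function names and the 192.0.2.x sample lines are constructed for illustration; the request paths are the ones quoted above.

```python
import re
from urllib.parse import unquote

# Request line inside a Common/Combined Log Format entry.
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/\d\.\d"')
# Executables requested in the log lines quoted in this thread.
PROBE_RE = re.compile(r'/(?:cmd|root)\.exe$', re.IGNORECASE)

def fully_decode(path, max_rounds=5):
    """Percent-decode until stable, so nested encodings are unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_worm_probe(line):
    """True if the entry requests cmd.exe/root.exe or uses '..' traversal."""
    m = REQUEST_RE.search(line)
    if not m:
        return False
    raw_path = m.group(1).split('?', 1)[0]           # drop the query string
    path = fully_decode(raw_path).replace('\\', '/')  # normalise separators
    return bool(PROBE_RE.search(path)) or '..' in path.split('/')

def split_log(lines):
    """Return (clean, probes) so only 'clean' is fed to the stats tool."""
    clean, probes = [], []
    for line in lines:
        (probes if is_worm_probe(line) else clean).append(line)
    return clean, probes

# Constructed sample entries (documentation addresses, paths from the thread).
SAMPLE = [
    '192.0.2.7 - - [18/Dec/2002:10:11:09 +0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 298 "-" "-"',
    '192.0.2.8 - - [18/Dec/2002:13:11:59 +0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"',
    '192.0.2.9 - - [18/Dec/2002:08:42:05 +0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274 "-" "-"',
    '192.0.2.10 - - [18/Dec/2002:10:12:00 +0500] "GET /docs/my%20file.html HTTP/1.0" 200 1043 "-" "-"',
]

if __name__ == "__main__":
    clean, probes = split_log(SAMPLE)
    print(f"{len(probes)} probe entries filtered, {len(clean)} kept")
```
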

