[thelist] code red making a mess of logs

Chris W. Parker cparker at swatgear.com
Thu Dec 19 11:24:01 CST 2002

> -----Original Message-----
> From: Ken Schaefer [mailto:ken at adOpenStatic.com]
> Sent: Wednesday, December 18, 2002 4:21 PM
> To: thelist at lists.evolt.org
> Subject: Re: [thelist] code red making a mess of logs
> a) Use a firewall

how would using a firewall help? aren't these attacks directed at port
80? if so, a firewall wouldn't do much since he needs to keep port 80
open for his legit website. let me know if i'm wrong.

> -or-
> b) If you're using IIS, use the IIS Lockdown tool to install
> URLScan - this
> is an ISAPI filter which will block these types of requests
> (and log them to
> it's own logfile)

you may already know this ken but i thought i'd mention it to everyone
else. urlscan does not require that iis lockdown be installed. it can be
used alone. another thing is that although urlscan does send the real
requests to a different log, it still logs the attempts in the real
logs. the only difference is that they do not contain any information. i
don't remember exactly what they look like in the logs, but they look
something like this...

<date_time> 404 - - - - - - - - - -

anyways, just thought i'd mention it.

> -or-
> c) Use a host-header. The attack is directed at the IP
> address. If there's
> no website listening on that IP address alone, nothing will
> get logged.

could you explain this in a little more detail? i'm not sure how this
would be setup. (not because i don't think it would work, just because i
don't know exactly what you mean.)


More information about the thelist mailing list