[thelist] code red making a mess of logs

Ken Schaefer ken at adOpenStatic.com
Mon Jan 20 00:11:02 CST 2003

Sorry for the late reply on this, I've been on holidays :-)

From: "Chris W. Parker" <cparker at swatgear.com>
Subject: RE: [thelist] code red making a mess of logs

: >
: > a) Use a firewall
: how would using a firewall help? aren't these attacks directed at port
: 80? if so, a firewall wouldn't do much since he needs to keep port 80
: open for his legit website. let me know if i'm wrong.


How about using a firewall that supports an IDS (such as Cisco products)?

: you may already know this ken but i thought i'd mention it to everyone
: else. urlscan does not require that iis lockdown be installed.

True. But the IISLockDown tool allows you to choose a URLScan config
template based on what your server is supposed to be doing. So, if you're
running Outlook Web Access you'd choose the OWA template, as opposed to the
Web server template. From memory, URLScan didn't provide that (well, it
might now).

: used alone. another thing is that although urlscan does send the real
: requests to a different log, it still logs the attempts in the real
: logs. the only difference is that they do not contain any information. i
: don't remember exactly what they look like in the logs, but they look
: something like this...
: <date_time> 404 - - - - - - - - - -

I thought that could be suppressed using UseFastPathReject=1

: > -or-
: > c) Use a host-header. The attack is directed at the IP
: > address. If there's
: > no website listening on that IP address alone, nothing will
: > get logged.
: could you explain this in a little more detail? i'm not sure how this
: would be setup. (not because i don't think it would work, just because i
: don't know exactly what you mean.)

In the IIS MMC Snapin, edit the properties for the website getting the Code
Red/Nimda/whatever requests so that instead of:

IP Address | Port | Host Header
xxx.xxx.xxx.xxx | 80 | <none>

(which means that the website will respond to a request on xxx.xxx.xxx.xxx),
you have:

xxx.xxx.xxx.xxx | 80 | www.yoursite.com
xxx.xxx.xxx.xxx | 80 | yoursite.com
xxx.xxx.xxx.xxx | 80 | whateverelse.yoursite.com

which means that anyone getting to your site using http://www.yoursite.com
(and an HTTP 1.1 capable client) will be able to make a connection. Automated
attacks (which can't glean URLs from the DNS) won't be able to make a
connection, because the server will say "no site listening on

