[thelist] speaking of security...

Chris W. Parker cparker at swatgear.com
Wed Aug 13 10:45:04 CDT 2003

jsWalter <mailto:jsWalter at torres.ws>
    on Tuesday, August 12, 2003 11:47 PM said:

> Some amateur has been pounding my server for weeks now...
>     GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir

It's most likely other machines that are infected with the Nimda and/or
Code Red worm. I don't know if the web server you are using can utilize
ISAPI DLLs like IIS can, but you should look into URLScan from
Microsoft. It's a free utility that will filter out the GET requests
received by the server. It's already got a pretty good default config
file (iirc) so there may not need to be any tweaking on your part.

What this program will do is, before the GET request is even seen by IIS
it will have to go through the URLScan filter. If the request does not
match any of the patterns (can't remember if they are regex or not, I
sort of don't think they are) in the config file it will send the
request to IIS. Conversely if it DOES match a pattern it is logged and
then discarded. The webserver never even knows it happened.
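
The request quoted above hides its `/` as `%252f`, which only becomes a slash after two rounds of percent-decoding. The following is an added example, not part of the original post and not URLScan's own code: a small log checker that decodes each requested URL until it stops changing, then flags multiply-encoded URLs and URLs containing denied sequences. The deny list, the log format and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Sequences rejected after full decoding (assumed deny list for this sketch).
DENY_SEQUENCES = ("..", "cmd.exe", "\\")

# Pulls the method and URL out of a common-log-format request field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+)')

def fully_decode(url, max_rounds=5):
    """Percent-decode repeatedly until stable; return (decoded, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(url)
        if decoded == url:
            break
        url, rounds = decoded, rounds + 1
    return url, rounds

def check_url(url):
    """Return the reasons to reject a URL (empty list means it passes)."""
    decoded, rounds = fully_decode(url)
    path = decoded.split("?", 1)[0].lower()
    reasons = []
    if rounds > 1:
        # A legitimate client encodes once; "%252f" needs two rounds.
        reasons.append("multiply-encoded")
    reasons += [f"deny-sequence:{s}" for s in DENY_SEQUENCES if s in path]
    return reasons

def scan(log_lines):
    """Yield (url, reasons) for each logged request that would be rejected."""
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m:
            reasons = check_url(m.group("url"))
            if reasons:
                yield m.group("url"), reasons

# Constructed sample log lines (addresses from the documentation range).
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Aug/2003:10:01:02 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '192.0.2.11 - - [13/Aug/2003:10:01:05 -0500] "GET /articles/css%20tips.html HTTP/1.1" 200 5120',
    '192.0.2.12 - - [13/Aug/2003:10:01:09 -0500] "GET /index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for url, reasons in scan(SAMPLE_LOG):
        print(url, "->", ", ".join(reasons))
```

A filter that inspects only the raw or once-decoded URL sees `..%2f..` rather than `../..`, which is why the check runs on the fully decoded path.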


