Re: Help - Port 80 being targeted

From: rooks mahn (rooksmahn@yahoo.com)
Date: 07/09/02


From: rooksmahn@yahoo.com (rooks mahn)
Date: 8 Jul 2002 17:35:48 -0700

Run URLScan. It's free from Microsoft and works pretty well.

Be careful though. The first time I installed it I screwed up my
virtual site and had to delete it and recreate it again. Luckily it
was only my machine at home and it didn't have anything important,
just a test site. URLScan installs as an ISAPI filter. After
installation you will see it listed. I think you can install it so
that it either applies to one virtual site, or ALL virtual hosts
running on that IIS server. The reason it was screwed up was that I
tried editing the initial ini file for URLScan and must have added a
space or a character that it didn't like. The second time I installed
it I was VERY careful about what I typed and I was able to edit it
without a problem and make the changes I wanted. You should only allow
file extensions you actually use, so it should be a fairly short list!

I still see a lot of entries for Code Red in the URLScan logs. I also
use BlackIce PC version and have a 3COM OfficeConnect Firewall, but as
I have port 80 open firewalls don't do me any good! You need to have
SOME sort of extra protection. I haven't checked out SecureIIS by eEye
yet but I think nowadays we need more of this type of app to keep
people out where ports have to be left open for people to access your
systems.

Good Luck!

RooksMahn-)

"x y" <jamescagney90210@excite.com> wrote in message news:<evOjXp1ICHA.456@cpimsnntpa03>...
> W2k and XP pro have a limit of only 10 concurrent connections with no way to
> expand that, short of upgrading to w2k server or using another webserver
> such as apache.
>
> What you're seeing could possibly be a nimda or code red worm scanning your
> system, or something similar. To find out, check your web logs to see what
> URL if any that IP address is passing. I don't think there's anything you
> can do to 100% guarantee that one computer does not take up all 10 of your
> connections [you could double-check this in the IIS MMC in the section on
> bandwidth throttling and performance], but you can attempt to keep a worm
> from doing this. Here are some things you could try:
>
> - Install IISlockdown from microsoft.com/security or microsoft.com/download
> as it includes URLscan [probably won't help but is a very good idea for
> security]
> - Run blackice in Paranoid mode. I understand that this is the only mode
> that actually blocks all of the incoming requests. Other modes let at least
> the first request through.
> - Follow the security checklist at www.microsoft.com/security for securing
> IIS, especially the parts about deleting unnecessary files. I think some
> IIS worm scans may look for the existence of a certain file, and if that
> file is found, it may send a dozen more URLs / connection requests to your
> server even if it has been patched and is not vulnerable. The first URL or
> first few URLs in an attack as shown in your web logs might be the file that
> the worm is first looking for.
> - check your IIS logs, determine which worm if any is targeting your system,
> then search google.com to find out exactly how the worm begins the scan of
> your server and if there is a way to discourage it from sending dozens of
> URLs to your web server. Detailed analyses of nimda and code red are
> probably at www.cert.org
>
>
> "Nick" <nlel@ecosse.net> wrote in message
> news:ag1cv4$i8qt7$1@ID-77022.news.dfncis.de...
> > Hi;
> >
> > I have a webserver running on Port 80. The system has BlackIce Defender
> > IDS/Firewall and Norton AntiVirus running on it.
> >
> > I also use the dns2go.com client for name resolution.
> >
> > Problem;
> >
> > I use the dns2go.com client connection watcher and spotted this behaviour;
> >
> > I am occasionally getting multiple HTTP connections to port 80 from the
> > same ip address on different remote ports. The result of this is error "403.2
> > Access Denied to many users" when someone tries to access my webserver.
> >
> > Sometimes there are 5 connections, sometimes 10, but usually from a single ip
> > address on different remote ports. The only thing I can do is block the
> > remote IP address or IP address range and restart the webserver; this seems
> > to get rid of them and the webserver is accessible again.
> >
> > What could this be? Am I right in thinking it's not normal behaviour? (I am
> > using XP Pro IIS with all the latest security updates)
> >
> >
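As an added example, not code from any poster in this thread: a Python script that triages IIS W3C-format log lines the way the replies above suggest. It identifies which worm a client's requests resemble (Code Red's `default.ida` probe, Nimda's `root.exe`/`cmd.exe` and encoded-traversal probes, both documented in the public CERT advisories), reports any single client opening many connections (the symptom Nick describes), and flags requested file extensions outside a short URLScan-style allow list (rooks mahn's "only allow extensions you actually use"). The log excerpt, addresses, burst threshold and allow list are all constructed for illustration and are not from the thread.

```python
"""
Added example (not from the thread): triage IIS W3C-format log lines for
worm-style probes, disallowed extensions, and single clients that open
many connections. Log lines, IPs and timestamps are constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed W3C extended log excerpt; field order follows the #Fields line.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2002-07-08 17:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-07-08 17:00:01 192.0.2.10 GET /default.htm - 200
2002-07-08 17:00:05 198.51.100.7 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXX%u9090 404
2002-07-08 17:00:06 198.51.100.7 GET /scripts/root.exe /c+dir 404
2002-07-08 17:00:06 198.51.100.7 GET /MSADC/root.exe /c+dir 404
2002-07-08 17:00:07 198.51.100.7 GET /c/winnt/system32/cmd.exe /c+dir 404
2002-07-08 17:00:07 198.51.100.7 GET /d/winnt/system32/cmd.exe /c+dir 404
2002-07-08 17:00:08 198.51.100.7 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404
2002-07-08 17:00:09 198.51.100.7 GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe /c+dir 404
2002-07-08 17:00:15 192.0.2.11 GET /images/logo.gif - 200
2002-07-08 17:00:20 192.0.2.12 GET /index.asp - 200
"""

# Request patterns publicly documented for Code Red and Nimda (CERT advisories),
# matched against the URI stem only.
WORM_SIGNATURES = {
    "code-red": re.compile(r"^/default\.ida$", re.I),
    "nimda": re.compile(r"(root\.exe|cmd\.exe|%255c|%c0%af|%c1%1c)", re.I),
}

# Extensions the site actually serves, in the spirit of URLScan's
# AllowExtensions list (constructed for this example).
ALLOWED_EXTENSIONS = {".htm", ".html", ".asp", ".gif", ".jpg", ".css"}


def parse_w3c(text):
    """Yield dict records from W3C extended log text, using its #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directive lines (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a malformed line rather than misalign columns
        yield dict(zip(fields, values))


def classify(record):
    """Return the worm family a request resembles, or None."""
    stem = record.get("cs-uri-stem", "")
    for name, pattern in WORM_SIGNATURES.items():
        if pattern.search(stem):
            return name
    return None


def extension_of(stem):
    """Lower-cased file extension of a URI stem, or '' if it has none."""
    last = stem.rsplit("/", 1)[-1]
    return ("." + last.rsplit(".", 1)[-1].lower()) if "." in last else ""


def triage(text, burst_threshold=5):
    """Summarise worm hits, disallowed extensions and per-IP request bursts."""
    hits = defaultdict(Counter)      # ip -> family -> count
    per_ip = Counter()               # ip -> total requests
    disallowed = defaultdict(set)    # ip -> extensions outside the allow list
    for rec in parse_w3c(text):
        ip = rec["c-ip"]
        per_ip[ip] += 1
        family = classify(rec)
        if family:
            hits[ip][family] += 1
        ext = extension_of(rec["cs-uri-stem"])
        if ext and ext not in ALLOWED_EXTENSIONS:
            disallowed[ip].add(ext)
    return {
        "worm_hits": {ip: dict(c) for ip, c in hits.items()},
        "disallowed_extensions": {ip: sorted(e) for ip, e in disallowed.items()},
        "bursty_ips": {ip: n for ip, n in per_ip.items() if n >= burst_threshold},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run it against a real IIS log by replacing `SAMPLE_LOG` with the file contents; the `#Fields` line drives the column mapping, so sites that log different fields still parse as long as `c-ip` and `cs-uri-stem` are present. A client that shows up under both `worm_hits` and `bursty_ips` is the pattern Nick saw: one source address, many connections, none of them legitimate.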
