Re: Repeated Unsuccessful Attacks to OS and ???

From: Geoffrey V. Brown (geoffb@deerfield.com)
Date: 02/13/03


From: "Geoffrey V. Brown" <geoffb@deerfield.com>
Date: Thu, 13 Feb 2003 11:45:46 -0500


Hi,
It would appear to be a characteristic of an IIS exploit. If it is a
virus, there may be information on it here: http://www.viruslibrary.com/

Obviously, patching and locking down the server is the best practice.
Note, of course, that even if your server is locked down and secure, you
will still get hit with these requests. They will do nothing but add
some additional load on your server.

Previously, our servers were getting hit with so many of these that it
actually had an impact on our server performance, since most of our
pages are dynamic, and we had an intelligent 404 trapping system. We
deployed an active defense system, which blocked all of these types of
attacks and exploits.

You have a few options for blocking this sort of thing. A firewall will
work in some cases and will also help you to block "known" attackers
once you identify them.

Applications like SecureIIS, or Active Defense
(http://www.deerfield.com/products/visnetic_activedefense/, our product,
in beta and to be released next week :) ) are extremely effective in
identifying and blocking exploits and invalid requests being sent to the
web server.

Geoff B

Gary wrote:
> We are running IIS 5.0 and we are getting repeated attacks (usually several
> daily) to:
>
> /sumthin
> /default.ida NNNNNNNNNNNNNNNNNNNNNN (very long string)
> /winnt/system32/cmd.exe
> /scripts...
>
> At this point they are all unsuccessful but I fear it is only a matter of
> time before something makes it in. They are usually from a different IP on
> each series of attacks.
>
> What are these attacks and is there ANY way to stop them???
>
> I have been told the only way is to be sure the server is updated and
> properly patched since the requests come in on port 80. Is this true or is
> there a known way to block these attacks? They come in on several of our
> websites.
>
> What are some recommended suggestions on the router or firewall? I would
> appreciate any help...
>
> Gary
>
>
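
Added example, not part of the original thread or of any product named in it: a small Python scan of an IIS W3C extended log that flags the two request shapes Gary lists (an `.ida` request with a very long query string, and a request for `cmd.exe`) and groups them by source IP, which is the "identify them" step before a firewall block. The log lines, the IP addresses and the `MAX_QUERY` threshold are constructed assumptions.

```python
from collections import defaultdict

MAX_QUERY = 100  # assumed threshold; tune to the longest legitimate query string

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-02-13 10:01:02 192.0.2.10 GET /default.ida {n} 404
2003-02-13 10:01:05 198.51.100.7 GET /winnt/system32/cmd.exe - 404
2003-02-13 10:01:09 198.51.100.7 GET /sumthin - 404
2003-02-13 10:02:00 203.0.113.5 GET /index.asp id=42 200
2003-02-13 10:02:10 203.0.113.5 GET /default.ida - 404
""".format(n="N" * 224)


def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive as the column map."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def classify(entry):
    """Return a rule name for a probe-shaped request, or None."""
    stem = entry["cs-uri-stem"].lower()
    query = entry["cs-uri-query"]
    if stem.endswith(".ida") and len(query) > MAX_QUERY:
        return "ida-long-query"
    if stem.endswith("cmd.exe"):
        return "cmd-exe"
    return None


def probes_by_ip(text):
    """Map each client IP to the probe rules it triggered."""
    hits = defaultdict(list)
    for entry in parse_w3c(text):
        rule = classify(entry)
        if rule:
            hits[entry["c-ip"]].append(rule)
    return dict(hits)


if __name__ == "__main__":
    for ip, rules in sorted(probes_by_ip(SAMPLE_LOG).items()):
        print(ip, rules)
```

The short `/default.ida -` request from 203.0.113.5 is deliberately not flagged: the rule keys on the over-long query string, not on the file name alone.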


