Re: CODE RED II, help....

From: BB (Bernard_at_3exp.com)
Date: 04/30/03


Date: Wed, 30 Apr 2003 10:32:58 +0800


Yes, if you notice the pattern of attacks and have
the IP info, just use your firewall to block it.
You can also complain to the authorities about this,
or even send a mail to the infected machine's owner
(dig out their network info, or go by the domain name info).

You can also install URLScan to filter the requests
and stop IIS from further processing such requests.

-- 
Regards,
Bernard Cheah
http://support.microsoft.com/
"peter picataggio" <p_picataggio@hotmail.com> wrote in message
news:096f01c30eb9$3e9ef7d0$3001280a@phx.gbl...
> I am running Windows 2000 and IIS 5.0, all the latest
> patches and I run a software Firewall, BlackICE (the
> latest version), and I have a SonicWall Firewall as well.
> I also have the latest Norton Anti-Virus running on the
> machine.
>
> At minimum I get 40 - 50 attempted CODE RED II attacks on my
> server every day. I also get hundreds of port probes and a
> bunch of other attempted attacks.
>
> I use NAT on my SonicWall Firewall and have mapped Port 80 to
> one of my internal addresses.
>
> Does anyone have any clue on how I can put a stop to this
> once and for all? Or is this just the nature of the beast
> and I need to deal with it?
>
> Every day my BlackICE Firewall will be red and have
> hundreds of attacks listed, mainly Code Red II, always from
> different addresses, but I feel like I am being picked on,
> not really, but I hope you get my point.
>
> Then to top it off, BlackICE will store everything inside
> of its logs, so now my Virus Software gets triggered and
> puts the Log and Evidence files into the Quarantine
> section.
>
> Is there anything I can do where when it sees a CODE RED
> attack it just plain and simply blocks that IP or drops
> their connection or something?
>
> Any ideas would be great...
>
> Pete
>
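
One way to collect the "IP info" the reply refers to, as an added example that is not part of the original thread: a Python script that reads IIS W3C extended log lines and counts source addresses requesting an `.ida` resource with a long run of one repeated character in the query string, which is the shape of the Code Red family's requests. It is deliberately broader than one worm's exact string. The log field layout, the 64-character threshold, and all sample lines and addresses are assumptions constructed for the example.

```python
import re
from collections import Counter

# Constructed sample (not from the thread): IIS W3C extended log lines.
# The padding runs stand in for the worm's long filler; no payload is included.
PAD_X = "X" * 224
PAD_N = "N" * 224
SAMPLE_LOG = f"""\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-04-29 02:11:07 203.0.113.45 GET /default.ida {PAD_X} 404
2003-04-29 02:15:40 198.51.100.7 GET /index.htm - 200
2003-04-29 03:02:19 192.0.2.18 GET /default.ida {PAD_N} 404
2003-04-29 03:44:51 203.0.113.45 GET /Default.IDA {PAD_X} 404
2003-04-29 04:00:02 198.51.100.7 GET /search.ida q=firewall 404
"""

# Assumed threshold: 64 or more repeats of a single character in the query.
LONG_RUN = re.compile(r"(.)\1{63,}")


def suspicious_sources(log_text):
    """Return a Counter of client IPs that sent padded .ida requests."""
    fields = []
    hits = Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # The directive names the columns; honour it instead of guessing.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated entry
        row = dict(zip(fields, parts))
        stem = row.get("cs-uri-stem", "").lower()
        query = row.get("cs-uri-query", "")
        if stem.endswith(".ida") and LONG_RUN.search(query):
            hits[row.get("c-ip", "?")] += 1
    return hits


if __name__ == "__main__":
    for ip, count in suspicious_sources(SAMPLE_LOG).most_common():
        print(f"{ip}\t{count}")
```

The resulting address list is what would be fed to the firewall block rules or used to look up the owner of each infected machine.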

