Re: CODE RED II, help....

From: Jeff Cochran (jcochran.nospam_at_naplesgov.com)
Date: 04/30/03
Date: Wed, 30 Apr 2003 14:17:50 GMT

On Tue, 29 Apr 2003 18:38:47 -0700, "peter picataggio"
<p_picataggio@hotmail.com> wrote:

>I am running Windows 2000 and IIS 5.0, all the latest
>patches, and I run a software firewall, BlackICE (the latest
>version), and I have a SonicWall firewall as well. I also
>have the latest Norton Anti-Virus running on the machine.

I'd be tempted to use the SonicWall to block everything and forget
Black Ice, but that's another discussion...

>At minimum I get 40 - 50 attempted CODE RED II attacks on my
>server every day. I also get hundreds of port probes and a
>bunch of other attempted attacks.

Sounds normal. :)

>I use NAT on my SonicWall firewall and have mapped port 80 to
>one of my internal addresses.

Also normal.

>Does anyone have any clue on how I can put a stop to this
>once and for all? Or is this just the nature of the beast
>and I need to deal with it?

Drive around and kill everyone who runs a system sending you Code Red
attacks...?

>Every day my BlackICE firewall will be red and have hundreds
>of attacks listed, mainly Code Red II, always from different
>addresses, but I feel like I am being picked on, not really,
>but I hope you get my point.

Stop logging these attacks in Black Ice, they're not helping.

>Then to top it off, BlackICE will store everything inside
>of its logs, so now my virus software gets triggered and
>puts the log and evidence files into the Quarantine
>section.

Same solution.

>Is there anything I can do where when it sees a CODE RED
>attack it just plain and simply blocks that IP or drops
>their connection or something.

Block the IP if you want, but you could be chasing them for quite a
while. Use URLScan to drop the requests at IIS, and filter those out
of your logs for your analysis software.

Basically, ignore the attacks if you know they won't be successful.

Jeff
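The second half of Jeff's advice, filtering the worm requests out of the IIS logs before they reach the analysis software, can be scripted. The following is an added example and not code from Jeff, Peter, or any tool named in the thread. It assumes the default IIS 5.0 W3C Extended log layout with a `#Fields:` directive line, and it uses the well-known shape of the worm's request (an oversized query to a `.ida` URL, padded with `N` for the original Code Red and `X` for Code Red II) as its signature; the padding-length threshold and the sample log lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed IIS 5.0 W3C Extended log excerpt (sample data, not a real capture).
# The .ida query strings are shortened; real worm requests run to a few hundred bytes.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-04-29 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-04-29 00:01:12 192.0.2.10 GET /default.ida XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801=a 404
2003-04-29 00:02:33 198.51.100.7 GET /index.htm - 200
2003-04-29 00:03:05 192.0.2.10 GET /default.ida XXXXXXXXXXXXXXXX%u9090%u6858=a 404
2003-04-29 00:04:41 203.0.113.5 GET /default.ida NNNNNNNNNNNNNNNN%u9090%u6858=a 404
2003-04-29 00:05:02 198.51.100.7 GET /images/logo.gif - 200
"""

# Code Red hit the Index Server ISAPI extension through an oversized .ida query.
# The original variant pads the query with 'N', Code Red II pads it with 'X'.
# The run length of 8 is an assumed threshold chosen for this example.
_IDA_STEM = re.compile(r"\.id[aq]$", re.IGNORECASE)
_CRII_PAD = re.compile(r"^X{8,}")
_CRI_PAD = re.compile(r"^N{8,}")


def parse_w3c(text):
    """Yield (raw_line, fields_dict); directive lines yield (raw_line, None)."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            yield line, None
            continue
        if fields is None:
            raise ValueError("log data appears before the #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("field count mismatch in line: %r" % line)
        yield line, dict(zip(fields, values))


def classify(stem, query):
    """Return 'codered2', 'codered1', 'ida-probe', or None for one request."""
    if not _IDA_STEM.search(stem):
        return None
    if _CRII_PAD.match(query):
        return "codered2"
    if _CRI_PAD.match(query):
        return "codered1"
    return "ida-probe"  # any other .ida/.idq request; a web server has no use for them


def filter_log(text):
    """Split a W3C log into clean lines plus counts of the worm noise removed."""
    kept, dropped, sources = [], Counter(), Counter()
    for raw, row in parse_w3c(text):
        if row is None:
            kept.append(raw)  # keep directives so the output is still valid W3C
            continue
        label = classify(row["cs-uri-stem"], row["cs-uri-query"])
        if label is None:
            kept.append(raw)
        else:
            dropped[label] += 1
            sources[row["c-ip"]] += 1
    return {"kept": kept, "dropped": dropped, "sources": sources}


if __name__ == "__main__":
    result = filter_log(SAMPLE_LOG)
    print("\n".join(result["kept"]))
    print("dropped:", dict(result["dropped"]))
    print("noisiest sources:", result["sources"].most_common(3))
```

The cleaned lines can be fed to the analysis software while the `sources` counter answers the "am I being picked on" question directly: a handful of addresses that recur every day are worth a firewall rule, the long tail of one-off hosts is not.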
