Re: CODE RED II, help....

From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 04/30/03


Date: Wed, 30 Apr 2003 15:52:38 -0400


I don't recommend blocking the Code Red IP addresses... it's better and
easier to get a secure firewall configuration and more or less leave it as
long as it seems secure. There's nothing you can do to block these Code Red
requests that you're not already doing... it's a good thing that you're
seeing these in the firewall IMHO.

You do want to really consider installing the free URLScan from
www.microsoft.com/technet/security to further secure IIS if it isn't already
installed. Note also that just patches alone aren't necessarily enough to
secure an IIS server. See the IIS and Windows hardening checklists and
information at:

http://securityadmin.info/faq.htm#harden
http://securityadmin.info

I would also recommend the free software from www.mynetwatchman.com or
www.dshield.org which automatically reports hacking attempts to the hacker's
ISP for you.

"peter picataggio" <p_picataggio@hotmail.com> wrote in message
news:096f01c30eb9$3e9ef7d0$3001280a@phx.gbl...
> I am running Windows 2000 and IIS 5.0, all the latest
> patches and I run a software Firewall, BlackICE (the
> latest version), and I have a SonicWall Firewall as well.
> I also have the latest Norton Anti-Virus running on the
> machine.
>
> At minimum I get 40 - 50 attempted CODE RED II attacks on
> my server every day. I also get hundreds of Port probes
> and a bunch of other attempted attacks.
>
> I use NAT on my Sonic Firewall and have Mapped Port 80 to
> one of my internal addresses.
>
> Does anyone have any clue on how I can put a stop to this
> once and for all? Or is this just the nature of the beast
> and I need to deal with it?
>
> Every day my BlackICE Firewall will be red and have
> hundreds of attacks listed, mainly Code Red II, always
> from different addresses but I feel like I am being picked
> on, not really, but I hope you get my point.
>
> Then to top it off, BlackICE will store everything inside
> of its logs, so now my Virus Software gets triggered and
> puts the Log and Evidence files into the Quarantine
> section.
>
> Is there anything I can do where when it sees a CODE RED
> attack it just plain and simply blocks that IP or drops
> their connection or something.
>
> Any ideas would be great...
>
> Pete
>
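
An added example, not part of the original thread: a log triage script that counts Code Red style .ida probes in an IIS W3C extended log and shows how many distinct sources they come from, which is why per-IP blocking does not keep up. The log lines, IP addresses and the 16-character filler threshold are constructed assumptions; the overflow payload that follows the filler run in real requests is omitted.

```python
import re
from collections import Counter

# Constructed sample in IIS W3C extended format (documentation-range IPs,
# filler runs shortened, payload omitted); not data from the original thread.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-04-30 10:01:12 192.0.2.15 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 404
2003-04-30 10:07:45 198.51.100.7 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 404
2003-04-30 10:09:03 203.0.113.44 GET /index.htm - 200
2003-04-30 11:30:20 203.0.113.9 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN 404
2003-04-30 11:31:02 192.0.2.15 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 404
"""

# A .ida request whose query opens with a long run of one filler letter:
# 'N' for the original Code Red, 'X' for Code Red II.
FILLER = re.compile(r"^([NX])\1{15,}")
VARIANT = {"N": "Code Red", "X": "Code Red II"}

def summarize(log_text):
    """Return (probes per variant, probes per source IP, status codes seen)."""
    fields, variants, sources, statuses = [], Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows below
            continue
        if not line or line.startswith("#") or not fields:
            continue                           # other directives, blank lines
        row = dict(zip(fields, line.split()))
        match = FILLER.match(row.get("cs-uri-query", ""))
        if row.get("cs-uri-stem", "").lower().endswith(".ida") and match:
            variants[VARIANT[match.group(1)]] += 1
            sources[row.get("c-ip", "?")] += 1
            statuses[row.get("sc-status", "?")] += 1
    return variants, sources, statuses

if __name__ == "__main__":
    variants, sources, statuses = summarize(SAMPLE_LOG)
    print("probes by variant:", dict(variants))
    print("distinct sources :", len(sources))
    print("status codes     :", dict(statuses))
```
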


