Attack

From: Ranjan (ranjan_babu_g_at_hotmail.com)
Date: 09/16/03


Date: Tue, 16 Sep 2003 07:07:39 -0700


I feel some attack is going on in my server.

How can I know an attack happened to my IIS server other than from the
logs of IIS? Pls find the logs in w3svc1.

We have given natting to the IIS server. Is there any way to make the server
secure from the outside world other than a firewall?

Can I go for IPsec? Pls give your suggestion to secure my
server. Anybody help me!

Regards
Ranjan

Pls find the logs in w3svc1
-----------------------------

Logs
---------

#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-09-14 00:02:39
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2003-09-14 00:02:39 68.90.72.52 - 10.91.2.15 80 GET / - 401 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98)
2003-09-14 00:02:41 68.90.72.52 - 10.91.2.15 80 SEARCH / - 401 -
2003-09-14 00:02:55 68.86.143.83 - 10.91.2.15 80 GET / - 401 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98)
2003-09-14 00:02:55 68.86.143.83 - 10.91.2.15 80 SEARCH / - 401 -
2003-09-14 00:02:59 24.160.147.166 - 10.91.2.15 80 GET / - 401 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98)
2003-09-14 00:02:59 24.160.147.166 - 10.91.2.15 80 SEARCH / - 401 -
2003-09-14 00:03:03 4.4.104.163 - 10.91.2.15 80 GET / - 401 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98)
2003-09-14 00:03:04 4.4.104.163 - 10.91.2.15 80 SEARCH / - 401 -
2003-09-14 00:03:07 220.108.100.105 - 10.91.2.15 80 GET / - 401 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98)
2003-09-14 00:03:07 220.108.100.105 - 10.91.2.15 80 SEARCH / - 401 -
2003-09-14 00:03:45 69.133.2.104 - 10.91.2.15 80 GET / - 401 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98)
2003-09-14 00:03:46 69.133.2.104 - 10.91.2.15 80 SEARCH / - 401 -
2003-09-14 00:04:03 64.33.205.174 - 10.91.2.15 80 GET / - 401 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98)
2003-09-14 00:04:04 64.33.205.174 - 10.91.2.15 80 SEARCH / - 401 -
2003-09-14 00:05:19 65.64.93.69 - 10.91.2.15 80 GET / - 401 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98)
2003-09-14 00:05:24 216.139.181.70 - 10.91.2.15 80 GET / - 401 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98)
2003-09-14 00:05:27 216.139.181.70 - 10.91.2.15 80 SEARCH / - 401 -
2003-09-14 00:06:05 4.62.15.42 - 10.91.2.15 80 GET / - 401 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98)
2003-09-14 00:06:06 4.62.15.42 - 10.91.2.15 80 SEARCH / - 401 -
2003-09-14 00:06:41 149.142.180.187 - 10.91.2.15 80 GET / - 401 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98)
2003-09-14 00:06:41 149.142.180.187 - 10.91.2.15 80 SEARCH / - 401 -
2003-09-14 00:07:30 24.157.238.128 - 10.91.2.15 80 GET / - 401 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98)
2003-09-14 00:08:09 172.167.1.83 - 10.91.2.15 80 GET / - 401 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98)
2003-09-14 00:08:13 172.167.1.83 - 10.91.2.15 80 SEARCH / - 401 -
2003-09-14 00:09:24 211.132.109.241 - 10.91.2.15 80 GET / - 401 Mozilla/4.0+(compatible;+MSIE+5.
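
Added example, not part of the original post: one way to triage a W3C extended log like the one posted, grouping requests by client and flagging clients that used a non-browser method such as SEARCH (a WebDAV method) and were answered only with 401. The sample log, its documentation-range addresses, and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in the same W3C extended format as the posted log
# (documentation-range client addresses, not values from the post).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2003-09-14 00:02:39 192.0.2.10 - 10.0.0.5 80 GET / - 401 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98)
2003-09-14 00:02:41 192.0.2.10 - 10.0.0.5 80 SEARCH / - 401 -
2003-09-14 00:03:10 198.51.100.7 - 10.0.0.5 80 GET /index.htm - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2003-09-14 00:03:45 203.0.113.9 - 10.0.0.5 80 GET / - 401 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98)
2003-09-14 00:03:46 203.0.113.9 - 10.0.0.5 80 SEARCH / - 401 -
"""

# Methods an ordinary browser sends; anything else deserves a closer look.
BROWSER_METHODS = {"GET", "HEAD", "POST"}

def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or mail-wrapped lines
                yield dict(zip(fields, values))

def summarize(text):
    """Per client IP: request count, methods seen, number of 401 responses."""
    stats = defaultdict(lambda: {"requests": 0, "methods": set(), "denied": 0})
    for row in parse_w3c(text):
        s = stats[row["c-ip"]]
        s["requests"] += 1
        s["methods"].add(row["cs-method"])
        s["denied"] += row["sc-status"] == "401"
    return dict(stats)

def suspicious_clients(text):
    """Clients that used a non-browser method and were denied on every request."""
    return sorted(
        ip for ip, s in summarize(text).items()
        if s["methods"] - BROWSER_METHODS and s["denied"] == s["requests"]
    )

if __name__ == "__main__":
    for ip in suspicious_clients(SAMPLE_LOG):
        print(ip, summarize(SAMPLE_LOG)[ip])
```

Log entries that a mail client has wrapped across two lines must be rejoined before parsing, because the parser skips any line whose field count does not match the #Fields directive.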


