Re: Unrecognized IP Addresses before the site could go live!!!

From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 05/02/04


Date: Sun, 2 May 2004 09:19:45 -0700

You have not given us much to work with here.
You see "strange IP addresses" in the w3svc logfiles.
I have to assume that you are intending to allow access to the
webserver, so why is it strange to see outside ("strange"?) IPs
hitting on the server?

-- 
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA,  MCSE W2k3+W2k+Nt4
"John" <anonymous@discussions.microsoft.com> wrote in message 
news:697001c42ebf$48038d00$a601280a@phx.gbl...
> Hi,
>
> This is a new webserver (Windows 2000 with IIS 5.0). This
> server is inside the DMZ zone, and it has still not gone
> live. We have two firewalls: 1. the corporate and 2. the DMZ
> firewall.
>
> But, we see strange IP Addresses being recorded on the
> webserver log files. When we do a traceroute to this it
> TIMES OUT at certain points.
>
> Some IP addresses do reach the destination.
>
> Is this some kind of Security Breach we are seeing that
> some program has been installed or a Trojan Horse that is
> trying to send information to the outside world?
>
> I am not sure whether I have Installed the URL SCAN on
> this server, but I can get that installed ASAP. We have
> Security Settings implemented on this also. Even though it
> may not be Hisecweb.inf but we have a default template for
> securing our servers. Unless and until, I need to use only
> this to ensure that the webserver is secure, then I will
> have to inform the management about this.
>
> Please do let me know! Other Security Experts!
>
> and thanks in Advance. 

