security_asp thread: RE: security


Message #1 by "George Draper" <gdraper@c...> on Thu, 15 Nov 2001 12:16:07 -0500

I agree.  It sounds like Nimda.  We are still getting some of those url 
requests on our servers.  You're right that the standard MS patches are 
adequate for this particular threat, but you should look into MS's URLScan 
tool.  It adds another whole level of security.  The only downside is that 
you can't use it if you rely on FrontPage extensions because it will block 
those requests as well.  Good luck.

- George

>>> jsperanza@g... 10/29/01 10:43AM >>>
My educated guess is the activity you see in your server logs is
from machines that have been infected with the Code Red and/or
Nimda viruses.  Nimda is particularly robust code in that it
attempts to replicate itself by exploiting several of the known
vulnerabilities in IIS.  If you have the latest patches from
Microsoft, however, you should be fine.

One way to confirm my suspicions would be to compare the exploit
attempts your log reflects against the type of attacks Code Red
and Nimda are known to utilize (you can get this info from most
anti-virus vendors, or go to www.sans.org for further details).

Hope this is helpful to you.


-----Original Message-----
From: Dan McKinnon [mailto:mddonna@u...]
Sent: Monday, October 29, 2001 5:33 AM
To: Security_asp
Subject: [security_asp] security


Hi --

My ASP Web site was hacked several months ago, and I took some
countermeasures and got it back up. I'm noticing in my log files that
people (or automated) are still trying to hack it by various methods, most
notably by writing GET parameters in the URL, trying to make copies of
cmd.exe, etc. Some of the attempts I see recorded I am not familiar with,
in fact most of them, but they seem to be alterations of URLs.

What can I do about this? I have the latest service packs and security
patches installed, and I use a firewall that has pretty strict settings.

Should I take note of where the hack attempts originate from and take some
action? One of them I tracked down to a RIPE site, which doesn't make
sense. Are there any more precautions I should take?

Thank you.
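
The comparison suggested in the thread (checking logged requests against the request shapes Code Red and Nimda are known to use), sketched as an added example that is not part of any poster's message. The signatures are taken from public 2001 advisories, and the log lines, field layout and addresses are constructed sample data.

```python
import re
from urllib.parse import unquote

# Request shapes from public 2001 advisories on these worms (an assumption
# of this example; the thread itself lists no signatures).
SIGNATURES = [
    ("Code Red", re.compile(r"/default\.ida\?[NX]{16,}", re.I)),
    ("Nimda", re.compile(r"/(scripts|msadc)/root\.exe", re.I)),
    ("Nimda", re.compile(r"/system32/cmd\.exe", re.I)),
]

def decode(uri, rounds=3):
    """Undo nested percent-encoding (%255c -> %5c -> backslash)."""
    for _ in range(rounds):
        nxt = unquote(uri, errors="replace")
        if nxt == uri:
            break
        uri = nxt
    return uri.replace("\\", "/")

def classify(uri):
    """Return the worm name whose request shape matches, else None."""
    uri = decode(uri)
    return next((name for name, rx in SIGNATURES if rx.search(uri)), None)

def scan(lines):
    """Map worm name -> set of client IPs for a W3C extended format log."""
    fields, hits = [], {}
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is declared by the log
            continue
        if line.startswith("#") or not line.strip() or not fields:
            continue
        row = dict(zip(fields, line.split()))
        uri = row.get("cs-uri-stem", "")
        if row.get("cs-uri-query", "-") != "-":
            uri += "?" + row["cs-uri-query"]
        name = classify(uri)
        if name:
            hits.setdefault(name, set()).add(row.get("c-ip", "?"))
    return hits

SAMPLE = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-10-29 05:12:01 192.0.2.10 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNN 200
2001-10-29 05:13:44 198.51.100.7 GET /scripts/root.exe /c+dir 404
2001-10-29 05:13:45 198.51.100.7 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404
2001-10-29 05:20:00 203.0.113.5 GET /default.asp id=4 200
""".splitlines()  # constructed lines; the Code Red query is truncated

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Requests that match come from already-infected hosts scanning at random, so the source addresses identify other victims rather than a targeted attacker.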
