Q

Blocking attacks from HTTP to a Web server

I'd like to know how to block this type of attack from HTTP to my Web server:

2003-06-05 01:32:28 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /scripts/root.exe /c+dir 404 www -
2003-06-05 01:32:28 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /MSADC/root.exe /c+dir 404 www -
2003-06-05 01:32:28 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /c/winnt/system32/cmd.exe /c+dir 404 www -
2003-06-05 01:32:28 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /d/winnt/system32/cmd.exe /c+dir 404 www -
2003-06-05 01:32:28 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 www -
2003-06-05 01:32:32 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 www -
2003-06-05 01:32:32 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 www -
2003-06-05 01:32:32 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /msadc/..%5c../..%5c../..%5c/..?../..?../..?../winnt/system32/cmd.exe /c+dir 404 www -
2003-06-05 01:32:32 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /scripts/..?../winnt/system32/cmd.exe /c+dir 404 www -
2003-06-05 01:32:32 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /scripts/..?../winnt/system32/cmd.exe /c+dir 404 www -
2003-06-05 01:32:32 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /winnt/system32/cmd.exe /c+dir 404 www -
2003-06-05 01:32:32 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /winnt/system32/cmd.exe /c+dir 404 www -
2003-06-05 01:32:32 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 www -
2003-06-05 01:32:32 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 www -
2003-06-05 01:32:32 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 www -
2003-06-05 01:32:33 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 404 www -

Please help.

The best way to block attacks that attempt to use native tools, issue command lines, call malicious code, attack a known vulnerability and so forth is to prevent the attack from reaching the Web server. Place some kind of scanner on the firewall that inspects the traffic headed for the Web server and blocks typical attack statements.

For example, if you are using ISA Server, you can now use URLScan, a free download from Microsoft, to add the capability to block or drop requests like those shown above. Products should be available that work with other firewalls. If the URLs above don't get to the Web server, we don't have to worry about the attack succeeding. Learn more about URLScan.

This was last published in June 2003
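To make the URL-scanning idea in the answer concrete, here is an added example (not part of the original Q&A and not URLScan's own code) that applies deny-sequence, deny-extension and double-encoding checks to IIS log lines like those in the question. The rule values, the function names and the assumption that the URL path is the tenth whitespace-separated field are choices made for this example.

```python
from urllib.parse import unquote

# Assumed rule values for this example, not a shipped filter configuration.
DENY_SEQUENCES = ("..", "./", "\\", ":", "%", "&")
DENY_EXTENSIONS = (".exe", ".bat", ".cmd", ".com")

def check_path(raw_path):
    """Return None if the URL path is allowed, else the reason it is rejected."""
    decoded = unquote(raw_path)
    # A path that still changes on a second decode was encoded twice.
    if unquote(decoded) != decoded:
        return "double-encoded"
    lowered = decoded.lower()
    for seq in DENY_SEQUENCES:
        if seq in lowered:
            return "sequence " + seq
    name = lowered.rsplit("/", 1)[-1]
    if "." in name and name[name.rfind("."):] in DENY_EXTENSIONS:
        return "extension " + name[name.rfind("."):]
    return None

def scan_log(lines):
    """Yield (client_ip, path, reason) for each logged request the rules reject."""
    for line in lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 12:
            continue  # skip header lines and short records
        # Assumed layout, read off the log in the question:
        # field 2 is the client IP, field 9 is the URL path.
        reason = check_path(fields[9])
        if reason:
            yield fields[2], fields[9], reason

PREFIX = "2003-06-05 01:32:28 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET "
SAMPLE = [
    # These three requests are taken from the log in the question.
    PREFIX + "/scripts/root.exe /c+dir 404 www -",
    PREFIX + "/scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 www -",
    PREFIX + "/scripts/..%2f../winnt/system32/cmd.exe /c+dir 404 www -",
    # These two requests are constructed for the example.
    PREFIX + "/docs/a%2520b.html - 404 www -",
    PREFIX + "/default.htm - 200 www -",
]

if __name__ == "__main__":
    for ip, path, reason in scan_log(SAMPLE):
        print(f"{ip} {path} -> rejected ({reason})")
```

Run against real logs, the same function shows which past requests a filter with these rules would have dropped before they reached the Web server, which helps when tuning the rules against legitimate traffic.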
