Ask the Expert

Blocking attacks from HTTP to a Web server

I'd like to know how to block this type of attack from HTTP to my Web server:

2003-06-05 01:32:28 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /scripts/root.exe /c+dir 404 www -
2003-06-05 01:32:28 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /MSADC/root.exe /c+dir 404 www -
2003-06-05 01:32:28 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /c/winnt/system32/cmd.exe /c+dir 404 www -
2003-06-05 01:32:28 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /d/winnt/system32/cmd.exe /c+dir 404 www -
2003-06-05 01:32:28 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 www -
2003-06-05 01:32:32 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 www -
2003-06-05 01:32:32 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 www -
2003-06-05 01:32:32 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /msadc/..%5c../..%5c../..%5c/..?../..?../..?../winnt/system32/cmd.exe /c+dir 404 www -
2003-06-05 01:32:32 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /scripts/..?../winnt/system32/cmd.exe /c+dir 404 www -
2003-06-05 01:32:32 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /scripts/..?../winnt/system32/cmd.exe /c+dir 404 www -
2003-06-05 01:32:32 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /winnt/system32/cmd.exe /c+dir 404 www -
2003-06-05 01:32:32 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /winnt/system32/cmd.exe /c+dir 404 www -
2003-06-05 01:32:32 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 www -
2003-06-05 01:32:32 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 www -
2003-06-05 01:32:32 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 www -
2003-06-05 01:32:33 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 404 www -

Please help.

The best way to block attacks that attempt to use native tools or that attempt to issue command lines, call malicious code, attack a known vulnerability and so forth, is to prevent the attack from reaching the Web server. Place some kind of a scanner on the firewall that inspects the traffic headed for the Web server and blocks typical attack statements.

For example, you can now use URLScan, a free download from Microsoft, and add the capability to block or drop requests like those shown above if you are using ISA Server. Products should be available that work with other firewalls. If the URLs above don't get to the Web server, we don't have to worry about the attack succeeding. Learn more about URLScan.

This was first published in June 2003
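The kind of request inspection the answer describes, sketched as an added example (not code from the original article and not URLScan's own logic): it reads log lines in the field layout shown in the question and flags the URL patterns seen there. The deny list, function names and sample lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed deny list of executable extensions (illustrative, not URLScan's defaults).
DENY_EXTENSIONS = {".exe", ".com", ".bat", ".cmd"}
# Percent-encoded "\" (%5c) or "/" (%2f), including re-encoded forms such as %255c.
ENCODED_SEPARATOR = re.compile(r"%(25)*(5c|2f)", re.IGNORECASE)

def normalize(uri, max_rounds=3):
    """Percent-decode until stable, then fold backslashes and case."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri.replace("\\", "/").lower()

def deny_reasons(uri):
    """Return the reasons a filter in front of the server would drop this URL."""
    path = normalize(uri)
    reasons = []
    if ".." in path:
        reasons.append("traversal")
    if ENCODED_SEPARATOR.search(uri):
        reasons.append("encoded-separator")
    if posixpath.splitext(path)[1] in DENY_EXTENSIONS:
        reasons.append("executable")
    return reasons

def scan(log_lines):
    """Yield (client, uri, reasons) for each flagged line; field 3 is the client, field 10 the URI stem."""
    findings = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 12 or fields[0].startswith("#"):
            continue
        reasons = deny_reasons(fields[9])
        if reasons:
            findings.append((fields[2], fields[9], reasons))
    return findings

# Constructed sample lines in the same layout as the log in the question.
SAMPLE_LOG = [
    "2003-06-05 01:32:28 203.0.113.5 - W3SVC1 WEB01 192.0.2.2 80 GET /scripts/root.exe /c+dir 404 www -",
    "2003-06-05 01:32:28 203.0.113.5 - W3SVC1 WEB01 192.0.2.2 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 www -",
    "2003-06-05 01:32:33 203.0.113.5 - W3SVC1 WEB01 192.0.2.2 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 404 www -",
    "2003-06-05 01:33:10 203.0.113.9 - W3SVC1 WEB01 192.0.2.2 80 GET /default.htm - 200 www -",
]

if __name__ == "__main__":
    for client, uri, reasons in scan(SAMPLE_LOG):
        print(client, uri, ",".join(reasons))
```

The same checks can be run over existing logs to see which clients a filter would have stopped before deciding what to block at the firewall.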
