Q

Blocking attacks from HTTP to a Web server

I'd like to know how to block this type of attack from HTTP to my Web server:

2003-06-05 01:32:28 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /scripts/root.exe /c+dir 404 www -
2003-06-05 01:32:28 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /MSADC/root.exe /c+dir 404 www -
2003-06-05 01:32:28 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /c/winnt/system32/cmd.exe /c+dir 404 www -
2003-06-05 01:32:28 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /d/winnt/system32/cmd.exe /c+dir 404 www -
2003-06-05 01:32:28 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 www -
2003-06-05 01:32:32 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 www -
2003-06-05 01:32:32 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 www -
2003-06-05 01:32:32 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /msadc/..%5c../..%5c../..%5c/..?../..?../..?../winnt/system32/cmd.exe /c+dir 404 www -
2003-06-05 01:32:32 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /scripts/..?../winnt/system32/cmd.exe /c+dir 404 www -
2003-06-05 01:32:32 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /scripts/..?../winnt/system32/cmd.exe /c+dir 404 www -
2003-06-05 01:32:32 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /winnt/system32/cmd.exe /c+dir 404 www -
2003-06-05 01:32:32 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /winnt/system32/cmd.exe /c+dir 404 www -
2003-06-05 01:32:32 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 www -
2003-06-05 01:32:32 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 www -
2003-06-05 01:32:32 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 www -
2003-06-05 01:32:33 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 404 www -

Please help.

The best way to block attacks that attempt to use native tools or that attempt to issue command lines, call malicious code, attack a known vulnerability and so forth is to prevent the attack from reaching the Web server. Place some kind of scanner on the firewall that inspects the traffic headed for the Web server and blocks typical attack statements.

For example, if you are using ISA Server, you can now use URLScan, a free download from Microsoft, and add the capability to block or drop requests like those shown above. Products should be available that work with other firewalls. If the URLs above don't get to the Web server, we don't have to worry about the attack succeeding. Learn more about URLScan.

This was first published in June 2003
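
To see which of the logged requests a URL filter in front of the server would stop, and why, the following added example (not part of the original answer and not URLScan's own code) applies a simplified set of path checks to entries in the log layout shown in the question. The deny lists, function names and the final benign log entry are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Three entries copied from the question plus one constructed benign request.
SAMPLE_LOG = """\
2003-06-05 01:32:28 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /scripts/root.exe /c+dir 404 www -
2003-06-05 01:32:28 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 www -
2003-06-05 01:32:33 220.255.119.47 - W3SVC1 MAGIC 192.168.0.2 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 404 www -
2003-06-05 01:40:02 192.168.0.17 - W3SVC1 MAGIC 192.168.0.2 80 GET /products/index.htm - 200 www -
"""

DENY_EXTENSIONS = {".exe", ".com", ".bat", ".cmd"}  # assumed deny list
DENY_SEQUENCES = ("..", "\\", ":", "%")             # checked after decoding

def deny_reason(uri_stem):
    """Return why a request path would be rejected, or None if it passes."""
    decoded = unquote(uri_stem)
    # Decoding a second time must change nothing; otherwise the path hides
    # another layer of encoding (e.g. %255c -> %5c -> backslash).
    if unquote(decoded) != decoded:
        return "double-encoded"
    for seq in DENY_SEQUENCES:
        if seq in decoded:
            return "denied sequence " + repr(seq)
    ext = re.search(r"\.[A-Za-z0-9]+$", decoded.rsplit("/", 1)[-1])
    if ext and ext.group(0).lower() in DENY_EXTENSIONS:
        return "denied extension " + ext.group(0).lower()
    return None

def scan(log_text):
    """Yield (client_ip, uri_stem, reason) for each entry that would be blocked."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 13 or fields[8] not in ("GET", "POST", "HEAD"):
            continue  # not a request line in the layout shown in the question
        reason = deny_reason(fields[9])
        if reason:
            yield fields[2], fields[9], reason

def blocked_clients(log_text):
    """Count blocked requests per source address for firewall follow-up."""
    counts = {}
    for ip, _stem, _reason in scan(log_text):
        counts[ip] = counts.get(ip, 0) + 1
    return counts

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit, sep="  ")
```

The 404 status on every probe in the question shows that none of the requested files was found; filtering at the firewall keeps such requests from reaching the Web server at all.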
