[Dshield] win32 exploit?

Mel Chandler PMI MChandler at pmi.delta.org
Mon Aug 6 16:27:20 GMT 2001


Yes, you can do it from IIS, just for http and ftp traffic.  The best way to
block it is to have your firewall do it.  That way all traffic is block and
not just http and ftp.  Plus it gives you a single point of administration
for security.

Mel L. Chandler, A+, Network+, MCNE, MCDBA, MCSE+I, CCNA
MChandler at PMI.Delta.org
Network Analyst
Information Services
PMI Delta Dental
(562) 467-6627

===================================
= not many animals were harmed in =
=    the making of this email     =
===================================


-----Original Message-----
From: castu [mailto:castu at jfkadatc.net]
Sent: Friday, August 03, 2001 7:52 PM
To: dshield at dshield.org
Subject: Re: [Dshield] win32 exploit?


I was hit by a ton of these one day from some
@home idiots. The box was patched, they still kept
it up. Funny, my cmd.exe on that machine has been
renamed to something else a LONG time ago.

My poor IIS logs are going to need their own drive
the way they are filling up tonight. :P

Say..in IIS4...is there a way to block a complete
IP range? I'd like to block Tiawan, those are the
sources of most of tonight's hits.


> Looks like someone is trying to execute cmd.exe
> to do god knows what.  Is
> this a Windows 2000 server that has had that
> vulnerability patched already?
> It looks like they're trying to exploit it
> unsuccessfully.

_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www1.dshield.org/mailman/listinfo/dshield
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.dshield.org/pipermail/list/attachments/20010806/a75c2756/attachment.htm


More information about the list mailing list