Hi to all, I received the follow


angktwap

Technical User
Apr 21, 2002
154
SG
Hi to all,

I received the following message from an unknown address... does it mean that someone is trying to hack my sys??

Local4.Notice 10.10.1.1
Jan 08 2003 21:31:34: %PIX-5-304001: 202.101.231.199 Accessed URL X.X.X.X:/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir

 
This looks vaguely familiar. I suspect someone is trying to exploit vulnerabilities on an IIS server.

Assuming it is a Windows web-server, I would recommend you go to the server in question, do a windowsupdate and download all the security patches you can. Also have a thorough look at the server and see if there's anything suspicious.

-gbiello
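The URL in the poster's syslog line is a Unicode directory-traversal probe against IIS: the byte pair %c1%1c was mis-decoded by old IIS versions as a backslash (and %c0%af as a forward slash), so ".." followed by that byte pair escapes /scripts/ and reaches cmd.exe. Below is an added example, not from the thread or from Cisco, that reads PIX-5-304001 "Accessed URL" messages from a syslog file, reproduces that lenient decoding, and flags traversal or command-interpreter requests so such probes can be counted per source address. The sample log text is constructed for the example; the first line mirrors the poster's message with the target address left anonymised as in the post.

```python
import re
from urllib.parse import unquote

# Constructed sample of PIX syslog output (assumption: one message per line,
# as a syslog daemon would write it). Only the first line comes from the thread.
SAMPLE_LOG = """\
Jan 08 2003 21:31:34: %PIX-5-304001: 202.101.231.199 Accessed URL X.X.X.X:/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
Jan 08 2003 21:31:40: %PIX-5-304001: 202.101.231.199 Accessed URL X.X.X.X:/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
Jan 08 2003 21:32:01: %PIX-5-304001: 192.0.2.10 Accessed URL X.X.X.X:/index.html
Jan 08 2003 21:32:05: %PIX-5-304001: 192.0.2.11 Accessed URL X.X.X.X:/images/logo.gif
"""

# Message 304001: "<source> Accessed URL <destination>:<url>"
URL_MSG = re.compile(r"%PIX-\d-304001: (\S+) Accessed URL (\S+?):(\S+)")

# Two-byte sequences with a 0xC0/0xC1 lead byte are never valid UTF-8
# (they are "overlong" encodings); the old IIS decoder accepted them anyway.
OVERLONG = re.compile(r"%c[01]%([0-9a-f]{2})", re.IGNORECASE)


def lenient_decode(path):
    """Decode a URL path the way the vulnerable IIS decoder did.

    Overlong two-byte sequences are folded to the character their low bits
    spell out: %c0%af -> '/', %c1%1c -> '\\'. Ordinary %XX escapes are then
    decoded normally.
    """
    def fold(m):
        lead = int(m.group(0)[1:3], 16)   # e.g. 0xC1
        trail = int(m.group(1), 16)       # e.g. 0x1C
        return chr(((lead & 0x1F) << 6) | (trail & 0x3F))
    return unquote(OVERLONG.sub(fold, path))


def is_traversal(decoded_path):
    """True if any path segment is '..' once backslashes count as separators."""
    segments = decoded_path.replace("\\", "/").split("/")
    return any(seg == ".." for seg in segments)


def scan_pix_log(text):
    """Return (source_ip, raw_url, reasons) for each suspicious 304001 message."""
    hits = []
    for line in text.splitlines():
        m = URL_MSG.search(line)
        if not m:
            continue
        src, _dst, path = m.groups()
        decoded = lenient_decode(path)
        reasons = []
        if is_traversal(decoded):
            reasons.append("directory traversal")
        if "cmd.exe" in decoded.lower():
            reasons.append("command interpreter requested")
        if reasons:
            hits.append((src, path, reasons))
    return hits


def count_by_source(hits):
    """Tally suspicious requests per source address for a quick triage view."""
    counts = {}
    for src, _path, _reasons in hits:
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_pix_log(SAMPLE_LOG)
    for src, path, reasons in found:
        print(f"{src}  {path}  <- {', '.join(reasons)}")
    print(count_by_source(found))
```

Run against a real syslog file by replacing SAMPLE_LOG with the file contents; both probe variants are reported and the two benign page fetches are not. Because the decode is done before matching, a signature on the literal string "cmd.exe" or "../" alone would miss the %c1%1c form, which is why the check works on the decoded path.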
 
Yep, that is definitely someone trying to hack into the system. On the PIX you should be able to set up the IDS system and drop/reset those connections. It also depends on the version of OS that is running on the PIX.
 
How to set up to drop the connections?
 
Depending on the version of OS you have. I am running 6.22 and I can set it up using the IP AUDIT command. It is pretty cool, some of the information that you can get by setting it up and using a syslog server.
 
Hi.

As far as I know, the pix built in IDS does not detect HTTP attacks such as the above one.

But it can still be a good idea to enable it:

ip audit name attack1 attack action alarm drop reset
ip audit name info1 info action alarm
ip audit interface outside info1
ip audit interface outside attack1

Bye
Yizhar Hurwitz
 
The PIX does detect those types of IDS attacks. I just recently started playing around with my PIX at home and enabling the IDS auditing, and it does show me the information. Now it isn't quite as extensive as ISS would be, but for something low end just to get familiar with it works out pretty good.
 