Potential IIS vulnerability scan? (GET x)
compsci 05-11-2001, 12:05 AM Recently I've noticed a lot of failed requests in my apache logs from random IPs. The request looks like:
[error] [client xx.xxx.xx.x] Invalid URI in request GET x HTTP/1.0
These requests occur at the same time on all of my servers. Also, my firewall logs indicate attempts to connect to port 80 on some servers which have that port blocked.
Does anyone know if this is an indication of a particular scan? Perhaps for the latest IIS vulnerability? Has anyone else seen this activity recently, also?
compsci
cperciva 05-11-2001, 12:10 AM They're probably just performing a census. I.e., when a request fails they get sent some information back (the fact you're running IIS, for example). I've seen requests made to "/non_existant_file" by bots which were performing censuses.
It is possible that they would follow up with an attack if your IIS reported that it was vulnerable, but I really wouldn't bother responding to something as minor as this.
compsci 05-11-2001, 12:16 AM I'm not actually running IIS, so it really isn't an issue. I just find it odd that this started so recently. Do bots really make a habit of scanning blocks of IPs?
I just did a DNS lookup on a few of them (probably should've done that earlier). Several are from people on DSL lines.
So while it isn't really an issue for me, I still have to wonder what they're looking for.
compsci
cperciva 05-11-2001, 12:17 AM Well, it might well be an attacker... or more likely, a worm. In any case, I would just ignore it if I were you.
about2flip 11-04-2002, 04:21 PM Hi:
Does anyone know how to configure Tiny Firewall to allow my IIS web service to start. It can't start because the firewall is denying it Internet access. If I disable the firewall it starts fine.
Your help is greatly appreciated.
Thanks in advance
greatbeast 11-04-2002, 07:29 PM Do you have the IIS lockdown tool or urlscan installed ?
(They are both listed as "critical" updates for win2k)
about2flip 11-04-2002, 09:03 PM No. I don't. Where can I get these updates?
RackMy.com 11-04-2002, 09:31 PM Originally posted by greatbeast
Do you have the IIS lockdown tool or urlscan installed ?
You have to be running IIS for them to work (I think he is running Apache)
about2flip 11-04-2002, 09:46 PM No, I am running w2k advanced server. IIS won't start with tiny firewall on. If I disable the firewall it starts.
How do I set this up to work?
RackMy.com 11-04-2002, 10:34 PM Sorry, I was talking about compsci.
I would not recommend the use of Tiny with a web server. It's very complicated to set-up and takes a lot of fine tuning.
about2flip 11-04-2002, 10:47 PM I am only using it because I got hit with that new IIS worm yesterday. Tiny seems like the only thing as far as software firewalls that will keep the traffic I don't want coming in out.
Any other suggestions?
RackMy.com 11-04-2002, 11:03 PM Which worm are you talking about?
I would suggest URLScan from MS, it's a must have!
ServerCorps 11-05-2002, 01:00 AM Originally posted by RackMy.com
Which worm are you talking about?
I would suggest URLScan from MS, it's a must have!
I agree on the URLScan. IIS should not even be allowed on the net without it AND IISLockdown, plus HFNETCHK being run until it comes back clean.
Also, originally posted by compsci
Recently I've noticed a lot of failed requests in my apache logs from random IPs. The request looks like:
[error] [client xx.xxx.xx.x] Invalid URI in request GET x HTTP/1.0
Looks like BOT scans, and URLScan seems to block lots of those as well, because they sometimes request invalid file types. Some less than desirable bots are really IP Range Scanners, and not true spiders (which follow links).
about2flip 11-05-2002, 06:35 AM The worm was "lsass.exe". It is sort of like code-red, but worse. So you're saying I should not use Tiny Firewall, but Urlscan?
about2flip 11-05-2002, 08:07 AM Took your advice and installed IISlockdown with UrlScan 2.5. One question though. While at MS technet, I was following the install instructions and it told me to make some changes to the .ini file of urlscan.
[RequestLimits]
MaxAllowedContentLength=30,000,000
MaxUrl=16834
MaxQueryString=4096
Translate:
If:
Lock-Token:
Is this correct? The last 3 lines I got from the DenyHeaders section; it told me to add them.
Also can someone explain to me what the MaxAllowedContentLength is. 30,000,000 seems pretty high to me.
Thanks again for your help.
ServerCorps 11-05-2002, 12:47 PM If you won't be receiving file uploads larger than 30,000,000 bytes, then you could make this smaller. It's a new feature of URLSCAN 2.5, so anything is better than nothing, right? :D
about2flip 11-05-2002, 12:51 PM Where can I get a PDF or reading material on the lockdown tool and UrlScan? I've installed it on my server, and don't know what to do next about monitoring it, how to check logs, etc.
Do I just keep adding commands to the .ini file? Please help.
Thanks
ServerCorps 11-05-2002, 12:55 PM http://support.microsoft.com/default.aspx?scid=KB;EN-US;q307608&
MSDN online is your best source of info. There is also a free baseline security toolkit from Microsoft. http://www.iisfaq.com is the single most valuable resource for IIS on the net IMHO.
It condenses everything down for you and has all pertinent links to the MS documentation.
Nikko
about2flip 11-05-2002, 02:17 PM Does anyone know what the following means? I was running a test on my server using N-Stealth. According to the software this is the only issue I have on my server, after installing IIS Lockdown Tool, with UrlScan on my webserver.
Common Directory Checking Test. Tip from the SANS/FBI Top 20 - Configure your web server to use CGI alerting scripts for Error Responses. WebAdmins need to keep tabs on all of these security related issues with their web servers. To assist with this monitoring, the web server should be configured to use custom CGI error response pages for server response codes 401, 403, 413 and 500. The error pages are PERL CGI scripts that are initiated every time the server issues either of these response codes. These scripts accomplish many important tasks including issuing an html warning banner to the client and immediately sending an e-mail notification to the WebAdmin. The e-mail message automates the process of manually collecting security related session information from the web server access and error logs for the request.
ServerCorps 11-05-2002, 02:37 PM That seems a little overkill to me, as long as URLscan is running, and IISLockdown is installed, 401, 403, 413 and 500 errors are harmless. You'll get pounded with email for no reason. I take SANS/FBI recommendations with a grain of salt. You think you can manage an email account that gets a message from every website you host when these errors occur? I can't manage bounce backs as it is and I only run a few public sites right now.
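A middle ground between the SANS tip quoted above (an e-mail for every 401/403/413/500) and ignoring those codes, as an added example that is not part of the thread: summarise 401/403 responses per client from an Apache access log and raise one alert per client only when a threshold is crossed inside a time window, so repeated authentication failures still surface without the flood described in the reply. The log lines, IPs and paths are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache common/combined log format: ip ident user [ts] "request" status bytes ...
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_access(line):
    """Return (timestamp, client_ip, status) for one access-log line, else None."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), TS_FMT), m.group("ip"), int(m.group("status"))


def auth_failure_alerts(lines, statuses=(401, 403), threshold=5,
                        window=timedelta(minutes=10)):
    """Return {client_ip: peak_count} for clients that received at least
    `threshold` responses with a status in `statuses` within `window`.
    One entry per client, however many individual errors it caused."""
    failures = defaultdict(list)  # ip -> [timestamps of 401/403 responses]
    for line in lines:
        parsed = parse_access(line)
        if parsed and parsed[2] in statuses:
            failures[parsed[1]].append(parsed[0])
    alerts = {}
    for ip, times in failures.items():
        times.sort()
        for i, t0 in enumerate(times):  # sliding window starting at each failure
            n = sum(1 for t in times[i:] if t - t0 <= window)
            if n >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), n)
    return alerts


# Constructed sample: 10.0.0.7 fails Basic auth six times in one minute (and once
# more much later), 192.0.2.3 gets a single 403 and then a normal 200.
SAMPLE_LOG = [
    f'10.0.0.7 - - [05/Nov/2002:08:07:{s:02d} -0500] "GET /private/ HTTP/1.0" 401 401 "-" "curl/7.9"'
    for s in range(0, 60, 10)
] + [
    '192.0.2.3 - - [05/Nov/2002:08:08:05 -0500] "GET /admin/ HTTP/1.0" 403 290 "-" "Mozilla/4.0"',
    '192.0.2.3 - - [05/Nov/2002:08:08:09 -0500] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',
    '10.0.0.7 - - [05/Nov/2002:09:30:00 -0500] "GET /private/ HTTP/1.0" 401 401 "-" "curl/7.9"',
]

if __name__ == "__main__":
    print(auth_failure_alerts(SAMPLE_LOG))  # one alert for 10.0.0.7, none for 192.0.2.3
```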
bitserve 11-05-2002, 08:18 PM I usually don't reply to super old threads, but I have something to add to this old one. :)
When someone does a GET x, they are usually just interested in the headers sent by your server in response to an invalid URL. If a bot does this, it is usually used for determining what web server you are running, and not for any typical spidering.
I've used this method for determining the version of a web server quickly since I don't know when. Not sure where it started or where it's documented, but a lot of people do it.
telnet host 80
GET x HTTP/1.0
The reason you specify an invalid URL is because you don't want a real document to come back, otherwise the headers will scroll off your screen.
That tip from SANS/FBI does seem rather paranoid. I can see a webmaster doing this for their site, but doing it for a whole server? At the most, I would alert only on forbidden errors. This could help to prevent slow brute force attacks on HTTPD Basic and Digest Authentication protected resources.
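The "GET x" probe from compsci's first post and the fingerprinting explanation in bitserve's post above, turned into a detection, as an added example that is not part of the thread: it parses Apache 1.3-style error-log lines ("Invalid URI in request ...") from several servers and reports a source that hits more than one of them inside a short window, the "same time on all of my servers" pattern described in the first post. Server names and log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache 1.3 error log line: [timestamp] [error] [client <ip>] Invalid URI in request <request>
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9.]+)\] "
    r"Invalid URI in request (?P<req>.+)$"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"


def parse_probe(line):
    """Return (timestamp, client_ip, request) for an 'Invalid URI' line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), TS_FMT), m.group("ip"), m.group("req")


def find_sweeps(logs, window=timedelta(minutes=5), min_servers=2):
    """logs: {server_name: [error-log lines]}.
    Return {client_ip: sorted server names} for clients whose malformed requests
    reached at least `min_servers` different servers within `window`."""
    hits = defaultdict(list)  # ip -> [(timestamp, server)]
    for server, lines in logs.items():
        for line in lines:
            parsed = parse_probe(line)
            if parsed:
                hits[parsed[1]].append((parsed[0], server))
    sweeps = {}
    for ip, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # window anchored at each probe
            servers = {s for t, s in events[i:] if t - t0 <= window}
            if len(servers) >= min_servers:
                sweeps[ip] = sorted(servers)
                break
    return sweeps


# Constructed sample: 10.0.0.5 probes both servers three seconds apart;
# 192.0.2.9 sends a single malformed request to one server.
SAMPLE_LOGS = {
    "www1": [
        "[Fri May 11 00:05:12 2001] [error] [client 10.0.0.5] Invalid URI in request GET x HTTP/1.0",
        "[Fri May 11 00:07:40 2001] [error] [client 192.0.2.9] Invalid URI in request GET x HTTP/1.0",
        "[Fri May 11 00:08:01 2001] [notice] Apache/1.3.19 (Unix) configured -- resuming normal operations",
    ],
    "www2": [
        "[Fri May 11 00:05:15 2001] [error] [client 10.0.0.5] Invalid URI in request GET x HTTP/1.0",
    ],
}

if __name__ == "__main__":
    print(find_sweeps(SAMPLE_LOGS))  # only 10.0.0.5 is reported
```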
ServerCorps 11-05-2002, 08:48 PM Originally posted by bitserve
I usually don't reply to super old threads, but I have something to add to this old one. :)
Old but still relative... Security issues are a circular thread. They never end, but (most) always relative.