
Thread: 1 kiddiot down - several hundred thousand to go!

  1. #21
    excellent post, ntsa!

  2. #22
    Senior Member
    Join Date
    Apr 2002
    Posts
    324
    Originally posted here by Sh4d0wX
    Oh yeah, I forgot to ask... how do you view those types of log files on WinXP and Win98 systems?
    -Sh4d0wX
    In XP (IIS6) it should be similar to IIS5. Try this:
    1...Open the MMC and select the site you wish to log.
    2...Right click | properties
    3...In the 'web site' tab click enable logging
    4...Select where you want to log to (ODBC database or textfile)
    5...Set the ODBC properties (if necessary) by clicking the properties option
    6...Click Ok | ok

    Under Win98 peer (or should that read poor) web server I have no idea - but I can't see that it would be all that different - look for logfile settings in the properties of the site with whatever web admin tool ships with Win98.
    "I may not agree with what you say, but I will defend to the death your right to say it."
    Sir Winston Churchill.

  3. #23
    Member
    Join Date
    Aug 2001
    Posts
    42

    ISPs actually regulating

    Phorax,

    Of all the ISPs that I regularly send examples and IPs to, the German ISPs tend to actually do something.
    e.g:
    - English Version -
    Dear Sir or Madam

    We received and analysed your e-mail.
    The causer is a customer of T-Online.
    Therefore we sent your complaint to

    T-Online International AG
    mailto:abuse@t-online.de
    Tel.: 06151/680-0
    abuse-Team

    Kind regards
    Deutsche Telekom AG
    security team Ulm


    I have almost given up sending abuse emails to S.E. Asian ISPs. Although actually ringing up an Internet cafe in India and telling them to get their user offline did the trick once. Expensive, but very satisfying
    Who Cares Wins

  4. #24
    Although from my experience, trying to do that to a university student (in a lab per se)... is a waste of time. A lot of times students do the administration. I know when I'm doing it... I'm more concerned about the girl in the skirt than what some kid is trying to do. You'll have plenty more success with ISPs, I'm sure


    ---Aku. Soku. Zan.

  5. #25
    I don't know, we take security pretty seriously on this campus. We require each student to log in, and if we were to get such a complaint, we would know exactly who did it and where we can find them. Lab assistants have no power; all they have to do is make sure students log out and occasionally reboot the computers. We also record all activity in the labs so that if someone were to forget to log out and another were to use that computer, we can find out. Well, that and it keeps kids from opening computers and taking the RAM home with them.
    The more I deal with people, the more I LOVE my computer.

  6. #26
    Senior Member
    Join Date
    Sep 2001
    Posts
    150
    /scripts/..%5c../winnt/system32/cmd.exe 164 549892
    /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/c ... 44 0
    /scripts/..Á../winnt/system32/cmd.exe 42 140826
    /scripts/winnt/system32/cmd.exe 42 140826
    /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/c ... 41 137473
    /scripts/..%2f../winnt/system32/cmd.exe 41 137473
    /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../ ... 41 137473
    /scripts/winnt/system32/cmd.exe 42 140826
    /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/c ... 41 137473
    /scripts/..%2f../winnt/system32/cmd.exe 41 137473
    /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../ ... 41 137473
    /msadc/..%5c../..%5c../..%5c../winnt/system32/cmd. ... 8 26824
    /Rpc/..%5c..%5c..%5cwinnt/system32/cmd.exe 8 26824
    /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe 8 26824
    /msadc/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 8 26900
    /MSADC/..%5c..%5c..%5c..%5cwinnt/system32/cmd.exe 6 20118
    /scripts/..%5c%5c../winnt/system32/cmd.exe 4 13412
    /adsamples/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/sys ... 4 13450
    /samples/..%5c..%5c..%5c..%5c..%5c..%5cwinnt/syste ... 4 13450
    /scripts/..%2f..%2f..%2f..%2fwinnt/system32/cmd.ex ... 4 13450
    /iisadmpwd/..%2f..%2f..%2f..%2f..%2f..%2fwinnt/sys ... 4 13450
    /scripts/..Á..Á..Á..Áwinnt/system32/cmd.exe 4 13450
    /images/..%5c..%5cwinnt/system32/cmd.exe 3 10059



    That's only the number of hits that came up more than once. I have probably 2 or 3 hundred other URLs like it. BTW: the first number after the URL is the # of hits, the 2nd number is the number of bytes sent.

    What a waste of space.

    If only I had the time to send out 600 emails to ISP admins.

  7. #27
    Senior Member
    Join Date
    Sep 2001
    Posts
    150
    As a simple follow-up, I noticed the following entry. Unfortunately these are my webstats as provided by my ISP, so I don't know who did what, but I did find this stat relating to above posts about xxx.de ISPs.

    80.132.120.101 - p50847865.dip.t-dialin.net 307 915369

    Somebody had a nifty little tool that tried every possible little attack to try to get my cmd.exe
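
With raw server logs instead of ISP-provided web stats, the probe URLs listed in post #26 can be matched and grouped by client IP. The following is an added example, not part of the original posts; the log lines are constructed (documentation IP ranges) and the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in IIS W3C extended log format (documentation IP ranges).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2002-05-01 10:00:01 192.0.2.10 GET /scripts/..%5c../winnt/system32/cmd.exe 404
2002-05-01 10:00:02 192.0.2.10 GET /scripts/..%255c../winnt/system32/cmd.exe 404
2002-05-01 10:00:03 192.0.2.10 GET /msadc/..%5c..%5c..%5cwinnt/system32/cmd.exe 404
2002-05-01 10:00:04 198.51.100.7 GET /scripts/..%2f../winnt/system32/cmd.exe 404
2002-05-01 10:00:05 198.51.100.7 GET /index.html 200
2002-05-01 10:00:06 203.0.113.5 GET /docs/cmd.exe-faq.html 200
"""

def is_cmd_probe(uri_stem):
    """True if the decoded path ends in cmd.exe and got there by traversal
    or by naming /winnt/system32/ directly."""
    path = uri_stem
    for _ in range(3):  # peel nested encodings: %255c -> %5c -> backslash
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Treat backslashes as separators and collapse doubled slashes.
    path = re.sub(r"/+", "/", path.replace("\\", "/").lower())
    if not path.endswith("/cmd.exe"):
        return False
    return "../" in path or "/winnt/system32/" in path

def probes_by_client(log_text):
    """Count cmd.exe probe requests per client IP, using the #Fields header."""
    fields, hits = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if is_cmd_probe(row.get("cs-uri-stem", "")):
            hits[row.get("c-ip", "?")] += 1
    return hits

def repeat_offenders(log_text, threshold=2):
    """Client IPs with at least `threshold` probe requests, busiest first."""
    return [ip for ip, n in probes_by_client(log_text).most_common() if n >= threshold]

if __name__ == "__main__":
    for ip, n in probes_by_client(SAMPLE_LOG).most_common():
        print(f"{ip}\t{n} probe requests")
```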

  8. #28
    Junior Member
    Join Date
    Aug 2001
    Posts
    17
    Sorry, haven't been on for a while...
    Just to get this clear:
    The Deutsche Telekom AG provides our telephone lines, and T-Online, which by the way is a Telekom subsidiary, provides the internet connection and services itself.

    Now that you mailed to the Telekom AG, E-1, they just forward it to the T-Online abuse centre, who then won't do anything (did you receive an answer?!).

    "security team Ulm" sounds gooood, but does not do anything...

  9. #29
    Member
    Join Date
    Aug 2001
    Posts
    42
    Phorax,

    True, I haven't heard from them.

    I haven't seen any IPs from that block attacking me either.
    Who Cares Wins

  10. #30
    Junior Member
    Join Date
    Aug 2001
    Posts
    17
    That's pretty good--
    What sys are you using?
    Do you have any active firewall in which you could disable a block of IPs or so? Comes in handy to just block the whole t-dialin block, or like I do it: dynamically put the IPs from where scans/attacks originate in the hosts.deny file... you can't do better, no more attacks from that IP forever
