Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

IIS6 Request filtering and Banning

Posted on 2004-10-02
4
Medium Priority
?
1,460 Views
Last Modified: 2008-02-01
Does anyone know of a way to check the incoming requests, check for a certain file, and if said file is requested, ban the IP of the requster?

I get code-red and nimda propogation attemps constantly, and I realize some of em are probably hackers, with IP spoofers, but I don't really care. I believe a majority of them are due to web servers elsewhere trying to compromise my webserver.

/scripts/..%5c../winnt/system32/cmd.exe
/d/winnt/system32/cmd.exe
/c/winnt/system32/cmd.exe
/scripts/..Áœ../winnt/system32/cmd.exe
/scripts/..À¯../winnt/system32/cmd.exe
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
/scripts/root.exe
/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
/scripts/winnt/system32/cmd.exe
/scripts/..%2f../winnt/system32/cmd.exe
/MSADC/root.exe

They're all listed as 404s, but I wanna keep them from even trying to access them. I don't know if IIS can do it, or I'd need some secondary program.. But the ideal solution would be something like this...


xxx.xxx.xxx.xxx tries to access /scripts/winnt/system32/cmd.exe
xxx.xxx.xxx.xxx gets added to a banlist

xxx.xxx.xxx.xxx tries to view the website
the IP is checked against a list
the IP is found in the list
/banned.html is the only thing that will be shown to the client


Anyone know of a way to do that?
0
Comment
Question by:LordSkitch
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 15

Expert Comment

by:Timbo87
ID: 12209336
BlockNimda.vbs does what you want. When it is run, it scans your server logs for any Nimda attempts and adds them to the banned IP list in IIS Manager, so when they visit they get 403 Forbidden errors on all pages. I've been using it since June and it's been working well. I created a scheduled task to run it everyday.

http://www.microsoft.com/technet/community/scriptcenter/logs/logparser/scripts/logpar04.mspx

As the site says, make sure you install the Log Parser first.
http://www.microsoft.com/downloads/details.aspx?familyid=8cde4028-e247-45be-bab9-ac851fc166a4&displaylang=en
0
 
LVL 1

Author Comment

by:LordSkitch
ID: 12209865
I must be an idiot or something, how the crap do you use all this?
0
 
LVL 15

Accepted Solution

by:
Timbo87 earned 1600 total points
ID: 12212885
1. Download and install Log Parser
http://www.microsoft.com/downloads/details.aspx?familyid=8cde4028-e247-45be-bab9-ac851fc166a4&displaylang=en

2. Open up Notepad, copy and paste this script in and save it as BlockNimda.vbs (make sure you save it as All Files so it doesn't append a .txt extension to it).

' SCRIPT STARTS HERE -------------------------------------------------------------------------

' This script parses the W3C log files for the default web site, finds the ip addresses
'  of all the clients sending NIMDA requests and adds these ip addresses to the list
'  of denied IP addresses for the web site.

DIM nSiteID     : nSiteID = 1

DIM IPs         : IPs = ARRAY(0)

DIM objLogQuery : SET objLogQuery = WScript.CreateObject("MSUtil.LogQuery")

DIM recordSet

DIM SelectStr


 
' Get the distinct IP addresses sending NIMDA requests and store them in an array

SelectStr = "SELECT DISTINCT c-ip FROM <" & nSiteID & "> WHERE "

SelectStr = SelectStr & "cs-uri-stem LIKE '%cmd.exe%' OR cs-uri-stem LIKE '%root.exe%'"

SET recordSet=objLogQuery.Execute(SelectStr)

DO WHILE NOT recordset.atEnd

      IF recordSet.GetRecord().isNull(0) = FALSE THEN

            REDIM PRESERVE IPs(UBOUND(IPs)+1)

            IPs(UBOUND(IPs)-1) = recordSet.GetRecord().getValue(0)

      END IF

      recordset.MoveNext

LOOP

recordSet.close




IF UBOUND(IPs) > 0 THEN

      'WScript.Echo("Blocking the following IP addresses:")

      FOR t=0 TO UBOUND(IPs)-1

            'WScript.Echo "IP: " & IPs(t)

      NEXT


      'Get the already blocked IP addresses

      DIM BlockedIPs : BlockedIPs = GetBlockedIPs

 

      'Block the non-blocked IP addresses

      FOR t=0 TO UBOUND(IPs)-1

        IF IsIn(IPs(t), BlockedIPs) = FALSE THEN

            REDIM PRESERVE BlockedIPs(UBOUND(BlockedIPs)+1)

            BlockedIPs(UBOUND(BlockedIPs))=IPs(t) & ", 255.255.255.255"
         
        END IF

      NEXT

      IF UBOUND(BlockedIPs) > 0 THEN

          BlockIPs(BlockedIPs)

      END IF

ELSE

      'WScript.Echo("No IP addresses to block")

END IF

WScript.Quit

 

' This function returns an array of all the IP addresses currently denied

FUNCTION GetBlockedIPs()

      DIM rootObj : SET rootObj = GetObject("IIS://localhost/W3SVC/" & nSiteID & "/Root")

      DIM ipSecObj : SET ipSecObj = rootObj.IPSecurity

      GetBlockedIPs = ipSecObj.IPDeny

END FUNCTION

 

' This function adds each IP address in the argument array to the list of IP addresses to deny access from

FUNCTION BlockIPs(IPAddresses)

      DIM rootObj : SET rootObj =  GetObject("IIS://localhost/W3SVC/1/Root")

      DIM ipSecObj : SET ipSecObj = rootObj.IPSecurity

      ipSecObj.GrantByDefault = TRUE

      ipSecObj.IPDeny = IPAddresses

      rootObj.IPSecurity = ipSecObj

      rootObj.SetInfo

END FUNCTION

 


' This function returns TRUE if the specified element is in the specified array

FUNCTION IsIn(element, arrayObj)

      if UBOUND(arrayObj) = -1 THEN

            IsIn = FALSE

      END IF

      FOR i=0 TO UBOUND(arrayObj)

            DIM IPs

            IPs = Split(arrayObj(i),",")

            IF IPs(0)=element THEN

                  IsIn = TRUE

                  EXIT FUNCTION

            END IF

      NEXT

      IsIn = FALSE

END FUNCTION

' SCRIPT ENDS HERE -------------------------------------------------------------------------

3. Double-click BlockNimda.vbs
0
 
LVL 1

Author Comment

by:LordSkitch
ID: 12213340
Man.. I must be a moron... I guess while trying to re-format the code to compile correctly, I deleted or added something where it shouldn't have been because I kept getting SQL errors..

I'll give you some extra points for dumbing it down for me lol
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Today I came across an interesting issue that had me pulling my hair out.  I was troubleshooting a new internal web site which uses integrated security instead of anonymous.  When browsing the site from my laptop, I was able to access it with no iss…
Preparing an email is something we should all take special care with – especially when the email is for somebody you may not know very well. The pressures of everyday working life stacked with a hectic office environment can make this a real challen…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
Have you created a query with information for a calendar? ... and then, abra-cadabra, the calendar is done?! I am going to show you how to make that happen. Visualize your data!  ... really see it To use the code to create a calendar from a q…

704 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question