Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



WebApp Sec: Re: Problems with IIS

Re: Problems with IIS

From: Roshen Chandran <roshen.chandran_at_paladion.net>
Date: Wed, 14 Jul 2004 11:50:27 -0700

Marcelo, this is interesting... please help us understand your problem
better.

1. Are your logs showing the same 30 IPs hitting your site each second?
Or is the total number of IPs much higher?

2. Are different pages being requested? Or is it the same page being
hit again and again?

3. Are any of the pages that require login being accessed by the
attacker/bot/suspect, according to your access logs?

4. Are you seeing any outgoing connections from the web server?

Thanks!
-Roshen.

Roshen Chandran
Paladion Networks
http://www.paladion.net

-------We are recruiting. Please visit http://www.paladion.net/careers
for more details. -------

Marcelo Lećo Caffaro wrote:

>Hi, i'm a security analyst of a big website, this website work with average
>1000 access simultaneous, and my problem is:
>
>My server is a IIS5.0 running in Microsoft Windows 2000 Advanced Server....,
>with 2gb of ram
>
>The website work add new curriculum vitae (totally free), search for new
>jobs oportunities, free, or
>it the user pay the month plan, the user can see total description of job
>oportunities. (name of employer, address, etc).
>
>The more recent job oportunities are send to vip user .....
>
>
>I see in the last 2 days anormally of number visits of site, after check the
>log i see one dificult method of attack, this attack working
>with simultaneous connections, if i check the website database, can i see 30
>or 50 querys to website database (ms-sql) , but in log in one second i have
>more than
>30 ips, the log not contain know attack string, unicode, or another iis bug,
>the log have the url only....
>
>My dll host stay with 950 mb and i have dllhost error, after reboot, in one
>or 2 seconds after network restart, the process cpu is 100%, i think this
>attack is about many
>bot making numerous querys in database to decrease the web performance....
>
>My question is, how the best way to stop this type of attack?, if a make one
>session with IP, cookies and reverse dns can i stop this?
>
>Anyone can help-me?
>
>
>
>
>
>
>
Received on Jul 15 2004

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]