IIS Server - IP Blocked List


Author IP Blocked List
Whispering Leaf

2005-06-28, 5:54 pm

All of a sudden on several of our web servers, the IP block list is being
populated with values of frequent visitors. For instance, our customer
service web site blocked all of our CS reps, so no one could get in.

Has anyone heard of IIS 5.0 automatically blocking certain IPs?

We are stumped, unless it's a prank or trojan of some sort.

Thanks!
Sparky Polastri

2005-06-28, 5:54 pm


"Whispering Leaf" <WhisperingLeaf@discussions.microsoft.com> wrote in
message news:6BD0FACC-6673-42ED-92D8-2965A323502F@microsoft.com...
> All of a sudden on several of our web servers, the IP block list is being
> populated with values of frequent visitors. For instance, our customer
> service web site blocked all of our CS reps, so no one could get in.
>
> Has anyone heard of IIS 5.0 automatically blocking certain IPs?
>
> We are stumped, unless it's a prank or trojan of some sort.
>
> Thanks!


Definitely not normal behavior.

Look for 3rd party tools or a rogue admin. Never heard of a worm doing
that... but it's possible.


Kristofer Gafvert [MVP]

2005-06-28, 5:54 pm

I don't even think there is any code in IIS (excluding the administration
interface) that could actually do this.

So it sounds like someone has had access to either the administration
interface, or has been able to write custom code to do this. It could also
have been done by a custom-written ISAPI filter (for example something
that is reading requests checking for "hackers", and for some reason your
CS reps have been identified as "hackers" and been blocked access).

I don't think it is a trojan or virus. I can however not exclude that it
could be a hacking attempt, although it sounds strange that they would do
such a thing as blocking some IPs (if they can do that, they probably can do
much more).

First thing I would do is check any third-party application that could be
doing this.

--
Regards,
Kristofer Gafvert (IIS MVP)
www.gafvert.info - My Articles and help
www.ilopia.com


Whispering Leaf wrote:

> All of a sudden on several of our web servers, the IP block list is being
> populated with values of frequent visitors. For instance, our customer
> service web site blocked all of our CS reps, so no one could get in.
>
> Has anyone heard of IIS 5.0 automatically blocking certain IPs?
>
> We are stumped, unless it's a prank or trojan of some sort.
>
> Thanks!
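
An added example, not part of the original thread: a read-only VBScript audit that follows the advice above by listing, for every web site, the IP restriction entries and the registered ISAPI filters through the IIS ADSI provider. It assumes it is run locally on the server under an administrator account; the file name audit-iis.vbs is hypothetical.

```vbscript
' Added audit example (not from the thread). Read-only: it changes nothing.
' Run on the IIS server:  cscript //nologo audit-iis.vbs   (hypothetical name)
Option Explicit
Dim svc, site

Set svc = GetObject("IIS://localhost/W3SVC")
ShowFilters "global", svc.ADsPath & "/Filters"
For Each site In svc
    If site.Class = "IIsWebServer" Then
        WScript.Echo vbCrLf & "Site " & site.Name & " (" & site.ServerComment & ")"
        ShowRestrictions site.ADsPath
        ShowRestrictions site.ADsPath & "/Root"
        ShowFilters "site", site.ADsPath & "/Filters"
    End If
Next

' Print the IP restriction settings stored at one metabase node.
Sub ShowRestrictions(path)
    Dim node, sec, list, entry
    On Error Resume Next
    Set node = GetObject(path)
    If Err.Number <> 0 Then Exit Sub          ' node does not exist
    Set sec = node.IPSecurity
    If Err.Number <> 0 Then Exit Sub          ' no IPSecurity at this node
    On Error GoTo 0
    WScript.Echo "  " & path & "  GrantByDefault=" & sec.GrantByDefault
    list = sec.IPDeny                         ' entries look like "address, mask"
    If IsArray(list) Then
        For Each entry In list
            WScript.Echo "    deny  " & entry
        Next
    End If
End Sub

' Print the ISAPI filters registered at one level and the DLL each one loads.
Sub ShowFilters(scope, path)
    Dim filters, f
    On Error Resume Next
    Set filters = GetObject(path)
    If Err.Number <> 0 Then Exit Sub          ' no Filters node at this level
    On Error GoTo 0
    WScript.Echo "  " & scope & " filter load order: " & filters.FilterLoadOrder
    For Each f In filters
        WScript.Echo "    " & f.Name & " -> " & f.FilterPath
    Next
End Sub
```

Saving the output on each affected server and comparing it between runs shows when deny entries appear and whether an unexpected filter DLL is loaded.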

Whispering Leaf

2005-06-28, 5:54 pm

Thanks guys ... this one is bizarre indeed.

I have heard of the MOM 2005 agent doing this which we do use, but I do not
see how.

Hmmm ....

"Kristofer Gafvert [MVP]" wrote:

> I don't even think there is any code in IIS (excluding the administration
> interface) that could actually do this.
>
> So it sounds like someone has had access to either the administration
> interface, or has been able to write custom code to do this. It could also
> have been done by a custom-written ISAPI filter (for example something
> that is reading requests checking for "hackers", and for some reason your
> CS reps have been identified as "hackers" and been blocked access).
>
> I don't think it is a trojan or virus. I can however not exclude that it
> could be a hacking attempt, although it sounds strange that they would do
> such a thing as blocking some IPs (if they can do that, they probably can do
> much more).
>
> First thing I would do is check any third-party application that could be
> doing this.
>
> --
> Regards,
> Kristofer Gafvert (IIS MVP)
> www.gafvert.info - My Articles and help
> www.ilopia.com
>
>
> Whispering Leaf wrote:
>
>
