URL Scan

[paulwilson159]

Hello

We recently have started encountering a spammer who is exploiting PHP on our Plesk windows server.

Has anyone had a go with the URLscan addon that MS has provided?

We have managed to block a large number of the attacks using mod_security on Plesk Linux, but we are now looking for a Windows IIS equivilant....

 

[Skeeter]

Hello,
there`s a way to spot the spammer:

You should go to Plesk -> IIS Appliaction Pool and force all the domains to run in dedicated IIS pools.

After that you`ll just need o track a connection to the Mailserver with the netstat utility, get the PID of the php process and lookup the user in Task Manager who runs this process.

Each application pool will have a user with name IWAM_<domain-ftp-user-name>.

Though, I have no information on the URLscan extension.

 

[Webplus]

I'll try this ISAPI Filter this week:
http://www.aqtronix.com/?PageID=99

I have tested in a isolated server (lab enviroment), and loved the way it works.
I'll try on my real servers this week, and can post a review later.

If anyone test the filter too, please, post!

Thanks.