3005 event logs


Our 3005 Concentrator is working well but I am getting various errors in the event logs that I am unclear on. They are informational but I would like to understand what they mean. The messages are the following:


11350 06/27/2002 23:00:49.460 SEV=4 HTTP/50 RPT=2105 195.65.247.70

HTTP 404 Not Found (/scripts/..%5c%5c../winnt/system32/cmd.exe)


11351 06/27/2002 23:00:49.460 SEV=3 HTTP/10 RPT=2507 195.65.247.70

HTTP 401 Unauthorized: Authorization Not Present


11352 06/28/2002 06:31:11.610 SEV=4 HTTP/50 RPT=2106 12.246.119.46

HTTP 404 Not Found (/scripts/root.exe)


11353 06/28/2002 06:31:11.610 SEV=3 HTTP/10 RPT=2508 12.246.119.46

HTTP 401 Unauthorized: Authorization Not Present


11354 06/28/2002 06:31:11.610 SEV=4 HTTP/13 RPT=2043 12.246.119.46

HTTP 400 Bad Request: Form Error


11355 06/28/2002 06:31:11.820 SEV=4 HTTP/50 RPT=2107 12.246.119.46

HTTP 404 Not Found (/MSADC/root.exe)


11356 06/28/2002 06:31:11.820 SEV=3 HTTP/10 RPT=2509 12.246.119.46

HTTP 401 Unauthorized: Authorization Not Present


11357 06/28/2002 06:31:11.820 SEV=4 HTTP/13 RPT=2044 12.246.119.46

HTTP 400 Bad Request: Form Error


11358 06/28/2002 06:31:12.040 SEV=4 HTTP/50 RPT=2108 12.246.119.46

HTTP 404 Not Found (/c/winnt/system32/cmd.exe)


11359 06/28/2002 06:31:12.040 SEV=3 HTTP/10 RPT=2510 12.246.119.46

HTTP 401 Unauthorized: Authorization Not Present


11360 06/28/2002 06:31:12.040 SEV=4 HTTP/13 RPT=2045 12.246.119.46

HTTP 400 Bad Request: Form Error


11361 06/28/2002 06:31:12.230 SEV=4 HTTP/50 RPT=2109 12.246.119.46

HTTP 404 Not Found (/d/winnt/system32/cmd.exe)


11362 06/28/2002 06:31:12.230 SEV=3 HTTP/10 RPT=2511 12.246.119.46

HTTP 401 Unauthorized: Authorization Not Present


11363 06/28/2002 06:31:12.230 SEV=4 HTTP/13 RPT=2046 12.246.119.46

HTTP 400 Bad Request: Form Error


11364 06/28/2002 06:31:12.410 SEV=4 HTTP/50 RPT=2110 12.246.119.46

HTTP 404 Not Found (/scripts/..%5c../winnt/system32/cmd.exe)


11365 06/28/2002 06:31:12.410 SEV=3 HTTP/10 RPT=2512 12.246.119.46

HTTP 401 Unauthorized: Authorization Not Present


11366 06/28/2002 06:31:12.410 SEV=4 HTTP/13 RPT=2047 12.246.119.46

HTTP 400 Bad Request: Form Error


11367 06/28/2002 06:31:12.600 SEV=4 HTTP/50 RPT=2111 12.246.119.46

HTTP 404 Not Found (/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe)


11368 06/28/2002 06:31:12.600 SEV=3 HTTP/10 RPT=2513 12.246.119.46

HTTP 401 Unauthorized: Authorization Not Present


Thanks


paqiu Fri, 06/28/2002 - 17:57

I believe you are using HTTP as the administrator protocol to manage the VPN 3005 concentrator.


So the VPN 3005 concentrator will always be listening on TCP port 80 (HTTP) for all the packets; this is the reason why you see many HTTP "not found, Authorized" errors there.


If you want to reduce all these messages, please configure the VPN 3005 to use HTTPS and disable HTTP as the management protocol.


It will resolve your issues there.





cjacinto Sat, 06/29/2002 - 18:57
User Badges: Cisco Employee

Looks like a host affected with Nimda is sending these requests to the VPN3000. If the requests are coming from the inside, do a scan of your hosts with a virus scanner; if they are coming from the outside, then go through:

http://www.cisco.com/warp/public/63/nimda.shtml

and you will find ways to protect your net from it.
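
One way to triage a log like the one in the question, as an added example (not code from the thread or from Cisco): it pairs each event header with its message line, decodes the requested path, and groups by source address the 404s that use directory traversal or ask for cmd.exe or root.exe. The field layout is inferred from the lines quoted in the question; `PROBE_TARGETS` and the 192.0.2.10 event are assumptions constructed for the sample.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Header layout as in the question: seq date time SEV=n class/num RPT=n source-IP
HEADER = re.compile(r"^(?P<seq>\d+) \S+ \S+ SEV=\d+ (?P<event>\S+) RPT=\d+ (?P<src>[\d.]+)$")
NOT_FOUND = re.compile(r"^HTTP 404 Not Found \((?P<path>.*)\)$")
PROBE_TARGETS = {"cmd.exe", "root.exe"}  # names seen in the question's log (assumed set)

def normalize(path):
    """Percent-decode until stable, then treat backslashes as path separators."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path.replace("\\", "/").lower()

def classify(path):
    """Return the reasons a requested path looks like an automated probe."""
    parts = [p for p in normalize(path).split("/") if p]
    reasons = {"traversal"} if ".." in parts else set()
    if parts and parts[-1] in PROBE_TARGETS:
        reasons.add("target:" + parts[-1])
    return reasons

def probes_by_source(log_text):
    """Map source IP -> [(seq, raw path, reasons)] for flagged HTTP/50 events."""
    hits, header = defaultdict(list), None
    for line in filter(None, map(str.strip, log_text.splitlines())):  # skips blank lines
        if (m := HEADER.match(line)):
            header = m
            continue
        found = NOT_FOUND.match(line)
        if found and header and header["event"] == "HTTP/50":
            if (reasons := classify(found["path"])):
                hits[header["src"]].append((int(header["seq"]), found["path"], reasons))
        header = None  # a message line closes the current event
    return dict(hits)

# Constructed sample: three events copied from the question plus one made-up benign 404.
SAMPLE = """11350 06/27/2002 23:00:49.460 SEV=4 HTTP/50 RPT=2105 195.65.247.70
HTTP 404 Not Found (/scripts/..%5c%5c../winnt/system32/cmd.exe)
11351 06/27/2002 23:00:49.460 SEV=3 HTTP/10 RPT=2507 195.65.247.70
HTTP 401 Unauthorized: Authorization Not Present
11367 06/28/2002 06:31:12.600 SEV=4 HTTP/50 RPT=2111 12.246.119.46
HTTP 404 Not Found (/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe)
90001 06/28/2002 07:00:00.000 SEV=4 HTTP/50 RPT=1 192.0.2.10
HTTP 404 Not Found (/favicon.ico)"""

for src, events in probes_by_source(SAMPLE).items():
    print(src, len(events), sorted(set().union(*(r for _, _, r in events))))
```

Sources that appear in the result with many flagged events are the hosts to scan if they are internal, or to filter upstream if they are external.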

paqiu Mon, 07/01/2002 - 15:09

The VPN 3000 will not be infected by Nimda because it is not itself a Web server.

But it will be affected if you are using HTTP as the management protocol.

Because the 3000 is listening on HTTP, a huge amount of HTTP packets will overload the 3000 CPU and make it hang or crash.


The simplest protection for the VPN 3000 is to disable HTTP and use HTTPS as the management protocol, as I said before.


This way, it does not matter: "red code" or Nimda or anything else will have nothing to do with your VPN 3000.




