
3005 event logs

thomas.green
Level 1

Our 3005 Concentrator is working well but I am getting various errors in the event logs that I am unclear on. They are informational but I would like to understand what they mean. The messages are the following:

11350 06/27/2002 23:00:49.460 SEV=4 HTTP/50 RPT=2105 195.65.247.70

HTTP 404 Not Found (/scripts/..%5c%5c../winnt/system32/cmd.exe)

11351 06/27/2002 23:00:49.460 SEV=3 HTTP/10 RPT=2507 195.65.247.70

HTTP 401 Unauthorized: Authorization Not Present

11352 06/28/2002 06:31:11.610 SEV=4 HTTP/50 RPT=2106 12.246.119.46

HTTP 404 Not Found (/scripts/root.exe)

11353 06/28/2002 06:31:11.610 SEV=3 HTTP/10 RPT=2508 12.246.119.46

HTTP 401 Unauthorized: Authorization Not Present

11354 06/28/2002 06:31:11.610 SEV=4 HTTP/13 RPT=2043 12.246.119.46

HTTP 400 Bad Request: Form Error

11355 06/28/2002 06:31:11.820 SEV=4 HTTP/50 RPT=2107 12.246.119.46

HTTP 404 Not Found (/MSADC/root.exe)

11356 06/28/2002 06:31:11.820 SEV=3 HTTP/10 RPT=2509 12.246.119.46

HTTP 401 Unauthorized: Authorization Not Present

11357 06/28/2002 06:31:11.820 SEV=4 HTTP/13 RPT=2044 12.246.119.46

HTTP 400 Bad Request: Form Error

11358 06/28/2002 06:31:12.040 SEV=4 HTTP/50 RPT=2108 12.246.119.46

HTTP 404 Not Found (/c/winnt/system32/cmd.exe)

11359 06/28/2002 06:31:12.040 SEV=3 HTTP/10 RPT=2510 12.246.119.46

HTTP 401 Unauthorized: Authorization Not Present

11360 06/28/2002 06:31:12.040 SEV=4 HTTP/13 RPT=2045 12.246.119.46

HTTP 400 Bad Request: Form Error

11361 06/28/2002 06:31:12.230 SEV=4 HTTP/50 RPT=2109 12.246.119.46

HTTP 404 Not Found (/d/winnt/system32/cmd.exe)

11362 06/28/2002 06:31:12.230 SEV=3 HTTP/10 RPT=2511 12.246.119.46

HTTP 401 Unauthorized: Authorization Not Present

11363 06/28/2002 06:31:12.230 SEV=4 HTTP/13 RPT=2046 12.246.119.46

HTTP 400 Bad Request: Form Error

11364 06/28/2002 06:31:12.410 SEV=4 HTTP/50 RPT=2110 12.246.119.46

HTTP 404 Not Found (/scripts/..%5c../winnt/system32/cmd.exe)

11365 06/28/2002 06:31:12.410 SEV=3 HTTP/10 RPT=2512 12.246.119.46

HTTP 401 Unauthorized: Authorization Not Present

11366 06/28/2002 06:31:12.410 SEV=4 HTTP/13 RPT=2047 12.246.119.46

HTTP 400 Bad Request: Form Error

11367 06/28/2002 06:31:12.600 SEV=4 HTTP/50 RPT=2111 12.246.119.46

HTTP 404 Not Found (/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe)

11368 06/28/2002 06:31:12.600 SEV=3 HTTP/10 RPT=2513 12.246.119.46

HTTP 401 Unauthorized: Authorization Not Present

Thanks

6 Replies

paqiu
Level 1

I believe you are using HTTP as the administrator protocol to manage the VPN 3005 concentrator.

So the VPN 3005 concentrator will always be listening on TCP port 80 (HTTP) for all the packets; this is the reason why you see many HTTP "not found, Authorized" errors there.

If you want to reduce all these messages, please configure the VPN 3005 to use HTTPS and disable HTTP as the management protocol.

It will resolve your issues there.

Thanks, I will do so.

cjacinto
Cisco Employee

Looks like a host infected with Nimda is sending these requests to the VPN3000. If the requests are coming from the inside, do a scan of your hosts with a virus scanner; if they are coming from the outside, then go through:

http://www.cisco.com/warp/public/63/nimda.shtml

and you will find ways to protect your network from it.
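To make the diagnosis above repeatable, here is an added triage script (not from this thread or from Cisco) that parses the VPN 3000 event-log layout shown in the question, pairs each header line with its message line, and counts per source IP the HTTP/50 "404 Not Found" events whose requested path looks like a Nimda/Code Red style probe (cmd.exe, root.exe, encoded "..\" traversal). The sample input is a few of the lines quoted in the question; the field names and the probe-path pattern are my own assumptions, not a Cisco specification.

```python
import re
from collections import Counter

# Header layout as it appears in the post (assumed, not a documented spec):
# <seq> <date> <time> SEV=<n> <CLASS>/<id> RPT=<n> <src-ip>
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>[\d:.]+)\s+"
    r"SEV=(?P<sev>\d+)\s+(?P<cls>[A-Z]+)/(?P<evid>\d+)\s+RPT=\d+\s+(?P<src>[\d.]+)$"
)
# The requested path is shown in parentheses on 404 message lines.
PATH_RE = re.compile(r"\((?P<path>[^)]*)\)")
# Paths characteristic of the worm probes quoted in the question (heuristic).
WORM_PATH_RE = re.compile(r"(cmd\.exe|root\.exe|%5c|\.\./)", re.IGNORECASE)

# Sample input: lines copied from the question above.
SAMPLE = """
11350 06/27/2002 23:00:49.460 SEV=4 HTTP/50 RPT=2105 195.65.247.70
HTTP 404 Not Found (/scripts/..%5c%5c../winnt/system32/cmd.exe)
11351 06/27/2002 23:00:49.460 SEV=3 HTTP/10 RPT=2507 195.65.247.70
HTTP 401 Unauthorized: Authorization Not Present
11352 06/28/2002 06:31:11.610 SEV=4 HTTP/50 RPT=2106 12.246.119.46
HTTP 404 Not Found (/scripts/root.exe)
11353 06/28/2002 06:31:11.610 SEV=3 HTTP/10 RPT=2508 12.246.119.46
HTTP 401 Unauthorized: Authorization Not Present
11354 06/28/2002 06:31:11.610 SEV=4 HTTP/13 RPT=2043 12.246.119.46
HTTP 400 Bad Request: Form Error
11355 06/28/2002 06:31:11.820 SEV=4 HTTP/50 RPT=2107 12.246.119.46
HTTP 404 Not Found (/MSADC/root.exe)
"""

def parse_events(text):
    """Pair each header line with the message line that follows it."""
    events, header = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:                      # start of a new record
            header = m.groupdict()
            continue
        if header is not None:     # message line belonging to the last header
            pm = PATH_RE.search(line)
            events.append(dict(header, msg=line, path=pm.group("path") if pm else None))
            header = None
    return events

def worm_probe_sources(events):
    """Count HTTP/50 (404) events with a worm-like path, keyed by source IP."""
    hits = Counter()
    for ev in events:
        if ev["cls"] == "HTTP" and ev["evid"] == "50" and ev["path"] \
                and WORM_PATH_RE.search(ev["path"]):
            hits[ev["src"]] += 1
    return hits

if __name__ == "__main__":
    for src, n in worm_probe_sources(parse_events(SAMPLE)).most_common():
        print(f"{src}: {n} worm-style probe(s)")
```

A source IP with many hits that sits inside your network is a host to scan for Nimda; an outside address is noise that disabling HTTP management, as suggested in the replies, removes from the log.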

Would there be any way to set up this protection from Nimda at the concentrator itself, or is the perimeter router the place to set up the protection? Thanks for your help.

The VPN 3000 will not be infected by Nimda because it is not itself a Web server.

But it will be affected if you are using HTTP as the management protocol.

Because the 3000 is listening on HTTP, a huge amount of HTTP packets will overload the 3000 CPU and make it hang or crash.

The simplest protection for the VPN 3000 is to disable HTTP and use HTTPS as the management protocol, as I said before.

This way, it does not matter whether it is "Code Red" or Nimda or anything else; it will have nothing to do with your VPN 3000.

Thanks, I disabled HTTP and the logs are much cleaner now.