
List:       intrusions
Subject:    RE: Interesting Web Attack -  error not logged by IIS5
From:       "Portnoy, Gary" <gportnoy () belenosinc ! com>
Date:       2002-06-04 13:29:25

Robert, 

I believe you are correct, and I know I've encountered this behavior before:
HTTP requests resulting in a 400 Bad Request error code are not logged by IIS.
I knew that about IIS4, and I guess you just confirmed it about IIS5.

I remember a while back when the Sadmind worm used to attempt an IIS defacement,
it would first try to "GET x" from the HTTP servers to grab header info.
Apache would log it, IIS would not. Same thing.

If you find a way to log it, let me know.

-Gary-

-----Original Message-----
From: Robert Wagner [mailto:rwagner@eruces.com]
Sent: Monday, June 03, 2002 4:54 PM
To: Intrusions @ Incidents (E-mail)
Subject: RE: Interesting Web Attack - error not logged by IIS5


I telneted into a couple of IIS 5.0 servers and entered control-E and
control-A followed by a couple of carriage returns.  I received a message:
----------------------------------
HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
Date: Mon, 03 Jun 2002 20:32:58 GMT
Content-Type: text/html
Content-Length: 87

<html><head><title>Error</title></head><body>The parameter is incorrect.
</body>
</html>

Connection to host lost.
----------------------------------

While this message doesn't worry me, the fact that the server didn't log it
does.  I cannot find any log of my connection on the server.  Logging is
enabled everywhere.

Am I missing something in the config?  Any ideas?

-----Original Message-----
From: Robert Wagner [mailto:rwagner@eruces.com]
Sent: Monday, June 03, 2002 12:04 PM
To: Intrusions @ Incidents (E-mail)
Subject: Interesting Web Attack


I have seen "invalidfilename.cgi" listed on Google a lot, but cannot find
what system is vulnerable.  Any ideas?
 - Interesting 501 errors.  What are they going after?

217.81.238.59 - - [01/Jun/2002:22:52:02 -0500] "GET / HTTP/1.0" 200 15 "-" "-"
217.81.238.59 - - [01/Jun/2002:22:52:33 -0500] "^E^A" 501 - "-" "-"
217.81.238.59 - - [01/Jun/2002:22:53:04 -0500] "^E^A^B" 501 - "-" "-"
217.81.238.59 - - [01/Jun/2002:22:53:35 -0500] "^A" 501 - "-" "-"
217.81.238.59 - - [01/Jun/2002:22:54:06 -0500] "^Z" 501 - "-" "-"
217.81.238.59 - - [01/Jun/2002:22:54:08 -0500] "HEAD / HTTP/1.0" 200 0 "-" "-"
217.81.238.59 - - [01/Jun/2002:22:54:09 -0500] "OPTIONS / HTTP/1.0" 200 - "-" "-"
217.81.238.59 - - [01/Jun/2002:22:54:10 -0500] "GET /invalidfilename.htm HTTP/1.0" 404 290 "-" "-"
217.81.238.59 - - [01/Jun/2002:22:54:12 -0500] "GET /invalidfilename.cgi HTTP/1.0" 404 290 "-" "-"
217.81.238.59 - - [01/Jun/2002:22:54:12 -0500] "GET /../invalidfilename.htm HTTP/1.0" 400 355 "-" "-"
217.81.238.59 - - [01/Jun/2002:22:54:13 -0500] "GET /invalidfilename.htm HTTP/1.0" 404 290 "-" "-"
217.81.238.59 - - [01/Jun/2002:22:54:14 -0500] "GET /invalidfilename.cgi HTTP/1.0" 404 290 "-" "-"
217.81.238.59 - - [01/Jun/2002:22:54:16 -0500] "GET /../invalidfilename.htm HTTP/1.0" 400 355 "-" "-"
217.81.238.59 - - [01/Jun/2002:22:54:17 -0500] "GET /cgi-bin/ HTTP/1.0" 403 283 "-" "-"
217.81.238.59 - - [01/Jun/2002:22:54:18 -0500] "GET /iisadmpwd/ HTTP/1.0" 404 281 "-" "-"
217.81.238.59 - - [01/Jun/2002:22:54:19 -0500] "GET /iisadmpwd/ HTTP/1.0" 404 281 "-" "-"
217.81.238.59 - - [01/Jun/2002:22:54:20 -0500] "GET /_vti_bin/ HTTP/1.0" 404 280 "-" "-"
217.81.238.59 - - [01/Jun/2002:22:54:21 -0500] "GET /_vti_bin/ HTTP/1.0" 404 280 "-" "-"
217.81.238.59 - - [01/Jun/2002:22:54:22 -0500] "GET /msadc/ HTTP/1.0" 404 277 "-" "-"
217.81.238.59 - - [01/Jun/2002:22:54:23 -0500] "GET /msadc/ HTTP/1.0" 404 277 "-" "-"
217.81.238.59 - - [01/Jun/2002:22:54:24 -0500] "GET /scripts/ HTTP/1.0" 404 279 "-" "-"
217.81.238.59 - - [01/Jun/2002:22:54:25 -0500] "GET /scripts/ HTTP/1.0" 404 279 "-" "-"
