Re: IIS Log exactly 65.536 bytes ???

From: Mike Coppins (mike@legolas.com)
Date: 11/27/02

    Date: Wed, 27 Nov 2002 01:06:34 +0000
    To: focus-ms@securityfocus.com
    From: Mike Coppins <mike@legolas.com>

    To throw in a quick tidbit of information, when IIS starts a new logfile,
    the size is 64KB, even though the rest of the file is 'empty'. The reason
    for this is performance. The filesystem doesn't keep getting requests to
    increase the size of the file every time an HTTP request occurs, and the
    log file doesn't get half as fragmented as it might.

    The freezing situation you describe when viewing logfiles over TS is
    obviously bad, but as to what the cause is I can't say.

    As for new file creation/modify times being the same frequently, it depends
    on how busy the website in question is. The file modify date of the file
    changes when the first hit of the next day occurs. IIS cuts the slack from
    the old log file and starts a new one. Personally I'm finding it odd that
    your 'not suspicious' logfiles are created at exactly 1am and your
    'suspicious' files have different timestamps :)

    On a website I run (legolas.com), which doesn't get much traffic but
    enough to keep the weblogs ticking over, the modify dates are anything
    from 00:00 to 00:49, and the creation date of the previous logfile. The
    last entry of the previous logfile is anything up to 23:59.

    I'd advise some general checking for a potential compromise on your machine
    (the sort of checking that should be done on a regular, but not
    particularly often, basis). Things like checking AT job listings, key
    binary comparisons, user listings, netstat output checks, etc.

    Could some of this behaviour be the result of using URLscan? I don't know,
    never used it, as it seems like one of those 'closing the door after the
    horse has bolted' security safeguards :)

    -- 
    Mike Coppins
    mike@legolas.com
    http://www.legolas.com/
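The 64KB preallocation described in the post means a freshly rotated IIS log is mostly NUL bytes on disk, so file size alone says little about what was actually logged. The script below is an added example (not from the poster or from Microsoft) that splits a log's real content from its NUL padding and reads the time of the last complete W3C entry, which is the kind of check you would run when deciding whether an exactly-65536-byte file is ordinary rotation or worth a closer look. The sample log, the field layout and the `ex*.log` naming are constructed assumptions.

```python
"""Separate real IIS log content from the 64KB NUL preallocation."""
from pathlib import Path

PREALLOC_SIZE = 64 * 1024  # size IIS grows the log by, per the post


def analyze_iis_log(data: bytes) -> dict:
    """Return size, bytes actually written, NUL padding, whether the file
    looks like a preallocated chunk, and the time of the last W3C entry."""
    used = data.rstrip(b"\x00")          # real content ends at the last non-NUL
    padding = len(data) - len(used)
    last_time = None
    for line in reversed(used.splitlines()):
        line = line.strip()
        if not line or line.startswith(b"#"):   # skip blanks and W3C directives
            continue
        # W3C extended lines are space separated; time is the HH:MM:SS field
        times = [f for f in line.split() if len(f) == 8 and f.count(b":") == 2]
        if times:
            last_time = times[0].decode("ascii", "replace")
        break                                   # only the last real entry matters
    return {
        "size": len(data),
        "used_bytes": len(used),
        "nul_padding": padding,
        "preallocated_chunk": len(data) % PREALLOC_SIZE == 0 and padding > 0,
        "last_entry_time": last_time,
    }


def analyze_log_dir(directory: str) -> list:
    """Run analyze_iis_log over every ex*.log file (assumed IIS naming)."""
    results = []
    for path in sorted(Path(directory).glob("ex*.log")):
        report = analyze_iis_log(path.read_bytes())
        report["file"] = path.name
        results.append(report)
    return results


# Constructed sample: two W3C entries, then NUL fill up to exactly 64KB,
# which is what a just-rotated IIS log looks like on disk.
SAMPLE_LOG = (
    b"#Software: Microsoft Internet Information Services 5.0\r\n"
    b"#Fields: date time c-ip cs-method cs-uri-stem sc-status\r\n"
    b"2002-11-26 23:58:12 10.0.0.5 GET /index.htm 200\r\n"
    b"2002-11-26 23:59:41 10.0.0.5 GET /images/logo.gif 304\r\n"
)
SAMPLE_LOG += b"\x00" * (PREALLOC_SIZE - len(SAMPLE_LOG))

if __name__ == "__main__":
    print(analyze_iis_log(SAMPLE_LOG))
```

A file that is 65536 bytes with a last entry near 23:59 is consistent with the normal rotation the post describes; one with no padding, or with entries that stop well before midnight on a busy site, is the case to examine alongside the AT job, binary and netstat checks mentioned above.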