IIS traffic
From: Mason, Samuel (smason_at_state.mt.us)
Date: 11/19/03
- Previous message: Floyd Russell: "RE: Hiding MS SQL databases in Enterprise Manager"
- Next in thread: Avleen Vig: "Re: IIS traffic"
- Reply: Avleen Vig: "Re: IIS traffic"
- Reply: Ken Schaefer: "Re: IIS traffic"
- Maybe reply: Åke: "Re: IIS traffic"
- Maybe reply: Mason, Samuel: "RE: IIS traffic"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: focus-ms@securityfocus.com Date: Wed, 19 Nov 2003 13:55:39 -0700
While clearing out some information in our web filter I noticed some odd
traffic: internal web server addresses showing up under different dns names.
For instance in the Host Name field we see "sucks.freexxxxxvideo.com" and
yet the IP comes up in our address range. Opening the traffic I find a DSL
customer's IP from speakeasy.net. It looks like they are making what starts
out as a legitimate request from our IIS 5.0 webserver and then redirect to
whatever porn site they are after at the time.
Looking at the IIS logs on the affected server I see nothing more than this
to give me a clue:
2003-11-05 12:44:26 66.93.24.88 - X.X.X.X 80 GET /Default.asp - 200
sucks.freexxxxxvideo.com Mozilla/4.0 -
Is this a common occurrence with IIS? How do we stop this from happening?
Thanks for any help.
Samuel Mason
Information Technology Security Office
State of Montana
---------------------------------------------------------------------------
---------------------------------------------------------------------------
- Previous message: Floyd Russell: "RE: Hiding MS SQL databases in Enterprise Manager"
- Next in thread: Avleen Vig: "Re: IIS traffic"
- Reply: Avleen Vig: "Re: IIS traffic"
- Reply: Ken Schaefer: "Re: IIS traffic"
- Maybe reply: Åke: "Re: IIS traffic"
- Maybe reply: Mason, Samuel: "RE: IIS traffic"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
