Re: IIS traffic

From: Avleen Vig (lists-bugtraq_at_silverwraith.com)
Date: 11/21/03

  • Next message: Ken Schaefer: "Re: IIS traffic"
    Date: Thu, 20 Nov 2003 21:26:13 -0800
    To: "Mason, Samuel" <smason@state.mt.us>
    
    

    On Wed, Nov 19, 2003 at 01:55:39PM -0700, Mason, Samuel wrote:
    >
    > While clearing out some information in our web filter I noticed some odd
    > traffic: internal web server addresses showing up under different dns names.
    > For instance in the Host Name field we see "sucks.freexxxxxvideo.com" and
    > yet the IP comes up in our address range. Opening the traffic I find a DSL
    > customer's IP from speakeasy.net. It looks like they are making what starts
    > out as a legitimate request from our IIS 5.0 webserver and then redirect to
    > whatever porn site they are after at the time.
    >
    > Looking at the IIS logs on the affected server I see nothing more than this
    > to give me a clue:
    >
    > 2003-11-05 12:44:26 66.93.24.88 - X.X.X.X 80 GET /Default.asp - 200
    > sucks.freexxxxxvideo.com Mozilla/4.0 -

    The second URL is the Referrer. Looks like that website probably has a
    link to your website, and this user clicked on it.
    The Referrer is used to track which places people came from when they
    got to your site, usually by clicking a link on the previous site. I
    don't think it comes up if you just type a new URL in.
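
Added example, not part of the original message or thread: in an IIS W3C extended log the `#Fields:` directive at the top of the file names every column, so it settles whether a logged host name is `cs-host` (the request's Host header) or `cs(Referer)`. The field selection, the second log entry and the name `www.example.org` are assumptions made for illustration.

```python
# Added example. FIELDS is an assumed selection; the thread never shows the
# server's real "#Fields:" header. The second entry is constructed.
FIELDS = ("#Fields: date time c-ip cs-username s-ip s-port cs-method "
          "cs-uri-stem cs-uri-query sc-status cs-host cs(User-Agent) cs(Referer)")
SAMPLE = [
    "#Software: Microsoft Internet Information Services 5.0",
    FIELDS,
    # Entry quoted in the thread, re-joined onto one line.
    "2003-11-05 12:44:26 66.93.24.88 - X.X.X.X 80 GET /Default.asp - 200 "
    "sucks.freexxxxxvideo.com Mozilla/4.0 -",
    # Constructed entry: own host name requested, external page as referrer.
    "2003-11-05 12:45:02 192.0.2.10 - X.X.X.X 80 GET /Default.asp - 200 "
    "www.example.org Mozilla/4.0 http://links.example.net/page.html",
]

def parse_w3c(lines):
    """Yield one dict per entry, keyed by the names in the latest #Fields line."""
    fields = None
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#"):
            values = line.split(" ")  # IIS writes embedded spaces as '+'
            if fields is None or len(values) != len(fields):
                raise ValueError("entry does not match #Fields: %r" % line)
            yield dict(zip(fields, values))

def where_is(entry, needle):
    """Return the names of the fields whose value contains needle."""
    return [name for name, value in entry.items() if needle in value]

def foreign_host_entries(entries, own_names):
    """Entries whose Host header (cs-host) is not one of the site's names."""
    own = {n.lower() for n in own_names}
    return [e for e in entries
            if e.get("cs-host", "-") != "-"
            and e["cs-host"].lower().split(":")[0] not in own]

if __name__ == "__main__":
    entries = list(parse_w3c(SAMPLE))
    for e in entries:
        print(e["c-ip"], "host:", e["cs-host"], "referer:", e["cs(Referer)"])
    for e in foreign_host_entries(entries, ["www.example.org"]):
        print("unexpected Host header:", e["cs-host"], "from", e["c-ip"])
```

With a different field selection on the real server the columns shift, so the check should always be run against the log file's own `#Fields:` line.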
