RE: IIS traffic
From: Mason, Samuel (smason_at_state.mt.us)
Date: 11/21/03
- Previous message: Åke: "Re: IIS traffic"
- Maybe in reply to: Mason, Samuel: "IIS traffic"
- Next in thread: Ken Schaefer: "Re: IIS traffic"
- Reply: Ken Schaefer: "Re: IIS traffic"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: 'Maxime Ducharme' <maxime@pandore-design.com>
Date: Fri, 21 Nov 2003 09:44:15 -0700
For the information of people more IIS inclined than I, I was told that the
field corresponds to "cs-uri-stem".
I also removed the original server details because I got slammed by about a
dozen spam filters for inappropriate content.
Maxime,
I may not be explaining the situation fully. I don't think these are cases
of referring because of the evidence outside the IIS logs. This originally
came to my attention from our web filtering software. And I doubt highly
that Japanese porn sites have links to the State of Montana's websites
because, well, the clientele is just not the same... :)
These web site addresses are, in my filtering software, tied to IP addresses
of our IIS servers and yet they have porn site names like we saw below. In
addition the requesting machine is also outside our network. To add to it
they somehow tie from legitimate URLs to these porn sites.
For instance, say we have a website that is
www.state.mt.us/coolmontanastuff.htm . In my filtering software I see the
following (I'll use real examples that are not likely to be filtered):
SITES
Host Name              IP Address                            Date        Hits
www.hotrodbikes.com    *State of MT IIS server IP address*   11/6/2003   3
Obviously we are not hosting hotrodbikes.com (or even less likely some of
the other content I've seen requested).
When I open the activity up I see the following information related to this
particular site:
User Name      Workstation IP   Activity
66.93.24.88    66.93.24.88      /coolmontanastuff.htm
Obviously the above URL is fictitious but that is what I see: it is redirecting
traffic to this "hotrodbike.com" website but the original request seems to
point to not just our IP addresses but even to legitimate websites on our
IIS servers.
The IIS log I provided in my message was an example of what I see on the
affected machines, verifying that IP address was hitting the server to
include the site they were going to.
I'm not an IIS expert and if all I were relying on were IIS logs I would not
have been likely to become suspicious but with the web filtering information
on top, it starts looking *highly* suspicious.
The only possible reason I can see for them doing this is anonymity. Make
"www.hotrodbikes.com", or wherever, think the traffic is coming from our
servers and not the DSL customer that is actually doing it.
Hope that may be a more detailed explanation and I apologize for not giving
that IIS log field info before, I was unaware of its importance.
-----Original Message-----
From: Maxime Ducharme [mailto:maxime@pandore-design.com]
Sent: Friday, November 21, 2003 8:41 AM
To: Mason, Samuel
Subject: Re: IIS traffic
Hi Sam,
the field containing the porn site is the "Referer" in HTTP
communications. This is not a redirection.
It means the person was on this site BEFORE getting on yours,
so this usually means either :
- there is a link from that site to your site
- the person was on that site before typing your site in the browser
(depends on the browser)
I'd take a look at that site to see if any link is pointing to your site.
It is a common occurrence with IIS to log referers.
Hope this helps
Ciao
---------------------------------------------------------------
Maxime Ducharme
Administrateur reseau, Programmeur
Pandore-Design [http://www.pandore-design.com]
----- Original Message -----
From: "Mason, Samuel" <smason@state.mt.us>
To: <focus-ms@securityfocus.com>
Sent: Wednesday, November 19, 2003 3:55 PM
Subject: IIS traffic
>
> While clearing out some information in our web filter I noticed some odd
> traffic: internal web server addresses showing up under different DNS names.
> For instance in the Host Name field we see "" and
> yet the IP comes up in our address range. Opening the traffic I find a DSL
> customer's IP from speakeasy.net. It looks like they are making what starts
> out as a legitimate request from our IIS 5.0 webserver and then redirect to
> whatever porn site they are after at the time.
>
> Looking at the IIS logs on the affected server I see nothing more than this
> to give me a clue:
>
> 2003-11-05 12:44:26 66.93.24.88 - X.X.X.X 80 GET /Default.asp - 200
>
>
> Is this a common occurrence with IIS? How do we stop this from happening?
>
> Thanks for any help.
>
> Samuel Mason
> Information Technology Security Office
> State of Montana
>
>
> ---------------------------------------------------------------------------
> ---------------------------------------------------------------------------
>
>
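The thread turns on the difference between a Referer header the client sends and a redirect the server issues: a GET answered with status 200 whose cs(Referer) names an outside site is just the browser reporting where the user came from, while a real server-side redirect shows up as a 3xx status in the same log. The following script is an added example, not code from anyone in this thread; it parses IIS W3C extended log lines using the #Fields directive, groups requests by external Referer host, and counts 3xx responses separately. The log lines are constructed, LOCAL_HOSTS is an assumed list of hostnames the server legitimately serves, and 192.0.2.10 stands in for the X.X.X.X server address in the original post. It assumes the server has been configured to log the cs(Referer) field, which the log line quoted in the thread did not include.

```python
"""Summarise IIS W3C extended log lines by Referer host.

Added example, not from the thread. Assumes the log carries a '#Fields:'
directive (as IIS writes in W3C extended format) and that cs(Referer) is
among the logged fields. The sample log below is constructed.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log. 192.0.2.10 (documentation range) replaces the
# X.X.X.X server address from the original post; 198.51.100.7 is another
# constructed client. IIS replaces spaces inside values with '+', so
# splitting on whitespace is safe.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-11-05 12:44:26
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(Referer)
2003-11-05 12:44:26 66.93.24.88 - 192.0.2.10 80 GET /Default.asp - 200 http://www.hotrodbikes.com/links.htm
2003-11-05 12:44:31 66.93.24.88 - 192.0.2.10 80 GET /coolmontanastuff.htm - 200 http://www.hotrodbikes.com/links.htm
2003-11-05 12:45:02 198.51.100.7 - 192.0.2.10 80 GET /coolmontanastuff.htm - 200 http://www.state.mt.us/Default.asp
2003-11-05 12:45:40 198.51.100.7 - 192.0.2.10 80 GET /index.htm - 200 -
2003-11-05 12:46:13 66.93.24.88 - 192.0.2.10 80 GET /old.asp - 302 -
"""

# Assumption: hostnames this server serves itself; a Referer from one of
# these is an internal link, not an outside site.
LOCAL_HOSTS = {"www.state.mt.us"}


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in #Fields."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):          # other directives: Software, Version, Date
            continue
        if fields is None:
            raise ValueError("request line appears before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        yield dict(zip(fields, values))


def referer_host(entry):
    """Host part of cs(Referer), or None when IIS logged '-' (no header sent)."""
    ref = entry.get("cs(Referer)", "-")
    if ref == "-":
        return None
    return urlsplit(ref).hostname


def summarise(text, local_hosts=LOCAL_HOSTS):
    """Group requests by external Referer host and count server-issued redirects.

    A 3xx status is what a real redirect from this server looks like; a 200
    with an outside Referer only records where the browser said it came from.
    """
    by_ref = defaultdict(lambda: {"hits": 0, "clients": set(), "uris": set()})
    redirects = 0
    for e in parse_w3c(text):
        if 300 <= int(e["sc-status"]) < 400:
            redirects += 1
        host = referer_host(e)
        if host is None or host in local_hosts:
            continue                       # no Referer, or a link from our own pages
        rec = by_ref[host]
        rec["hits"] += 1
        rec["clients"].add(e["c-ip"])
        rec["uris"].add(e["cs-uri-stem"])
    return {"external_referers": dict(by_ref), "server_redirects": redirects}


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    for host, rec in sorted(report["external_referers"].items()):
        print(f"{host}: {rec['hits']} hits from {sorted(rec['clients'])} "
              f"for {sorted(rec['uris'])}")
    print("server-issued redirects (3xx):", report["server_redirects"])
```

Run against a real log, the per-host summary reproduces what the web filter displayed (outside site name, internal server, local URI) and shows it is built from the Referer field; the separate 3xx count is the figure to watch if you want to know whether the server itself ever sent those clients anywhere else.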