Re: IIS traffic

From: Ken Schaefer (ken_at_adOpenStatic.com)
Date: 11/25/03

    To: <focus-ms@securityfocus.com>
    Date: Tue, 25 Nov 2003 12:43:02 +1100

    ----- Original Message -----
    From: "Mason, Samuel" <smason@state.mt.us>
    Sent: Saturday, November 22, 2003 3:44 AM
    Subject: RE: IIS traffic

    : For the information of people more IIS inclined than I, I was told that
    : the field corresponds to "cs-uri-stem".

    I don't think that it is cs-uri-stem.

    That is the name of the page being requested, and it looks like it's already
    in the logfile (the bit that says "/default.asp").

    I'm not sure what version of IIS you are using, however, this is a list of
    properties that can be logged using IIS 5 (when using w3 Extended logging).
    Note the order they are in (this is the order that they will be logged in
    your logfiles):

    Client IP Address (c-ip)
    User Name (cs-username)
    Service Name (s-sitename)
    Server Name (s-computername)
    Server IP Address (s-ip)
    Server Port (s-port)
    HTTP Method (cs-method)
    URI Stem (cs-uri-stem)
    URI Query (cs-uri-query)
    Protocol Status (sc-status)
    Win32 Status (sc-win32-status)
    Bytes Sent (sc-bytes)
    Bytes-Received (cs-bytes)
    Time Taken (time-taken)
    Protocol Version (cs-version)
    Host (cs-host)
    User Agent (cs(user-agent))
    Cookie (cs(cookie))
    Referer (cs(referer))

    Now let's have another look at your logfile entry. The (?) indicate a guess
    as to what you're logging.

    2003-11-05 <- Date
    12:44:26 <- Time
    66.93.24.88 <- c-ip (client's IP address)
    -
    X.X.X.X <- s-ip (your IP address)
    80 <- s-port (your server's port)
    GET <- cs-method (HTTP method)
    /Default.asp <- cs-uri-stem (page requested)
    - <- cs-uri-query (??) (no querystring)
    200 <- sc-status (server HTTP status)
    su_ks.fr___video.com <- *your problem field here*
    Mozilla/4.0 <- cs(user-agent)
    - <- cs(referer)

    So, whatever that field is, it's one of the fields between Protocol Status
    (200 OK), and User Agent cs(user-agent). The only field I can see is
    possibly cs-host (so the client has their DNS setup to point that DNS name
    to your IP address). However your webserver would only answer this request
    *if* your website is configured to listen on that IP address without the
    requirement of a corresponding host-header.

    Alternatively, the user may have done something nice to their user-agent
    string and prepended the website name (though I don't think that's as
    likely; to verify you'd need to examine the logfile to see what characters
    are between the website name and Mozilla).

    HTH

    Cheers
    Ken

    ----- Original Message -----
    From: "Mason, Samuel" <smason@state.mt.us>
    To: "'Maxime Ducharme'" <maxime@pandore-design.com>
    Cc: <focus-ms@securityfocus.com>
    Sent: Saturday, November 22, 2003 3:44 AM
    Subject: RE: IIS traffic

    : For the information of people more IIS inclined than I, I was told that
    : the field corresponds to "cs-uri-stem".
    :
    : I also removed the original server details because I got slammed by about
    : a dozen spam filters for inappropriate content.
    :
    : Maxime,
    :
    : I may not be explaining the situation fully. I don't think these are cases
    : of referring because of the evidence outside the IIS logs. This originally
    : came to my attention from our web filtering software. And I doubt highly
    : that Japanese porn sites have links to the State of Montana's websites
    : because, well, the clientele is just not the same... :)
    :
    : These web site addresses are, in my filtering software, tied to IP
    : addresses of our IIS servers and yet they have porn site names like we saw
    : below. In addition the requesting machine is also outside our network. To
    : add to it they somehow tie from legitimate URLs to these porn sites.
    :
    : For instance, say we have a website that is
    : www.state.mt.us/coolmontanastuff.htm . In my filtering software I see the
    : following (I'll use real examples that are not likely to be filtered):
    :
    : SITES
    : Host Name            IP Address                           Date       Hits
    : www.hotrodbikes.com  *State of MT IIS server IP address*  11/6/2003  3
    :
    : Obviously we are not hosting hotrodbikes.com (or even less likely some of
    : the other content I've seen requested).
    :
    : When I open the activity up I see the following information related to
    : this particular site:
    :
    : User Name Workstation IP Activity
    : 66.93.24.88 66.93.24.88
    : /coolmontanastuff.htm
    :
    : Obviously the above URL is fictitious but that is what I see, it
    : redirecting traffic to this "hotrodbike.com" website but the original
    : request seems to point to not just our IP addresses but even to legitimate
    : websites on our IIS servers.
    :
    : The IIS log I provided in my message was an example of what I see on the
    : affected machines, verifying that IP address was hitting the server to
    : include the site they were going to.
    :
    : I'm not an IIS expert and if all I were relying on were IIS logs I would
    : not have been likely to become suspicious but with the web filtering
    : information on top, it starts looking *highly* suspicious.
    :
    : The only possible reason I can see for them doing this is anonymity. Make
    : "www.hotrodbikes.com", or wherever, think the traffic is coming from our
    : servers and not the DSL customer that is actually doing it.
    :
    : Hope that may be a more detailed explanation and I apologise for not
    : giving that IIS log field info before, I was unaware of its importance.
    :

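    The column-counting Ken does by hand above becomes a lookup when the log
    still carries its W3C header: IIS writes a "#Fields:" directive at the top
    of each log file naming every enabled column in order, so the mystery
    column is simply the name at that position. The script below is an added
    example (my code, not Ken's or the poster's): it parses IIS W3C Extended
    entries by their #Fields directive and then flags entries whose cs-host is
    not a name the server is meant to answer for, which is Ken's first
    hypothesis (a client pointing DNS or a hosts file at your IP, and a site
    binding that accepts any host header). The log lines, the RFC 5737
    addresses and the www.example.gov name are constructed for the example;
    the two foreign site names are the ones quoted in the thread.

```python
"""Map IIS W3C Extended log columns by the #Fields directive and flag
requests whose Host header is not a name this server should serve.

Added example. The log text below is constructed for illustration
(RFC 5737 addresses, fictitious www.example.gov); it is not the poster's log.
"""
from __future__ import annotations

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-11-05 12:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs-host cs(User-Agent) cs(Referer)
2003-11-05 12:44:26 203.0.113.5 - 192.0.2.10 80 GET /Default.asp - 200 su_ks.fr___video.com Mozilla/4.0 -
2003-11-05 12:44:30 198.51.100.7 - 192.0.2.10 80 GET /Default.asp - 200 www.example.gov Mozilla/4.0 -
2003-11-05 12:45:01 203.0.113.5 - 192.0.2.10 80 GET /coolmontanastuff.htm - 200 www.hotrodbikes.com:80 Mozilla/4.0 -
2003-11-05 12:45:09 198.51.100.7 - 192.0.2.10 80 GET /index.htm - 304 WWW.EXAMPLE.GOV Mozilla/4.0+(compatible;+MSIE+6.0) -
"""


def parse_w3c(text: str) -> list[dict[str, str]]:
    """Return one dict per entry, keyed by the names in the #Fields line.

    Column order is whatever the most recent #Fields directive says; IIS
    emits a fresh header block when a log is created or rolled over, so the
    directive is re-read each time it appears. A bare '-' means "empty".
    Entries whose token count disagrees with the header are skipped rather
    than mis-assigned, since that is exactly how the poster's confusion arose.
    """
    fields: list[str] = []
    records: list[dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        tokens = line.split(" ")
        if not fields or len(tokens) != len(fields):
            continue
        records.append({name: ("" if tok == "-" else tok)
                        for name, tok in zip(fields, tokens)})
    return records


def normalise_host(host: str) -> str:
    """Lower-case a Host value and drop an explicit :port so that
    'WWW.Example.gov:80' and 'www.example.gov' compare equal."""
    host = host.lower()
    if ":" in host:
        host = host.rsplit(":", 1)[0]
    return host


def foreign_host_requests(records: list[dict[str, str]],
                          legitimate_hosts: list[str]) -> list[dict[str, str]]:
    """Entries whose cs-host is present but is not a name this server is
    configured to answer for. A server with a host-header requirement on
    every site would have refused these; seeing them with sc-status 200
    means some site binding accepts any Host value."""
    allowed = {normalise_host(h) for h in legitimate_hosts}
    return [r for r in records
            if r.get("cs-host") and normalise_host(r["cs-host"]) not in allowed]


def summarise_by_host(records: list[dict[str, str]]) -> dict[str, int]:
    """Hit count per (normalised) Host value, the same view the poster's
    web-filtering software presented as 'Host Name / IP Address / Hits'."""
    counts: dict[str, int] = {}
    for r in records:
        h = normalise_host(r["cs-host"])
        counts[h] = counts.get(h, 0) + 1
    return counts


if __name__ == "__main__":
    entries = parse_w3c(SAMPLE_LOG)
    suspicious = foreign_host_requests(entries, ["www.example.gov"])
    for r in suspicious:
        print(r["date"], r["time"], r["c-ip"], r["cs-host"], r["cs-uri-stem"], r["sc-status"])
    print(summarise_by_host(suspicious))
```

    If the header block has been trimmed from the copy you are looking at,
    the #Fields line from the top of the original log file on the server
    gives the same mapping, and the list of field names in Ken's message is
    the fallback for working it out by position.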

