Re: Clearing IIS logs

From: Tiago Halm (thalm@netcabo.pt)
Date: 10/04/01

Previous message: Frank Knobbe: "RE: DENY x REJECT"
In reply to: Travis Kiger: "RE: Clearing IIS logs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Message-ID: <000c01c14d01$7fed9ff0$460042ac@WebDev.BancoBPI.pt>
From: "Tiago Halm" <thalm@netcabo.pt>
To: "Travis Kiger" <Travis.Kiger@dig.com>, "'Shoten'" <shoten@starpower.net>, "Jason binger" <cisspstudy@yahoo.com>, <pen-test@securityfocus.com>
Subject: Re: Clearing IIS logs
Date: Thu, 4 Oct 2001 19:21:47 +0100

This might seem rather silly, but I was thinking
of opening the log file in sharable read/write mode
using a kind of NT service which would start before
IIS.

That way you could do whatever you want to the file
while the NT Service and IIS had it open.

But this poses 2 questions

1. Does IIS open the file in lock read/write mode ?
If this is the case, then this won't work.

2. What to do when IIS changes log file (at 00:00) ?
Well, you could make the NT service create a file
just before 00:00 so that IIS would use it also.

I'm writing this now, but haven't tested it yet, so probably
it wont work.

Just my 2 something!

Tiago Halm

----- Original Message -----
From: "Travis Kiger" <Travis.Kiger@dig.com>
To: "'Shoten'" <shoten@starpower.net>; "Jason binger"
<cisspstudy@yahoo.com>; <pen-test@securityfocus.com>
Sent: Tuesday, October 02, 2001 8:10 PM
Subject: RE: Clearing IIS logs

> Hmm, I tried it with an IIS4 machine using the IIS log format. After
> deleting the current log and renaming an old log, new requests were
appended
> to the old log, although this format does include the date in each entry.
>
> XXX.XXX.XXX.XXX, -, 6/13/01, 16:10:53, W3SVC1, SERVER, YYY.YYY.YYY.YYY, 0,
> 258, 623, 404, 2, GET, /images/homepage/icon.gif, -,
> XXX.XXX.XXX.XXX, -, 6/13/01, 16:10:53, W3SVC1, SERVER, YYY.YYY.YYY.YYY, 0,
> 260, 623, 404, 2, GET, /images/homepage/icon.gif, -,
> XXX.XXX.XXX.XXX, -, 6/13/01, 16:10:53, W3SVC1, SERVER, YYY.YYY.YYY.YYY, 0,
> 256, 623, 404, 2, GET, /images/homepage/base.gif, -,
> XXX.XXX.XXX.XXX, -, 6/13/01, 16:10:53, W3SVC1, SERVER, YYY.YYY.YYY.YYY,
125,
> 256, 390, 200, 0, GET, /images/html_corner.gif, -,
> XXX.XXX.XXX.XXX, -, 10/2/01, 12:06:23, W3SVC1, SERVER, YYY.YYY.YYY.YYY,
15,
> 564, 206, 304, 0, GET, /index.html, -,
> XXX.XXX.XXX.XXX, -, 10/2/01, 12:06:23, W3SVC1, SERVER, YYY.YYY.YYY.YYY, 0,
> 627, 141, 304, 0, GET, /global.js, -,
> XXX.XXX.XXX.XXX, -, 10/2/01, 12:06:23, W3SVC1, SERVER, YYY.YYY.YYY.YYY, 0,
> 622, 141, 304, 0, GET, /home.css, -,
>
>
>
> -----Original Message-----
> From: Shoten [mailto:shoten@starpower.net]
> Sent: Tuesday, October 02, 2001 11:41 AM
> To: Travis Kiger; Jason binger; pen-test@securityfocus.com
> Subject: Re: Clearing IIS logs
>
>
> The problem with this method is that IIS will not continue the existing
log
> file, but rather create a new one.
>
>
> > IIS keeps the log file open, so I don't know of a way to do it without
> > stopping IIS. The easiest way to acccomplish this is to create an AT job
> > that stops IIS, deletes the logs and then restarts IIS. The account that
> the
> > AT service runs as probably has permissions to do this. To cause even
more
> > confusion for the admin, copy an old log and give it the same name as
> > todays' log. Some log types don't show the date in the individual
entries,
> > but the admin may not notice either way.
>
>
> --------------------------------------------------------------------------

-- > This list is provided by the SecurityFocus Security Intelligence Alert (SIA) > Service. For more information on SecurityFocus' SIA service which > automatically alerts you to the latest security vulnerabilities please see: > https://alerts.securityfocus.com/ >

---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/

Previous message: Frank Knobbe: "RE: DENY x REJECT"
In reply to: Travis Kiger: "RE: Clearing IIS logs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: IIS : access to cmd.exe and multiple commands on one line
... Subject: IIS: access to cmd.exe and multiple commands on one line ... > This list is provided by the SecurityFocus Security Intelligence Alert ... For more information on SecurityFocus' SIA service which ...
(Pen-Test)
RE: Clearing IIS logs
... IIS keeps the log file open, so I don't know of a way to do it without ... This list is provided by the SecurityFocus Security Intelligence Alert ... For more information on SecurityFocus' SIA service which ...
(Pen-Test)
Re: IIS : access to cmd.exe and multiple commands on one line
... Subject: IIS: access to cmd.exe and multiple commands on one line ... that '&' is a reserved character, and that %-encoding them should modify the ... This list is provided by the SecurityFocus Security Intelligence Alert ...
(Pen-Test)
RE: Clearing IIS logs
... Subject: Clearing IIS logs ... I tried it with an IIS4 machine using the IIS log format. ... This list is provided by the SecurityFocus Security Intelligence Alert ...
(Pen-Test)
Re: update on IIS 5.0 relative path vulnerability
... update on IIS 5.0 relative path vulnerability ... and you can obtain SYSTEM privilege. ... This list is provided by the SecurityFocus Security Intelligence Alert ...
(Pen-Test)