Re: IIS Logfile

• Previous message: Ronish Mehta: "Defense in Depth"
• In reply to: mfernandez_at_fdta-valles.org: "Re: IIS Logfile"
• Next in thread: messanger: "Re: IIS Logfile"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Wed, 27 Oct 2004 04:48:51 -0700
To: security-basics@securityfocus.com

mfernandez@fdta-valles.org wrote:

>Thanks to all of you for replying.
>
>This log file is getting weirder. Here are more strange entries:
>
>2004-10-26 01:04:22 202.38.216.127 - W3SVC1 FILESERVER xxx.xxx.xxx.xxx 80 GET
>/scripts/nsiislog.dll - 401 5 0 - - -
>2004-10-26 02:54:32 130.235.160.66 - W3SVC1 FILESERVER xxx.xxx.xxx.xxx 80 GET
>/M83A - 401 5 0 - - -
>2004-10-26 02:54:32 130.235.160.66 - W3SVC1 FILESERVER xxx.xxx.xxx.xxx 80
>PROPFIND / - 401 5 15 - TEST -
>2004-10-26 02:54:33 130.235.160.66 - W3SVC1 FILESERVER xxx.xxx.xxx.xxx 80 GET
>/scripts/nsiislog.dll - 401 5 0 xxx.xxx.xxx.xxx - -
>
>I am located in the ass of the world (South America) and I don't understand why
>some chinesse and sweden people should be interested on my net? (those IPs are
>from that places)
>
>Like you say, the 401 code means an authorization failure, but, what is they
>trying to do?
>
>Thanks in advance...
>
>
>
>
>
>----------------------------------------------------------------
>This message was sent using IMP, the Internet Messaging Program.
>
>
>
>
They probably don't care about what is your network specificially, as
compromised systems are often just used as a jumping point to reach
other machines, to conduct denial of service attacks, etc.

Based on the filename listed in the log you may want to read the
following security bulletin -
http://www.microsoft.com/technet/security/bulletin/MS03-022.mspx

Anthony Boynes

• Previous message: Ronish Mehta: "Defense in Depth"
• In reply to: mfernandez_at_fdta-valles.org: "Re: IIS Logfile"
• Next in thread: messanger: "Re: IIS Logfile"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]