RE: IIS Logfile

From: Eric McCarty (eric_at_piteduncan.com)
Date: 10/27/04

  • Next message: Kenneth R Swain II: "Re: Defense in Depth"
    Date: Wed, 27 Oct 2004 08:15:11 -0700
    To: <mfernandez@fdta-valles.org>, <security-basics@securityfocus.com>
    
    

    NSIISLog.dll has a POST Overflow, that's my guess what they are trying
    to do at this point in time. I would send abuse reports to their ISP's,
    make sure you servers are patched and chalk it up to the lay of the
    land.

    Eric

    -----Original Message-----
    From: mfernandez@fdta-valles.org [mailto:mfernandez@fdta-valles.org]
    Sent: Tuesday, October 26, 2004 1:07 PM
    To: security-basics@securityfocus.com
    Subject: Re: IIS Logfile

    Thanks to all of you for replying.

    This log file is getting weirder. Here are more strange entries:

    2004-10-26 01:04:22 202.38.216.127 - W3SVC1 FILESERVER xxx.xxx.xxx.xxx
    80 GET /scripts/nsiislog.dll - 401 5 0 - - -
    2004-10-26 02:54:32 130.235.160.66 - W3SVC1 FILESERVER xxx.xxx.xxx.xxx
    80 GET /M83A - 401 5 0 - - -
    2004-10-26 02:54:32 130.235.160.66 - W3SVC1 FILESERVER xxx.xxx.xxx.xxx
    80 PROPFIND / - 401 5 15 - TEST -
    2004-10-26 02:54:33 130.235.160.66 - W3SVC1 FILESERVER xxx.xxx.xxx.xxx
    80 GET /scripts/nsiislog.dll - 401 5 0 xxx.xxx.xxx.xxx - -

    I am located in the ass of the world (South America) and I don't
    understand why some chinesse and sweden people should be interested on
    my net? (those IPs are from that places)

    Like you say, the 401 code means an authorization failure, but, what is
    they trying to do?

    Thanks in advance...

    ----------------------------------------------------------------
    This message was sent using IMP, the Internet Messaging Program.


  • Next message: Kenneth R Swain II: "Re: Defense in Depth"