Re: IIS log entries
From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 11/26/02
- Next message: David Chadwick: "IIS 6.0 / ASP not enabled"
- Previous message: Tony Covey: "Re: IIS log entries"
- In reply to: Sam Critchley: "IIS log entries"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Karl Levinson [x y] mvp" <levinson_k@excite.com> Date: Tue, 26 Nov 2002 17:12:20 -0500
"Sam Critchley" <Sam.Critchley@dial.pipex.nospam.com> wrote in message
news:3de3d9d5$0$806$4d4ebb8e@news.nl.uu.net...
>
> Hi,
>
> Probably an obvious and basic question, but I've got IIS running on W2K
> server, SP3. I've got the log entries below showing up (see below) -
> seems like my machine is being probed (it's coming from various IP
> addresses over the last few days since I brought up IIS and opened port
> 80 inbound on my router).
>
> I have a couple of questions:
>
> 1. Do these logs show anything serious happening or is it just someone
> checking out the server for vulnerabilities?
I agree with the other post... looks like just worms and/or script kiddies.
However, if your web server isn't completely secured and ready for prime
time [and I suspect it isn't], close that port now. Also, just because
these logs show you weren't hacked doesn't mean you weren't previously
hacked elsewhere.
> 2. If it is something serious, how do I fix it without stopping the
> service?
If it's something serious, your machine has already been hacked. When this
happens, you may want to seriously consider formatting and reinstalling
Windows and everything else, after doing forensic investigation to determine
how it was hacked and what data or other systems were compromised.
> 3. I'm running certificate services so users can download certificates
> using their browsers? Does this require script execution? If not, can I
> turn off script permissions on the web server?
I doubt it has to do with script execution. Execute permissions should be
removed from all folders not containing executable script, by following the
securing IIS checklists from Microsoft which can be found at:
http://securityadmin.info/faq.htm#11.12
http://securityadmin.info/faq.htm#harden
[and while you're there, follow the other recommendations in that list to
secure your server]
> 4. Can anyone point me to a site which gives a thorough explanation of
> IIS log entries?
I haven't found a good comprehensive site, but here's a start:
http://securityadmin.info/faq.htm#iislogs2
http://securityadmin.info/faq.htm#iislogs
www.iisfaq.com [answers to lots of your IIS questions]
www.google.com
www.google.com/advanced_group_search
> 2002-11-26 01:37:49 62.212.107.69 - AAA.BBB.CCC.DDD 80 HEAD /iisstart.asp - 200 -
This shows me that your iisstart.asp file is still on your server,
advertising to the world that you're running an unsecured Windows / IIS
server. This can increase the number of scans run on your system. I'm also
guessing you haven't deleted the other vulnerable sample scripts that
come with IIS. More info in the securing checklists at the URL listed
above. If you don't have it yet, you also need IISlockdown which includes
URLScan, which blocks most of these scans.
Above all, note that security is not just patches... it's other things,
including proper configuration, and file permissions, and third party tools
to add additional security features. For example, check out the File
Integrity Checker which is free from www.gfi.com
For more information about HTTP error / status codes:
http://www.bigblock.com/support/wri_http.htm
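
The reading of the log line in the reply above (a 200 for /iisstart.asp means the default file is still being served) can be automated. This is an added example, not part of the original thread: it separates requests the server answered from probes that missed. The field order is inferred from the single quoted log line, and the `intended` prefix `/certsrv/`, the extra log entries and the function names are assumptions made for the illustration.

```python
from collections import Counter, defaultdict

# Field order inferred from the one log line quoted in the post (an assumption);
# a "#Fields:" directive in the log, when present, overrides it.
ASSUMED_FIELDS = ("date time c-ip cs-username s-ip s-port cs-method "
                  "cs-uri-stem cs-uri-query sc-status cs(User-Agent)").split()

# Constructed sample: the first entry is the line from the post, the others are
# made up (documentation-range addresses, placeholder paths).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2002-11-26 01:37:49 62.212.107.69 - AAA.BBB.CCC.DDD 80 HEAD /iisstart.asp - 200 -
2002-11-26 01:40:02 192.0.2.10 - AAA.BBB.CCC.DDD 80 GET /samples/placeholder.asp - 404 -
2002-11-26 01:40:03 192.0.2.10 - AAA.BBB.CCC.DDD 80 HEAD /IISStart.asp - 200 -
2002-11-26 02:15:44 198.51.100.7 - AAA.BBB.CCC.DDD 80 GET /certsrv/default.asp - 200 Mozilla/4.0+(compatible)
2002-11-26 02:16:01 192.0.2.10 - AAA.BBB.CCC.DDD 80 GET /placeholder-admin/ - 403 -
"""

def parse(text):
    """Yield one dict per request line, keyed by W3C field name."""
    fields = ASSUMED_FIELDS
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or garbled lines
                yield dict(zip(fields, values))

def triage(text, intended=("/certsrv/",)):
    """Return (served, refused).

    served:  {path: sorted client IPs} for 2xx/3xx answers outside the
             `intended` prefixes, i.e. content that exists on the server but
             was not meant to be published (leftover default or sample files).
    refused: {client IP: count} of 4xx/5xx answers, i.e. probes that missed.
    """
    served, refused = defaultdict(set), Counter()
    for req in parse(text):
        path = req["cs-uri-stem"].lower()  # IIS paths are case-insensitive
        if req["sc-status"][0] in "23":
            if not path.startswith(intended):
                served[path].add(req["c-ip"])
        elif req["sc-status"][0] in "45":
            refused[req["c-ip"]] += 1
    return {p: sorted(ips) for p, ips in served.items()}, dict(refused)

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Every path in `served` is a file to remove or lock down, whichever address asked for it; `refused` only shows how noisy each scanner was.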