Re: Hackers trying to break into IIS

From: Jerry III (jerryiii_at_hotmail.com)
Date: 10/27/03


Date: Sun, 26 Oct 2003 23:00:52 -0800

As for why it shows up in the log - if you set IE (and other browsers) to
check their cached versions of files automatically they will send either a
HEAD request to get the modified date (and so on, there's more but that
would be too much detail for you) or send a regular GET request with
If-Unmodified-Since header or one of the other conditional headers (which
will get 304 response with no body if the file wasn't modified). To make a
long story short - those are not hackers.

Jerry

"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:eHVnIsDnDHA.2456@TK2MSFTNGP09.phx.gbl...
> HEAD is a HTTP method that returns on the HTTP headers, not the entire
body.
>
> You can see the difference by using telnet.
>
> telnet>open www.yoursite.com 80
> HEAD /index.htm HTTP/1.1
> HOST: www.yoursite.com
> [enter]
> [enter]
>
> will return just the headers. Now, do the same, but replace HEAD with GET,
> and you'll see the headers and the HTTP body.
>
> Cheers
> Ken
>
> "Don Schultz" <Don@mail.syntaxcomputers.com> wrote in message
> news:031901c39c24$0e456350$a101280a@phx.gbl...
> : I had some hackers break into my web server when I was
> : running NT 4.0. I upgraded to 2000 and put URLScan on the
> : system and it appears to have stopped them but they
> : continue to try and gain access. Most often now they
> : simply give up after entering a command that looks like
> : this in the log file "HEAD /index.htm 200" the 200
> : indicates that they successfully retreived the index.htm,
> : which is just fine with me but what does the HEAD mean
> : and how are they going about trying to get this page
> : because none of the photos on the page are being sent to
> : them?
>
>