Re: mysterious entry in URLScan log files

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 02/08/04

• Next message: Bernard: "Re: Security Patch included in Windows Update"
• Previous message: David Wang [Msft]: "Re: IIS 6 Security Problem"
• In reply to: Jon Greene: "mysterious entry in URLScan log files"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Sat, 7 Feb 2004 21:02:01 -0800

The claimed IP is not necessarily trusted since IP can be spoofed.

I can say is that you are either modifying or removing the Server: header
from the response, and someone/thing sent you a request that was not HTTP
1.0 or HTTP 1.1 as parsed by IIS. Request such as:
GET / \r\n
\r\n

There are HW out there which sends this exact request and expect a 200; I'm
not certain if it applies in your case.

-- 
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Jon Greene" <jon321@GreeneNOSPAMEnterprisesWI.com> wrote in message
news:uP1L2UZ7DHA.3024@tk2msftngp13.phx.gbl...
Hi all,
I just happened to be scanning through my urlscan logs when I stumbled on
some strange (to me anyway) entries.  The originating ip address is
127.0.0.1 (localhost) and the errors are all the same -
[01-30-2004 - 18:07:20] Client at 127.0.0.1: Received a malformed request
which resulted in error 50 while modifying the 'Server' header. Request will
be rejected with a 400 response.
Does this mean there is something on my machine that is incorrectly trying
to access the webserver (IIS 5.1 on XP Pro)?  Or is this a normal error?  I
went back a month and a half and it showed up 6 times on different days.
Nothing matched up in my firewall logs to the time of the errors.
Any insight into this would be very appreciated.
TIA,
Jon

---

• Next message: Bernard: "Re: Security Patch included in Windows Update"
• Previous message: David Wang [Msft]: "Re: IIS 6 Security Problem"
• In reply to: Jon Greene: "mysterious entry in URLScan log files"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: About http method trace track options in IIS4 ... I doubt URLScan will have any noticable affect on the performance of your ... "translate:" header because it sometimes causes lots of urlscan logging you ... request. ... of allowed parts of requests reaching the server. ... (microsoft.public.inetserver.iis.security) Re: [Full-Disclosure] DoS in Apache 2.0.52 ? ... OpenSSL/0.9.7c DAV/2 PHP/4.3.4 Server. ... >> lot of CPU usage and hangs the webserver. ... >> considers it as an extension to the previous line header. ... That fix was for the long request field header when the ... (Full-Disclosure) Re: URLScan and Server Variables - ASP.NET ... server variable to hold my virtual Directory Name - VirDir. ... Request will be rejected. ... used to specify a replacement for IIS's built in 'Server' header ... Maps to webhits.dll, part of Index Server ... (microsoft.public.inetserver.iis.security) Re: Cant see Plows messages ... When you request that header the server then searches ... Google Groups treats this request by ... (alt.guitar) Re: Apache webserver ... Do you have a complete example of persistance using the Apace server? ... request arguments, for example, each request type has an ACTION field ... So the CGI program function) is just a big switch. ... Then the mainprepend the output the header to ... (comp.sys.ibm.as400.misc)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > microsoft.public.inetserver.iis.security  > 2004-02