Re: IIS log files and how to locate if the client is trying to infect my web server
From: Jeff Cochran (jcochran.nospam_at_naplesgov.com)
Date: 05/11/04
- In reply to: Jeremy Smith: "IIS log files and how to locate if the client is trying to infect my web server"
Date: Tue, 11 May 2004 20:38:54 GMT
On 11 May 2004 09:20:38 -0700, godtoall@hotmail.com (Jeremy Smith)
wrote:
>I know how to find Nimda and Code Red, but was curious if there is a
>complete list of all of the viruses that can be found in the IIS Log
>files.
You can't find viruses, only specific requests. Nimda/Code Red
requests have a unique signature, but you don't see the virus, you
only see the results of someone's system infected with the virus
attacking you.
Analyzing the logs *can* help with spotting attacks, and the keys to
look for are the 404 and 500 errors for unsuccessful ones, and
requests for cmd.exe with a 200 result, which may have been
successful.
Of course, since you're using the IIS Lockdown Tool and URLScan, you
won't see any of those... :)
Jeff
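
The log triage described in the reply above, as an added example that is not part of the original post: it reads IIS W3C extended log text, lists requests for cmd.exe that returned 200, and counts 404/500 responses per client. The sample log lines, the addresses in them, and the function names `parse_w3c` and `triage` are constructed for illustration.

```python
import collections

# Constructed sample in W3C extended format (not real traffic). Field order is
# read from the #Fields directive, so other IIS field selections also parse.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-05-11 09:01:12 192.0.2.10 GET /scripts/cmd.exe /c+dir 404
2004-05-11 09:01:13 192.0.2.10 GET /scripts/root.exe /c+dir 500
2004-05-11 09:02:40 198.51.100.7 GET /scripts/cmd.exe /c+dir 200
2004-05-11 09:03:05 203.0.113.5 GET /index.htm - 200
2004-05-11 09:03:09 203.0.113.5 GET /missing.gif - 404
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))

def triage(text, marker="cmd.exe"):
    """Return (possible_successes, failed_by_client) using the rule from the post."""
    possible, failed = [], collections.Counter()
    for req in parse_w3c(text):
        status = req.get("sc-status", "")
        stem = req.get("cs-uri-stem", "")
        client = req.get("c-ip", "-")
        if marker in stem.lower() and status == "200":
            possible.append((client, stem))   # may have been successful
        elif status in ("404", "500"):
            failed[client] += 1               # unsuccessful attempt or plain error
    return possible, failed

if __name__ == "__main__":
    possible, failed = triage(SAMPLE_LOG)
    for client, stem in possible:
        print("investigate first:", client, stem)
    print("404/500 responses per client:")
    for client, count in failed.most_common():
        print(f"  {client}: {count}")
```

A 404 or 500 count also includes ordinary broken links, so the per-client totals are a starting point for review rather than a verdict.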