On Wed, 1 Oct 2003 12:01:33 -0700, "onlyabill" <none DeleteThis @hotmail.com>
wrote:
>I have a hosted web site that is running under IIS 5.0 on
>a remote server. I have access to the logs for my site
>(s). I have been reviewing the log files and see a
>unusual set of entries that I can not fine any information
>on. Any help determining what is going on is
>appreciated...
>
>This usually appears as a set of three commands as follows:
>- a GET for a page as in GET /{page name}
>- a SEARCH as in SEARCH /
>- a SEARCH as in SEARCH /{bunch of stuff}
>
>The {bunch of stuff} is:
>- 269 'A's followed by
>- 8 sets of '??{single unprintable character}' followed by
>- 33 '?' followed by
>- 260 lower case letters followed by
>- 3421 'N'
>
>Can anyone tell me what is going on here? What this stuff
>might be? I will see this suff in the logs multiple times
>a day and at some points multiple times a minute!
>
>I have looked in some IIS books and they indicate that the
>SEARCH command is for a news server. I am not running
>one. Thoughts? Ideas? Information?
Nimda and varients, as well as scripted attacks. Make sure your
server is patched and hardened, use URLScan to deny the requests.
<a style='text-decoration: underline;' href="http://www.microsoft.com/security/" target="_blank">http://www.microsoft.com/security/</a>
<a style='text-decoration: underline;' href="http://securityadmin.info/" target="_blank">http://securityadmin.info/</a>
Jeff<!-- ~MESSAGE_AFTER~ -->
>> Stay informed about: IIS 5.0 log file contents question... 
FAQ
Profile
Private Messages
Log in
