Security Incidents mailing list archives
IIS logs -- A little off topic
From: "Portnoy, Gary" <gportnoy () belenosinc com>
Date: Wed, 1 Aug 2001 14:30:53 -0400
Hi there,

With all this CodeRed generated activity I just realized something: If I am using host headers in IIS, and somebody makes a connection to an IP address and attempts to overflow the Index server, it isn't going to be logged anywhere. Each website residing on a computer has a unique host header and is logging to a unique log directory. I don't have a website associated with the IP address, hence, even though the connection can be established (SYN, SYN/ACK, ACK), the request will get an error.

This is both good and bad. It's good in the respect that even though my servers could be vulnerable, if you aren't including a host header in your request, you'll get an error, and most scanners just use a straight IP address. It's bad in the respect that I have no clue who is trying what against my server because it's not logging it.

I noticed similar behavior when the sadmin worm was going around and it would attempt to "GET x" to determine the type of the server. Apache would log it, but not IIS, though it had to do with the fact that for some reason IIS doesn't like "GET x", it needs the '/'. "GET /x" would be logged. I suspect this is a little different, but it's related to the fact that IIS doesn't have a 'default' or 'error' log.

How are others dealing with this?

Whew, that was a long post...

-Gary-

Gary Portnoy
Network Administrator
gportnoy () belenosinc com
PGP Fingerprint: 9D69 6A39 642D 78FD 207C 307D B37D E01A 2E89 9D2C