IIS Server Security - Funky Log entry

This is Interesting: Free IT Magazines  
Home > Archive > IIS Server Security > January 2004 > Funky Log entry





You are viewing an archived Text-only version of the thread. To view this thread in it's original format and/or if you want to reply to this thread please [click here]

Author Funky Log entry
Joseph

2004-01-24, 2:01 am

Found this followed by a 404 what is it?
default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXX%u9 090%u6858%
ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9 090%u6858%ucbd3%
u7801%u9090%u9090%u8190%u00c3%u0 003%u8b00%u531b%u53ff%
u0078%u0000%u00=a

thanks Joseph
Martin Cline

2004-01-24, 2:01 am

CodeRed worm or some version of it.
Ok, now what do these mean GET /<Rejected-By-UrlScan> 404
Microsoft-WebDAV-MiniRedir/5.1.2600

"Joseph" <anonymous@discussions.microsoft.com> wrote in message
news:0df601c3df15$11cef930$a401280a@phx.gbl...
quote:

> Found this followed by a 404 what is it?
> default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXX%u9 090%u6858%
> ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9 090%u6858%ucbd3%
> u7801%u9090%u9090%u8190%u00c3%u0 003%u8b00%u531b%u53ff%
> u0078%u0000%u00=a
>
> thanks Joseph



---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.560 / Virus Database: 352 - Release Date: 1/8/2004


Bernard

2004-01-24, 2:01 am

It mean, urlscan has blocked the request.
checkout - %windir%/system32/inetsrv/urlscan/urlscanxxxxxx.log
to see what's been blocked.

--
Regards,
Bernard Cheah
http://support.microsoft.com/
Please respond to newsgroups only ...



"Martin Cline" <cline38@hotmail.com> ????
news:eh2u8kx3DHA.484@TK2MSFTNGP10.phx.gbl...
quote:

> CodeRed worm or some version of it.
> Ok, now what do these mean GET /<Rejected-By-UrlScan> 404
> Microsoft-WebDAV-MiniRedir/5.1.2600
>
> "Joseph" <anonymous@discussions.microsoft.com> wrote in message
> news:0df601c3df15$11cef930$a401280a@phx.gbl...
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.560 / Virus Database: 352 - Release Date: 1/8/2004
>
>



Martin Cline

2004-01-24, 2:01 am

I know the urlscan part but where is this come from
"Microsoft-WebDAV-MiniRedir/5.1.2600"
Every 15 mins for about two hours then stops...

"Bernard" <qbernard@hotmail.com.discuss> wrote in message
news:uakETvx3DHA.1052@TK2MSFTNGP12.phx.gbl...
quote:

> It mean, urlscan has blocked the request.
> checkout - %windir%/system32/inetsrv/urlscan/urlscanxxxxxx.log
> to see what's been blocked.
>
> --
> Regards,
> Bernard Cheah
> http://support.microsoft.com/
> Please respond to newsgroups only ...
>
>
>
> "Martin Cline" <cline38@hotmail.com> ????
> news:eh2u8kx3DHA.484@TK2MSFTNGP10.phx.gbl...
>
>



---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.560 / Virus Database: 352 - Release Date: 1/8/2004


Bernard

2004-01-24, 2:01 am

This is webdav client query. you can check IP of such request.
I have seen XP with webdav when contacted IIS, you will see such log.

also there's an exploint about this WebDav -
http://www.microsoft.com/technet/tr...in/ms03-007.asp
ensure your machine is patch up to date.

--
Regards,
Bernard Cheah
http://support.microsoft.com/
Please respond to newsgroups only ...



"Martin Cline" <cline38@hotmail.com> ????
news:O$VQYzx3DHA.2528@TK2MSFTNGP10.phx.gbl...
quote:

> I know the urlscan part but where is this come from
> "Microsoft-WebDAV-MiniRedir/5.1.2600"
> Every 15 mins for about two hours then stops...
>
> "Bernard" <qbernard@hotmail.com.discuss> wrote in message
> news:uakETvx3DHA.1052@TK2MSFTNGP12.phx.gbl...
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.560 / Virus Database: 352 - Release Date: 1/8/2004
>
>



Joseph

2004-01-24, 2:01 am

I thank you I was using webdav to try and publish but it
wouldnt work. I then corected the problem. So what does
this appear to be safe or infected? I used Virus scan and
nothing found.
Thanks guys/Girls
quote:

>-----Original Message-----
>This is webdav client query. you can check IP of such

request.
quote:

>I have seen XP with webdav when contacted IIS, you will

see such log.
quote:

>
>also there's an exploint about this WebDav -
>http://www.microsoft.com/technet/treeview/default.asp?

url=/technet/security/bulletin/ms03-007.asp
quote:

>ensure your machine is patch up to date.
>
>--
>Regards,
>Bernard Cheah
>http://support.microsoft.com/
>Please respond to newsgroups only ...
>
>
>
>"Martin Cline" <cline38@hotmail.com> ????
>news:O$VQYzx3DHA.2528@TK2MSFTNGP10.phx.gbl...
message[QUOTE][color=darkred]
windir%/system32/inetsrv/urlscan/urlscanxxxxxx.log[QUOTE][color=darkred]
UrlScan> 404[QUOTE][color=darkred]
wrote in message[QUOTE][color=darkred]
090%u6858%[QUOTE][color=darkred]
ucbd3%[QUOTE][color=darkred]
u53ff%[QUOTE][color=darkred]
(http://www.grisoft.com).[QUOTE][color=darkred]
Date: 1/8/2004[QUOTE][color=darkred]
(http://www.grisoft.com).[QUOTE][color=darkred]
1/8/2004[QUOTE][color=darkred]
>
>
>.
>

Joseph

2004-01-24, 2:01 am

I cannot find this on my server I find all the way to
intsrv but no urlscan
quote:

>-----Original Message-----
>I know the urlscan part but where is this come from
>"Microsoft-WebDAV-MiniRedir/5.1.2600"
>Every 15 mins for about two hours then stops...
>
>"Bernard" <qbernard@hotmail.com.discuss> wrote in message
>news:uakETvx3DHA.1052@TK2MSFTNGP12.phx.gbl...
windir%/system32/inetsrv/urlscan/urlscanxxxxxx.log[QUOTE][color=darkred]
UrlScan> 404[QUOTE][color=darkred]
in message[QUOTE][color=darkred]
090%u6858%[QUOTE][color=darkred]
ucbd3%[QUOTE][color=darkred]
u53ff%[QUOTE][color=darkred]
(http://www.grisoft.com).[QUOTE][color=darkred]
Date: 1/8/2004[QUOTE][color=darkred]
>
>
>---
>Outgoing mail is certified Virus Free.
>Checked by AVG anti-virus system (http://www.grisoft.com).
>Version: 6.0.560 / Virus Database: 352 - Release Date:

1/8/2004
quote:

>
>
>.
>

Bernard

2004-01-28, 8:34 pm

If you used webdav to publish, I believe those verbs will appear in the log
file. as long as it's from a valid source IP, I guess you are safe.. Next
try deploy urlscan and customize it to suite your needs.

--
Regards,
Bernard Cheah
http://support.microsoft.com/
Please respond to newsgroups only ...



"Joseph" <anonymous@discussions.microsoft.com> ????
news:0a0101c3df68$9c4d4b90$a301280a@phx.gbl...[QUOTE][color=darkred]
> I thank you I was using webdav to try and publish but it
> wouldnt work. I then corected the problem. So what does
> this appear to be safe or infected? I used Virus scan and
> nothing found.
> Thanks guys/Girls
> request.
> see such log.
> url=/technet/security/bulletin/ms03-007.asp
> message
> windir%/system32/inetsrv/urlscan/urlscanxxxxxx.log
> UrlScan> 404
> wrote in message
> 090%u6858%
> ucbd3%
> u53ff%
> (http://www.grisoft.com).
> Date: 1/8/2004
> (http://www.grisoft.com).
> 1/8/2004


David Martin

2004-01-29, 12:35 am

Then I think you must have specified a differing install path - search for
urlscan.ini - the logs should be in a sub folder (if not the log path with
be contained in the ini file.

Regards Dave,

"Joseph" <anonymous@discussions.microsoft.com> wrote in message
news:12a601c3df69$ddbdcef0$a401280a@phx.gbl...[QUOTE][color=darkred]
> I cannot find this on my server I find all the way to
> intsrv but no urlscan
> windir%/system32/inetsrv/urlscan/urlscanxxxxxx.log
> UrlScan> 404
> in message
> 090%u6858%
> ucbd3%
> u53ff%
> (http://www.grisoft.com).
> Date: 1/8/2004
> 1/8/2004


Sponsored Links






Free braindumps | Software forum | Database administration forum

Copyright 2003 - 2008 webservertalk.com