Hello everyone!

I've noticed in my log files the odd entry like the one shown below:

2004-04-15 01:16:51 168.XXX.XXX.XXX guest W3SVC340215 213.188.129.110 80
GET / - 401 5 1292 474 31 HTTP/1.1
Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0) - -

(I've obscured the IP address with XXX's)

All the other log entries show a - (hyphen) for the "cs-username" column
where as this shows someone logged in as "guest".

I'm guessing its at least a hack attempt of sorts but I'm slightly
concerned that the "guest" username is in the log and has presumably
logged in as this user.

FYI, this isn't my webserver. It is one being hosted by a fairly large
hosting company in Europe.

Thanks in advance!

Peter M.

[ Post a follow-up to this message ]

Peter Mumble wrote:

> Hello everyone!
>
> I've noticed in my log files the odd entry like the one shown below:
>
> 2004-04-15 01:16:51 168.XXX.XXX.XXX guest W3SVC340215 213.188.129.110 80
> GET / - 401 5 1292 474 31 HTTP/1.1
> Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0) - -
>
> (I've obscured the IP address with XXX's)
>
> All the other log entries show a - (hyphen) for the "cs-username" column
> where as this shows someone logged in as "guest".
>
> I'm guessing its at least a hack attempt of sorts but I'm slightly
> concerned that the "guest" username is in the log and has presumably
> logged in as this user.
>
> FYI, this isn't my webserver. It is one being hosted by a fairly large
> hosting company in Europe.
>

And please don't anyone point out my stupid indiscretion... I'm still
kicking myself right now.

Anyway, the question still stands; I might just have to contact the host
rather sooner than I had intended!

[ Post a follow-up to this message ]

Hi,

nothing to worry about here. Some attempted to log in with the username of
guest, but the login attempt failed. I can see that it failed by the status
code of 401 and the substatus code of 5 (--->GET / - 401 5 1292 474 31
HTTP/1.1)

you can even duplicate this behavior by attempting to log in with a user
name or password that you know is not valid, you will receive the same type
of entry in your logs. But what if this happens if you're not using
authentication on your site? Still no big deal because the credentials are
being passed in the request header - your machine is most likely being
scanned for poorly secured servers.

hth

smk


"Peter Mumble" <peterm@example.com> wrote in message
news:%239zRkWIZEHA.2908@TK2MSFTNGP10.phx.gbl...
> Hello everyone!
>
> I've noticed in my log files the odd entry like the one shown below:
>
> 2004-04-15 01:16:51 168.XXX.XXX.XXX guest W3SVC340215 213.188.129.110 80
> GET / - 401 5 1292 474 31 HTTP/1.1
> Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0) - -
>
> (I've obscured the IP address with XXX's)
>
> All the other log entries show a - (hyphen) for the "cs-username" column
> where as this shows someone logged in as "guest".
>
> I'm guessing its at least a hack attempt of sorts but I'm slightly
> concerned that the "guest" username is in the log and has presumably
> logged in as this user.
>
> FYI, this isn't my webserver. It is one being hosted by a fairly large
> hosting company in Europe.
>
> Thanks in advance!
>
> Peter M.

[ Post a follow-up to this message ]

srock wrote:

> Hi,
>
> nothing to worry about here. Some attempted to log in with the username of
> guest, but the login attempt failed. I can see that it failed by the statu
s
> code of 401 and the substatus code of 5 (--->GET / - 401 5 1292 474 31
> HTTP/1.1)
>
> you can even duplicate this behavior by attempting to log in with a user
> name or password that you know is not valid, you will receive the same typ
e
> of entry in your logs. But what if this happens if you're not using
> authentication on your site? Still no big deal because the credentials are
> being passed in the request header - your machine is most likely being
> scanned for poorly secured servers.
>
> hth
>

That is a *huge* relief!  Thanks srock!!

[ Post a follow-up to this message ]

Do you need/use the Guest account?

If not then confirm it has been disabled as well.

This posting is provided "AS IS" with no warranties, and confers no rights.

Thanks!
~Andrew Davis
Microsoft PSS Security

--------------------
>Reply-To: "srock" <noone@localhost>
>From: "srock" <noone@localhost>
>References: <#9zRkWIZEHA.2908@TK2MSFTNGP10.phx.gbl>
>Subject: Re: "guest" appearing in IIS log files - hack attempt?
>Date: Wed, 7 Jul 2004 21:33:53 -0400
>Lines: 46
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.2800.1409
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
>Message-ID: <e#pzptIZEHA.2408@tk2msftngp13.phx.gbl>
>Newsgroups: microsoft.public.inetserver.iis.security
>NNTP-Posting-Host: pcp04097893pcs.neave01.pa.comcast.net 68.81.192.198
>Path:
cpmsftngxa06.phx.gbl!TK2MSFTNGXS01.phx.gbl!TK2MSFTNGXA05.phx.gbl!TK2MSFTNGP0
8.phx.gbl!tk2msftngp13.phx.gbl
>Xref: cpmsftngxa06.phx.gbl microsoft.public.inetserver.iis.security:13193
>X-Tomcat-NG: microsoft.public.inetserver.iis.security
>
>Hi,
>
>nothing to worry about here. Some attempted to log in with the username of
>guest, but the login attempt failed. I can see that it failed by the status
>code of 401 and the substatus code of 5 (--->GET / - 401 5 1292 474 31
>HTTP/1.1)
>
>you can even duplicate this behavior by attempting to log in with a user
>name or password that you know is not valid, you will receive the same type
>of entry in your logs. But what if this happens if you're not using
>authentication on your site? Still no big deal because the credentials are
>being passed in the request header - your machine is most likely being
>scanned for poorly secured servers.
>
>hth
>
>smk
>
>
>"Peter Mumble" <peterm@example.com> wrote in message
>news:%239zRkWIZEHA.2908@TK2MSFTNGP10.phx.gbl... 
>
>
>

[ Post a follow-up to this message ]

Andrew Davis [MS] wrote:
> Do you need/use the Guest account?
>
> If not then confirm it has been disabled as well.
>

I don't need or use the Guest account. I would hope that the machine has
been secured correctly by the hosting company (its a shared hosting
account btw - I probably should've mentioned that).... but of course I
can't be sure of this!

[ Post a follow-up to this message ]