repeated entries with multiple '&'s in URI query of GETs in IIS logs: msg#00038 security.intrusions
I have found the following pattern on 2 different occasions, with different referrers: the URI query part of a GET request is 0 to 5 '&' characters. The pattern repeats 20 - 30 times in each log. I'm wondering if this is some kind of attack/probe, or just some odd behavior by the referrer.

The server is IIS, here is the log format -

#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-04-13 04:00:03
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status sc-bytes cs-host cs(User-Agent) cs(Cookie) cs(Referer)

Log excerpt with pattern shown once -

2004-05-08 19:18:57 152.163.253.39 - GET /Default.asp & 302 0 www001.staples.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1;+.NET+CLR+1.1.432 2) - http://www2.seek2.com/metaisapi.dll?i=21822&seek=printer+ink+cartridges .dll
2004-05-08 19:18:57 152.163.253.40 - GET /Default.asp && 302 0 www001.staples.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1;+.NET+CLR+1.1.432 2) - http://www2.seek2.com/metaisapi.dll?i=21822&seek=printer+ink+cartridges .dll
2004-05-08 19:18:57 152.163.253.98 - GET /Default.asp &&& 302 0 www001.staples.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1;+.NET+CLR+1.1.432 2) - http://www2.seek2.com/metaisapi.dll?i=21822&seek=printer+ink+cartridges .dll
2004-05-08 19:18:58 152.163.253.99 - GET /Default.asp &&&& 302 0 www001.staples.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1;+.NET+CLR+1.1.432 2) - http://www2.seek2.com/metaisapi.dll?i=21822&seek=printer+ink+cartridges .dll
2004-05-08 19:18:58 152.163.252.195 - GET /Default.asp - 302 0 www001.staples.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1;+.NET+CLR+1.1.432 2) - http://www2.seek2.com/metaisapi.dll?i=21822&seek=printer+ink+cartridges

Thanks,
Jim

Jim Weiler
_______________________________________________
Intrusions mailing list
Intrusions@xxxxxxxxxxxxxx
http://www.dshield.org/mailman/listinfo/intrusions
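
One way to pull this pattern out of a log in the W3C extended format quoted above, as an added example that is not part of the original post: it flags requests whose cs-uri-query consists only of '&' characters and groups them by referrer. The function names, the documentation-range addresses and the sample lines are constructed for illustration, and the log is assumed to carry the date, time and c-ip fields.

```python
import re
from collections import defaultdict

# Constructed sample in the W3C extended format quoted in the post
# (documentation IP ranges and example hostnames, not the poster's data).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status sc-bytes cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2004-05-08 19:18:57 192.0.2.39 - GET /Default.asp & 302 0 www.example.com Mozilla/4.0+(compatible;+MSIE+6.0) - http://search.example.net/q?i=1&seek=ink
2004-05-08 19:18:57 192.0.2.40 - GET /Default.asp && 302 0 www.example.com Mozilla/4.0+(compatible;+MSIE+6.0) - http://search.example.net/q?i=1&seek=ink
2004-05-08 19:18:58 192.0.2.98 - GET /Default.asp &&& 302 0 www.example.com Mozilla/4.0+(compatible;+MSIE+6.0) - http://search.example.net/q?i=1&seek=ink
2004-05-08 19:18:58 192.0.2.99 - GET /Default.asp - 302 0 www.example.com Mozilla/4.0+(compatible;+MSIE+6.0) - http://search.example.net/q?i=1&seek=ink
2004-05-08 19:19:10 198.51.100.7 - GET /Default.asp id=5&page=2 200 4312 www.example.com Mozilla/4.0+(compatible;+MSIE+6.0) - -
"""

AMP_ONLY = re.compile(r"^&+$")  # a query made up of nothing but '&'


def parse_w3c(text):
    """Yield one dict per record, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):  # skip wrapped or truncated lines
                yield dict(zip(fields, values))


def ampersand_runs(text):
    """Group '&'-only queries by referrer: hits, client IPs, lengths, time span."""
    groups = defaultdict(lambda: {"hits": 0, "clients": set(), "lengths": set(), "first": None, "last": None})
    for rec in parse_w3c(text):
        query = rec.get("cs-uri-query", "-")
        if not AMP_ONLY.match(query):
            continue  # '-' (empty query) and ordinary key=value queries are ignored
        g = groups[rec.get("cs(Referer)", "-")]
        stamp = rec["date"] + " " + rec["time"]
        g["hits"] += 1
        g["clients"].add(rec["c-ip"])
        g["lengths"].add(len(query))
        g["first"] = g["first"] or stamp
        g["last"] = stamp
    return dict(groups)


if __name__ == "__main__":
    for referrer, g in ampersand_runs(SAMPLE_LOG).items():
        print(referrer, g["hits"], sorted(g["clients"]), sorted(g["lengths"]), g["first"], g["last"])
```

Records whose field count does not match the #Fields directive are skipped, so entries that a mail client or archive has wrapped mid-field need to be rejoined before they are counted.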