I was reviewing my IIS logs and noticed a single IP accessing the same file multiple times within seconds of each other. There are other IP addresses that do the same, and I cannot figure out why this is happening. This is on a closed network, and I thought maybe it was Google Search indexing, but they are not GSAs. One request lasted 6 mins, with up to ~100 requests within that time period. Their browser agents are what a normal browser's would be, too. The servers are set up on a cluster with only two servers, set to passive/active I believe.


Can you please describe the functionality of this file?

The IIS log file logs all web activity, gets to images, html pages, whatever is needed to make the page view correctly. So if I had an html page with 2 images and 2 javascript files inside it, there will be a total of 5 calls therefore 5 logged events.

IP address of remote user
website url/location
when it was accessed etc

If you are talking about the file they are accessing lol, it is a pdf file.

Yes that is what exactly I was asking (not about the log file). So you are using an asp or asp.net page? Is there any possibility that the users use Outlook to download the file? It fires up such events. Can this pdf file be downloaded without errors? Have you correctly coded the Handles in the page? Is the download done with variable bits? What do you mean by a closed network? No one able to access the IIS from outside?
If none of these are giving errors:
It may be a DDoS as well, or an SQLi (since you do not run any indexers or robots to do the indexing).
I cannot say exactly what the cause is without viewing the logs, so I recommend running LogParser to identify and filter the threat.
A good article on this:
http://www.symantec.com/connect/articles/forensic-log-parsing-microsofts-logparser
You have to patch the Adobe plugins and configure extensions to mitigate the attacks. Make sure there are no scripts or cookie scripts which are from outside (and no Trojans inside the server of course... )
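
The kind of filtering the last answer suggests doing with LogParser, sketched in Python as an added example that is not part of the original thread: it groups IIS W3C log entries by client IP and URL, reports pairs that burst within a short window, and tallies their status codes, since 206 marks byte-range (partial content) responses rather than full downloads. The sample log, its field set, the window and the threshold are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended format (not taken from the poster's logs).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
2013-05-01 10:00:00 10.0.0.5 GET /docs/report.pdf 200 Mozilla/5.0
2013-05-01 10:00:01 10.0.0.5 GET /docs/report.pdf 206 Mozilla/5.0
2013-05-01 10:00:02 10.0.0.5 GET /docs/report.pdf 206 Mozilla/5.0
2013-05-01 10:00:03 10.0.0.5 GET /docs/report.pdf 206 Mozilla/5.0
2013-05-01 10:00:04 10.0.0.5 GET /docs/report.pdf 206 Mozilla/5.0
2013-05-01 10:00:05 10.0.0.5 GET /docs/report.pdf 206 Mozilla/5.0
2013-05-01 10:03:00 10.0.0.9 GET /docs/report.pdf 200 Mozilla/5.0
2013-05-01 10:20:00 10.0.0.9 GET /docs/report.pdf 200 Mozilla/5.0
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def find_bursts(rows, window_seconds=10, threshold=5):
    """Return {(ip, uri): {"peak": n, "statuses": {...}}} for every pair whose
    request count inside any sliding window reaches the threshold."""
    hits = defaultdict(list)
    for r in rows:
        ts = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
        hits[(r["c-ip"], r["cs-uri-stem"])].append((ts, r["sc-status"]))
    window = timedelta(seconds=window_seconds)
    report = {}
    for key, events in hits.items():
        events.sort()
        peak = start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop requests that fell out of the window
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            statuses = dict(Counter(status for _, status in events))
            report[key] = {"peak": peak, "statuses": statuses}
    return report

if __name__ == "__main__":
    for (ip, uri), info in find_bursts(parse_w3c(SAMPLE_LOG)).items():
        print(ip, uri, info)
```

A burst made up almost entirely of 206 entries from one client is worth comparing against the byte-range question raised in the answer before treating it as hostile traffic.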
