0

I was reviewing my IIS logs and noticed a single IP accessing the same file multiple times within seconds of each other. There are other IP addresses that do the same and cannot figure out why this is happening. This is on a closed network and thought maybe it was a Google Search indexing but they are not GSA's. One request lasted 6 mins and up to ~100 requests within that time period. Their browser agent are what a normal browser would be also. The servers are setup on a cluster with only two servers set to passive/active I believe.

2
Contributors
4
Replies
5
Views
6 Years
Discussion Span
Last Post by lasitha2005d
0

The IIS log file logs all web activity, gets to images, html pages, whatever is needed to make the page view correctly. So if I had an html page with 2 images and 2 javascript files inside it, there will be a total of 5 calls therefore 5 logged events.

IP address of remote user
website url/location
when it was accessed etc

0

Yes that is what exactly I was asking (not about the log file). So you are using an asp or asp.net page? Is there any possibility that the users use Outlook to download the file? It fires up such events. Can this pdf file be downloaded without errors? Have you correctly coded the Handles in the page? Is the download done with variable bits? What do you mean by a closed network? No one able to access the IIS from outside?
If non of these are giving errors:
May be a DDOS as well or an SQLI (since you do not run any indexers or robots to do the indexing).
Cannot say exactly what the cause without viewing logs. So I recommend to run the LogParser to identify and filter the threat.
a good article on this:
http://www.symantec.com/connect/articles/forensic-log-parsing-microsofts-logparser
You have to patch the adobe plugins and configure extensions to mitigate the attacks. Make sure there are no scripts or cookie scripts which are from outside (and no Trojans inside the server of course... )

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.