
Re: IIS Log exactly 65.536 bytes ???

From: Mike Coppins <mike(at)legolas.com>
Date: Tue Nov 26 2002 - 20:06:34 EST


To throw in a quick tidbit of information, when IIS starts a new logfile, the size is 64KB, even though the rest of the file is 'empty'. The reason for this is for performance purposes. The filesystem doesn't keep getting requests to increase the size of a file every time an HTTP request occurs and the log file doesn't get half as fragmented as it might.

The freezing situation you describe when viewing logfiles over TS is obviously bad, but as to what the cause is I can't say.

As for new file creation/modify times being the same frequently, it depends on how busy the website in question is. The file modify date of the file changes when the first hit of the next day occurs. IIS cuts the slack from the old log file and starts a new one. Personally I'm finding it odd that your 'not suspicious' logfiles are created at exactly 1am and your 'suspicious' files have different timestamps :)

On a website I run (legolas.com), which doesn't get much traffic but enough to keep the weblogs ticking over, the modify dates are anything from 00:00 to 00:49, and the creation date of the previous logfile. The last entry of the previous logfile is anything up to 23:59.

I'd advise some general checking for a potential compromise on your machine (the sort of checking that should be done on a regular, but not particularly often, basis). Things like checking AT job listings, key binary comparisons, user listings, netstat output checks, etc.

Could some of this behaviour be the result of using URLscan? I don't know, never used it, as it seems like one of those 'closing the door after the horse has bolted' security safeguards :)

-- 
Mike Coppins
mike@legolas.com
http://www.legolas.com/
Received on Thu Nov 28 12:47:04 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:25 EDT
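
An added example, not part of the original post: a small Python check that separates the written part of an IIS log from its preallocated slack, so a 65,536-byte file is judged by its contents rather than its size. It assumes the 'empty' remainder is NUL bytes; `describe_log`, `write_sample` and the sample log lines are constructed for illustration.

```python
import os
import tempfile

ALLOC = 64 * 1024  # allocation step from the post: a fresh log is 65,536 bytes

def describe_log(path, pad=b"\x00"):
    """Separate written log data from trailing padding (assumed NUL bytes)."""
    with open(path, "rb") as fh:
        data = fh.read()
    body = data.rstrip(pad)
    entries = [ln for ln in body.splitlines() if ln and not ln.startswith(b"#")]
    return {
        "size": len(data),
        "used": len(body),
        "slack": len(data) - len(body),
        # Size alone is not a finding: a whole number of 64KB steps with
        # trailing padding is what a log that is still open looks like.
        "preallocated": len(data) % ALLOC == 0 and 0 < len(body) < len(data),
        "entries": len(entries),
        "last_entry": entries[-1].decode("ascii", "replace") if entries else None,
        # Padding bytes inside the written region are not explained by preallocation.
        "interior_padding": pad in body,
    }

def write_sample(path, lines, size=ALLOC):
    """Write a constructed log: header, entries, then NUL padding up to `size`."""
    body = b"".join(ln.encode("ascii") + b"\r\n" for ln in lines)
    with open(path, "wb") as fh:
        fh.write(body + b"\x00" * (size - len(body)))
    return len(body)

# Constructed sample in W3C extended format (documentation address range).
SAMPLE = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
    "2002-11-26 00:12:41 192.0.2.10 GET /index.html 200",
    "2002-11-26 00:49:03 192.0.2.11 GET /images/logo.gif 304",
]

if __name__ == "__main__":
    path = os.path.join(tempfile.mkdtemp(), "ex021126.log")
    write_sample(path, SAMPLE)
    for key, value in describe_log(path).items():
        print(f"{key:17} {value}")
```

The `last_entry` value is the line to compare against the file's modify time when reviewing the timestamps discussed in the post.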

