Pantek Library

Re: Logging mechanism in IIS (was RE: code red---- on system that is already (and has been) patched)

From: Ken Schaefer <ken(at)adOpenStatic.com>
Date: Tue Mar 04 2003 - 20:40:58 EST

I concur with Keith (but I could be wrong...)

In the case of buffer overflow attacks (/not/ Sadmind etc that used Unicode traversal to get to cmd.exe) a successful attack should result in nothing in the IIS logs.

Attacks like Sadmind which use traversal will be logged either way: 404 if cmd.exe can't be found and 200 if cmd.exe can be found (subject, possibly, to the qualification with regard to sites that have custom 404 pages which someone else mentioned).

Cheers
Ken



From: "Turner, Keith (Contractor)" <Keith.Turner@tea.army.mil>
Subject: Logging mechanism in IIS (was RE: code red---- on system that is already (and has been) patched)

: [...]
: I believe this to be true, someone please correct me if it is not.
: [...] successfully,
: some other code starts executing and therefore, IIS never gets a chance to
: [...] context
: of a worm, as it normally represents the successful execution of the attack
: command. In this case, however, the code 200 is inconclusive and does not
: [...]
Received on Wed Mar 5 12:19:01 2003
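The distinction the two posts draw, between overflow requests that never reach the logger and traversal requests that are logged with a 404 or 200, can be checked against an actual IIS log. The script below is an added example, not code from either poster or from Microsoft; it parses the W3C extended log format IIS writes, decodes the overlong UTF-8 sequences the Unicode traversal bug accepted (%c0%af for '/', %c1%9c for '\'), also undoes %255c double encoding, and reports every request that reached cmd.exe together with the status code and the custom-404 caveat. The log lines are constructed for the example and the field order in the `#Fields:` header is an assumption; real logs may list different fields. Note what the script cannot do: a successful buffer-overflow request leaves no log line, so an empty result is not evidence that no overflow was attempted.

```python
"""Find Unicode/traversal probes for cmd.exe in IIS W3C extended log files."""
import re
from typing import Dict, List, Optional

# Constructed sample log, not taken from the thread. Field order follows the
# #Fields: header, which is the only thing the parser trusts.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-03-04 20:40:58 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2003-03-04 20:41:02 10.0.0.5 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+dir 404
2003-03-04 20:41:09 10.0.0.6 GET /msadc/..%255c../..%255c../winnt/system32/cmd.exe /c+dir 200
2003-03-04 20:41:15 10.0.0.7 GET /index.htm - 200
2003-03-04 20:41:20 10.0.0.8 GET /scripts/cmd.exe - 404
"""

_PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def _percent_to_bytes(s: str) -> bytes:
    """Turn %XX escapes into raw bytes; other characters pass through as latin-1."""
    out = bytearray()
    i = 0
    while i < len(s):
        m = _PCT.match(s, i)
        if m:
            out.append(int(m.group(1), 16))
            i = m.end()
        else:
            out.extend(s[i].encode("latin-1", "replace"))
            i += 1
    return bytes(out)


def lenient_utf8(b: bytes) -> str:
    """Decode two-byte UTF-8 sequences without rejecting overlong forms, which is
    the behaviour the traversal exploit relied on: %c0%af -> '/', %c1%9c -> '\\'.
    Longer sequences are not needed for these probes and are left as single bytes."""
    out = []
    i = 0
    while i < len(b):
        c = b[i]
        if 0xC0 <= c <= 0xDF and i + 1 < len(b) and 0x80 <= b[i + 1] <= 0xBF:
            out.append(chr(((c & 0x1F) << 6) | (b[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(c))
            i += 1
    return "".join(out)


def decode_uri(stem: str) -> str:
    """Decode twice so %255c (double-encoded backslash) is caught too, then fold
    backslashes to slashes and lower-case. Over-decoding a legitimate %25 is an
    acceptable false-positive risk for a detection pass."""
    s = stem
    for _ in range(2):
        s = lenient_utf8(_percent_to_bytes(s))
    return s.replace("\\", "/").lower()


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields: names."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            vals = line.split()
            if fields and len(vals) == len(fields):
                rows.append(dict(zip(fields, vals)))
    return rows


def classify(row: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding if the decoded path reaches cmd.exe, else None."""
    path = decode_uri(row.get("cs-uri-stem", ""))
    if "cmd.exe" not in path:
        return None
    status = row.get("sc-status", "")
    if status == "200":
        verdict = "cmd.exe reachable (200); inconclusive if the site serves a custom 404 page"
    elif status == "404":
        verdict = "cmd.exe not reachable (404)"
    else:
        verdict = f"status {status}"
    return {
        "time": f"{row.get('date', '')} {row.get('time', '')}",
        "c-ip": row.get("c-ip", ""),
        "decoded": path,
        "traversal": "/../" in path,
        "verdict": verdict,
    }


def scan(text: str) -> List[Dict[str, object]]:
    """Run classify() over every row and keep only the findings."""
    return [f for f in (classify(r) for r in parse_w3c(text)) if f is not None]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["time"], hit["c-ip"], hit["decoded"], "traversal" if hit["traversal"] else "direct", hit["verdict"])
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents; the `#Fields:` header in the file drives the column mapping, so logs with extra fields such as `cs(User-Agent)` parse the same way.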

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:27 EDT

