Solved

what are these people doing? sample WINNT\system32\LogFiles\W3SVC1 - 21:40:48 66.19.101.21 SEARCH / 411

Posted on 2004-04-12
Last Modified: 2007-12-19
I keep getting this in my log files every day, but I don't know what they are trying to do. Hacking? Yes, hacking what?
What are they trying to do? What purpose?
I looked up what the numbers mean:
200 OK Action complete successfully
411 Length Required
Anyone, please tell me what they are trying to accomplish?

c:\WINNT\system32\LogFiles\W3SVC1
11:11:35 217.217.61.224 GET / 200
11:11:37 217.217.61.224 SEARCH / 411
11:12:45 166.127.1.35 GET / 200
11:12:45 166.127.1.35 SEARCH / 411
11:59:52 210.78.92.206 GET / 200
11:59:52 210.78.92.206 SEARCH / 411
12:41:08 219.164.105.247 GET / 200
12:41:08 219.164.105.247 SEARCH / 411
13:00:45 218.75.12.38 GET / 200
13:00:45 218.75.12.38 SEARCH / 411
13:22:32 219.140.22.18 GET / 200
13:22:32 219.140.22.18 SEARCH / 411
14:20:00 80.58.14.44 GET / 200
14:20:02 80.58.14.44 SEARCH / 411
14:58:08 82.64.242.68 GET / 200
14:58:09 82.64.242.68 SEARCH / 411
15:11:28 202.156.2.50 GET / 200
15:11:28 202.156.2.50 SEARCH / 411
15:23:26 218.87.77.34 GET / 200
15:23:26 218.87.77.34 SEARCH / 411
15:25:27 219.118.17.127 GET / 200
15:25:27 219.118.17.127 SEARCH / 411
15:35:22 61.160.28.210 GET / 200
15:35:26 61.160.28.210 SEARCH / 411
15:46:29 80.44.120.67 GET / 200
15:46:30 80.44.120.67 SEARCH / 411
16:09:30 81.70.153.25 GET / 200
16:09:30 81.70.153.25 SEARCH / 411
16:35:00 219.78.179.119 GET / 200
16:35:00 219.78.179.119 SEARCH / 411
16:47:04 128.58.76.33 GET / 200
16:47:06 128.58.76.33 SEARCH / 411
17:08:08 220.166.116.249 GET / 200
17:08:08 220.166.116.249 SEARCH / 411
17:15:56 165.21.154.12 GET / 200
17:24:51 83.152.169.227 GET / 200
17:24:52 83.152.169.227 SEARCH / 411
17:52:55 81.60.158.11 GET / 200
17:52:56 81.60.158.11 SEARCH / 411
18:28:53 81.129.6.177 GET / 200
18:28:53 81.129.6.177 SEARCH / 411
20:03:03 218.26.219.195 GET / 200
20:03:03 218.26.219.195 SEARCH / 411
20:41:47 80.58.11.45 GET / 200
20:41:48 80.58.11.45 SEARCH / 411
20:59:29 80.58.3.42 GET / 200
20:59:48 80.58.3.42 SEARCH / 411
21:08:34 219.156.126.3 GET / 200
21:08:34 219.156.126.3 SEARCH / 411
21:40:44 66.19.101.21 GET / 200
21:40:48 66.19.101.21 SEARCH / 411
21:53:01 219.110.38.47 GET / 200
21:53:05 219.110.38.47 SEARCH / 411
22:01:05 210.50.52.146 GET / 200
22:01:09 210.50.52.146 SEARCH / 411
22:13:53 65.246.148.253 GET / 200
22:13:53 65.246.148.253 SEARCH / 411
22:48:30 4.37.216.48 GET / 200
22:48:30 4.37.216.48 SEARCH / 411
23:22:48 218.225.135.67 GET / 200
23:22:50 218.225.135.67 SEARCH / 411
23:56:01 68.251.64.171 GET / 200
23:56:01 68.251.64.171 SEARCH / 411
Question by:Jerry_Pang
LVL 6

Expert Comment

by:bloemkool1980
ID: 10811175
I think they are trying to exploit an old bug in the .ida search module. But it is also possible, of course, that your search command has a restriction on the input of the string, meaning that if I do a search on your webserver with a string that is too short or a blank.
0
 
LVL 9

Author Comment

by:Jerry_Pang
ID: 10811434
Bug? Where can I read more info about this?
0
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 10813310
I would suggest securityfocus.com and searching for .idq and .ida issues, but what version of IIS are you running?
Your input is rather poor to give a concrete answer to your problem.
0
 
LVL 9

Author Comment

by:Jerry_Pang
ID: 10819431
Sorry, but this is the only info I have. I just want to know what these IPs are trying to do to my PC.
Like this one:
68.251.64.171 GET / 200
68.251.64.171 SEARCH / 411

I also searched Google for .idq and .ida issues and found this one:
http://www.microsoft.com/technet/security/bulletin/MS01-033.mspx
0
 
LVL 6

Accepted Solution

by:
bloemkool1980 earned 50 total points
ID: 10820703
Well, you should have more information, because GET and SEARCH are standard commands. Without the complete URL and the file they access, it is obsolete and very hard to have an idea what they do.
I just assume it is a web vulnerability scanner running against your site, doing pretty much standard things, and nothing really to worry about.
0
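An added example, not part of the original thread: one way to summarize the pattern in the question's log, where each client sends GET / and then SEARCH / within seconds and the SEARCH is refused with 411. The sample lines are constructed (documentation address ranges) in the same five-field layout, and the function names and the 30-second window are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: time, client IP, method, URI, status (same layout as the
# log in the question). Addresses are from documentation ranges, not real hosts.
SAMPLE_LOG = """\
11:11:35 192.0.2.10 GET / 200
11:11:37 192.0.2.10 SEARCH / 411
11:30:02 198.51.100.7 GET / 200
11:59:52 203.0.113.5 GET / 200
11:59:52 203.0.113.5 SEARCH / 411
12:10:00 198.51.100.7 GET /index.htm 200
not a log line
"""

def parse(text):
    """Yield (time, ip, method, uri, status) for well-formed lines; skip others."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        try:
            ts = datetime.strptime(parts[0], "%H:%M:%S")
        except ValueError:
            continue
        yield ts, parts[1], parts[2].upper(), parts[3], int(parts[4])

def find_probe_pairs(text, window_seconds=30):
    """Return (ip, get_time, search_time, status) for each GET / that the same
    client follows with SEARCH / inside the window (one daily log file assumed)."""
    window = timedelta(seconds=window_seconds)
    last_get, hits = {}, []
    for ts, ip, method, uri, status in parse(text):
        if method == "GET" and uri == "/":
            last_get[ip] = ts
        elif method == "SEARCH" and uri == "/" and ip in last_get:
            first = last_get.pop(ip)
            if timedelta(0) <= ts - first <= window:
                hits.append((ip, first.strftime("%H:%M:%S"),
                             ts.strftime("%H:%M:%S"), status))
    return hits

def summarize(text):
    """Count requests per (method, status) so unusual verbs such as SEARCH stand out."""
    return Counter((method, status) for _, _, method, _, status in parse(text))

if __name__ == "__main__":
    for hit in find_probe_pairs(SAMPLE_LOG):
        print("GET-then-SEARCH pair:", hit)
    print(dict(summarize(SAMPLE_LOG)))
```

A status of 411 on every SEARCH means the server refused the request for lacking a Content-Length; any SEARCH line with a different status is the one to look at first.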
