someone-somewhere asked:
Need help with an IIS log - was someone snooping around?
I enabled the IIS on my windows 7 desktop just so that my coworkers can download a file there (i.e. just one simple home page with a link to a file), and because it was a small group I gave them the IP address for them to visit (http://..). I do have a firewall on my computer (Norton) so I thought it should be okay. The traffic is generally very slim but I just noticed that yesterday's log file was larger than usual, so I checked it out. If it helps I can upload the log file, but under the column "cs-uri-stem" I saw a lot of folders that should not be accessible through the IIS (i.e. not in the WWWroot) like
/D$
/D$/Folder1/
/D$/Folder1/Folder2/
/D$/Folder1/Folder2/Folder 3
/D$/Folder1/Folder2/Folder 3/Folder4
and one of these is a folder that I have not accessed for quite a long time -- definitely not that day.
cs(user-agent) is
Microsoft-WebDAV-MiniRedir /6.1.7601
cs-host is
localhost
c-ip is
::1
sc-bytes and cs-bytes are pretty small, with a max of 5000 across rows.
sc-status is 200 for one (one folder), and 404 for all others.
cs-method has one entry of "option" and a lot of entries of "PROPFIND"
Is this something I should be worried about? I have since disabled the IIS and cut off the computer from the internet and will try to get a different IP next time.
Thanks very much!
ASKER
Hi xmlmagician,
Yes, usually that's what I do, but there were reasons to do so. The computer is behind a corporate firewall (for our building), so it is open to the public, but only to those who are inside.
The paths you are showing are administrative share paths on your PC. \\ComputerName\d$ is essentially the root for the D drive on your computer.
IIS shouldn't serve those unless you have enabled some sort of directory listing. I don't think those are coming from IIS but from your local network. And judging from the IP, whoever is accessing your computer from your network share is using IPv6. Most old firewalls don't work with IPv6; you might want to disable that on your network card.
cool, i will respect that and i will not ask you for the reasons.
I would say that something went on to your PC, and a look in the Event Viewer might give you the answer. Look into the Security section of it and see if there were any failed attempts to log in to your machine.
I will run Malwarebytes and your antivirus just to be on the safe side.
Why do you have webdav enabled? Not needed in this scenario, as described.
"I do have a firewall on my computer (Norton) so I thought it should be okay." And what is its setting for port 80 TCP (HTTP) requests? All IP addresses? You probably just want it to allow your local subnet.
ASKER
Hi folks,
Thanks a lot for responding to my question. To answer some of the questions / issues mentioned in your responses -
1. I did not enable WebDAV, and that's what made me wonder. I only added IIS as an additional feature and used the default options. Going through the features just now, I saw that "directory browsing" was checked by default, so I turned it off. But even with it on, the folder paths that I described earlier are on a different disk than WWW-root, and that's what bothered me.
2. To answer ve3ofa (thanks for your response, by the way), the IP filter wasn't installed by default, but I just enabled that. Thanks for the tip.
3. To breadtan: thanks for the detailed links. So, is it true that once they use the WebDAV redirector, their IP will be logged by IIS as my own machine?
4. I checked the Event Viewer and didn't see much there; under "Security", unfortunately the earliest entry was the beginning of today.
What I really want to know is whether, by using the WebDAV redirector, they were able to do more than browse the directories, and if they copied any files from the directories, etc. Does the 404 error in the IIS log mean that they tried but weren't successful?
Thanks for your patience with this -- I am not a web server administrator, and while I was a bit nervous when giving out the IP address, I thought it was just a small group of people that'd have access to it. I want to determine if this is nothing to worry about, or if I should bring this up to the IT staff who specialize in security issues.
The 404 is a "page not found" response.
ASKER
Hi ve3ofa,
Thanks for your reply. Yes, so if I understand it correctly, when the client tried to access that folder or file he got a 404 error. Am I correct? Here are the first three lines of the IIS log, along with the header; can you help me take a look and see if there's anything suspicious?
date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
3/29/2013 22:15:38 OPTIONS /D$/Folder1/Folder2 - - ::1 Microsoft-WebDAV-MiniRedir /6.1.7601 - - localhost 200 0 0 183 171 505
3/29/2013 22:15:38 PROPFIND /D$/Folder1/Folder2 - - ::1 Microsoft-WebDAV-MiniRedir /6.1.7601 - - localhost 404 0 2 5420 201 56
3/29/2013 22:15:38 PROPFIND /D$/Folder1 - - ::1 Microsoft-WebDAV-MiniRedir /6.1.7601 - - localhost 404 0 2 5384 183 2
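As an added example (not from the post or any of the answers), the Python below parses the three pasted lines by their field header and answers the asker's question directly: were any of the /D$ requests more than discovery? OPTIONS and PROPFIND only enumerate; only a 2xx on a method that reads or changes content (GET, PUT, COPY, MOVE, ...) would show a file was actually touched.

```python
import re
from collections import Counter

# Sample log as pasted in the post above. The header row is written as the
# '#Fields:' directive IIS actually emits, so the parser reads column names
# from it; the user-agent is written without the stray space so every entry
# splits into exactly 17 whitespace-separated fields.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
3/29/2013 22:15:38 OPTIONS /D$/Folder1/Folder2 - - ::1 Microsoft-WebDAV-MiniRedir/6.1.7601 - - localhost 200 0 0 183 171 505
3/29/2013 22:15:38 PROPFIND /D$/Folder1/Folder2 - - ::1 Microsoft-WebDAV-MiniRedir/6.1.7601 - - localhost 404 0 2 5420 201 56
3/29/2013 22:15:38 PROPFIND /D$/Folder1 - - ::1 Microsoft-WebDAV-MiniRedir/6.1.7601 - - localhost 404 0 2 5384 183 2
"""

ADMIN_SHARE = re.compile(r"^/[A-Za-z]\$(/|$)")   # /D$ and anything below it
DISCOVERY_METHODS = {"OPTIONS", "PROPFIND"}     # enumerate only, never return file bodies
CONTENT_METHODS = {"GET", "PUT", "COPY", "MOVE", "DELETE", "MKCOL", "PROPPATCH"}
LOOPBACK = {"::1", "127.0.0.1"}                 # c-ip values meaning "this machine"

def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                            # skip malformed rows rather than misalign
        yield dict(zip(fields, values))

def triage(text):
    """Summarise what the log shows, and does not show, about admin-share probes."""
    probes = [e for e in parse_w3c(text) if ADMIN_SHARE.match(e["cs-uri-stem"])]
    methods = Counter(e["cs-method"] for e in probes)
    # A 2xx on a content method is the only evidence a file was read or changed.
    content_hits = [(e["cs-method"], e["cs-uri-stem"], e["sc-status"])
                    for e in probes
                    if e["cs-method"] in CONTENT_METHODS and e["sc-status"].startswith("2")]
    return {
        "admin_share_requests": len(probes),
        "methods": dict(methods),
        "discovery_only": set(methods) <= DISCOVERY_METHODS,
        "not_found": sum(1 for e in probes if e["sc-status"] == "404"),
        "all_from_loopback": all(e["c-ip"] in LOOPBACK for e in probes),
        "content_access_succeeded": content_hits,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it over the full day's log instead of SAMPLE_LOG to see whether any entry outside the pasted three was a successful content request; the c-ip of ::1 means the log alone cannot tell you which remote machine was behind the redirector.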
Is your IIS available to the public? Can I say, would it not be easier and safer to upload the file to something like SkyDrive and give them the link?