troubleshooting Question

Need help with an IIS log - was someone snooping around?

Avatar of someone-somewhere
someone-somewhere asked on
Microsoft IIS Web ServerInternet ProtocolsDigital Forensics
11 Comments3 Solutions3190 ViewsLast Modified:
I enabled the IIS on my windows 7 desktop just so that my coworkers can download a file there (i.e. just one simple home page with a link to a file), and because it was a small group I gave them the IP address for them to visit (http://..). I do have a firewall on my computer (Norton) so I thought it should be okay. The traffic is generally very slim but I just noticed that yesterday's log file was larger than usual, so I checked it out. If it helps I can upload the log file, but under the column "cs-uri-stem" I saw a lot of folders that should not be accessible through the IIS (i.e. not in the WWWroot) like

and one of these is a folder that I have not accessed for quite a long time -- definitely not that day.

cs(user-agent) is

cs-host is

c-ip is

sc-bytes and cs-bytes are pretty small, with a max of 5000 across rows.

sc-status is 200 for one (one folder), and 404 for all others.

cs-method has one entry of "option" and a lot of entries of "PROPFIND"

Is this something I should be worried about? I have since disabled the IIS and cut off the computer from the internet and will try to get a different IP next time.

Thanks very much!
btanExec Consultant
Join our community to see this answer!
Unlock 3 Answers and 11 Comments.
Start Free Trial
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 3 Answers and 11 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros