someone-somewhere
 asked on

Need help with an IIS log - was someone snooping around?

I enabled IIS on my Windows 7 desktop just so that my coworkers could download a file there (i.e. just one simple home page with a link to a file), and because it was a small group I gave them the IP address for them to visit (http://..). I do have a firewall on my computer (Norton), so I thought it should be okay. The traffic is generally very slim, but I just noticed that yesterday's log file was larger than usual, so I checked it out. If it helps I can upload the log file, but under the column "cs-uri-stem" I saw a lot of folders that should not be accessible through IIS (i.e. not in the wwwroot), like

/D$
/D$/Folder1/
/D$/Folder1/Folder2/
/D$/Folder1/Folder2/Folder3
/D$/Folder1/Folder2/Folder3/Folder4
and one of these is a folder that I have not accessed for quite a long time -- definitely not that day.

cs(user-agent) is
Microsoft-WebDAV-MiniRedir/6.1.7601

cs-host is
localhost

c-ip is
::1

sc-bytes and cs-bytes are pretty small, with a max of 5000 across rows.

sc-status is 200 for one (one folder), and 404 for all others.

cs-method has one entry of "OPTIONS" and a lot of entries of "PROPFIND".

Is this something I should be worried about? I have since disabled the IIS and cut off the computer from the internet and will try to get a different IP next time.

Thanks very much!
Tags: Microsoft IIS Web Server, Digital Forensics, Internet Protocols

Last comment: btan, 8/22/2022 - Mon
xmlmagician

Hi OP,

Is your IIS available to the public? Can I say, would it not be easier and safer to upload the file to something like SkyDrive and give them the link?
someone-somewhere

ASKER
Hi xmlmagician,

Yes, usually that's what I do, but there were reasons to do so. The computer is behind a corporate firewall (for our building), so it is open to the public, but only to those who are inside.
Yiogi

The paths you are showing are administrative share paths on your PC. \\ComputerName\d$ is essentially the root for the D drive on your computer.

IIS shouldn't serve those unless you have enabled some sort of directory listing. I don't think those are coming from IIS but from your local network. And judging from the IP, whoever is accessing your computer from your network share is using IPv6. Most old firewalls don't work with IPv6; you might want to disable that on your network card.
xmlmagician

Cool, I will respect that and I will not ask you for the reasons.

I would say that something went on on your PC, and a look in the Event Viewer might give you the answer. Look into the Security section of it and see if there were any failed attempts to log in to your machine.

I will run Malwarebytes and your antivirus just to be on the safe side.
David Johnson, CD

Why do you have WebDAV enabled? Not needed in this scenario, as described.

"I do have a firewall on my computer (Norton) so I thought it should be okay." And what is its setting for port 80 TCP (HTTP) requests? All IP addresses? You probably just want it to allow your local subnet.
SOLUTION
btan

someone-somewhere

ASKER
Hi folks,

Thanks a lot for responding to my question. To answer some of the questions / issues mentioned in your responses -

1. I did not enable WebDAV, and that's what made me wonder. I only added IIS as an additional feature and used the default options. Going through the features just now, I saw that "directory browsing" was checked by default, so I turned it off. But even with it on, the folder paths that I described earlier are on a different disk than wwwroot, and that's what bothered me.

2. To answer ve3ofa (thanks for your response by the way), the IP filter wasn't installed by default, but I just enabled that. Thanks for the tip.

3. To breadtan: thanks for the detailed links. So, is it true that once they use the WebDAV redirector, their IP will be logged by IIS as my own machine?

4. I checked the "event viewer" and didn't see much there; under "security", unfortunately the earliest entry was the beginning of today.

What I really want to know is whether, by using the WebDAV redirector, they were able to do more than browsing the directories, and if they copied any files from the directories, etc. Does the 404 error in the IIS log mean that they tried but weren't successful?

Thanks for your patience with this -- I am not a web server administrator, and while I was a bit nervous when giving out the IP address, I thought it was just a small group of people that'd have access to it. I want to determine if this is nothing to worry about, or if I should bring this up to the IT staff who specializes in security issues.
David Johnson, CD

The 404 is a "page not found" response.
someone-somewhere

ASKER
Hi ve3ofa,

Thanks for your reply. Yes, so if I understand it correctly, when the client tried to access that folder or file he got a 404 error. Am I correct? Here are the first three lines of the IIS log, along with the header; can you help me take a look and see if there's anything suspicious?

date      time      cs-method      cs-uri-stem      cs-uri-query      cs-username      c-ip      cs(User-Agent)      cs(Cookie)      cs(Referer)      cs-host      sc-status      sc-substatus      sc-win32-status      sc-bytes      cs-bytes      time-taken

3/29/2013      22:15:38      OPTIONS      /D$/Folder1/Folder2      -      -      ::1      Microsoft-WebDAV-MiniRedir/6.1.7601      -      -      localhost      200      0      0      183      171      505
3/29/2013      22:15:38      PROPFIND      /D$/Folder1/Folder2      -      -      ::1      Microsoft-WebDAV-MiniRedir/6.1.7601      -      -      localhost      404      0      2      5420      201      56
3/29/2013      22:15:38      PROPFIND      /D$/Folder1      -      -      ::1      Microsoft-WebDAV-MiniRedir/6.1.7601      -      -      localhost      404      0      2      5384      183      2
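The points raised in the thread (Yiogi's note that /D$ is an administrative-share path, David Johnson's note that 404 means "not found", and the asker's question of whether anything was actually copied) can be checked mechanically against the log itself. The following is an added triage script, not code from the thread or from Microsoft: it parses IIS W3C extended log text (the "#Fields:" directive IIS writes gives the column order; "-" marks an empty value, and IIS encodes spaces inside values as "+", so splitting on whitespace is safe), then flags requests whose cs-uri-stem looks like an administrative share (a drive letter followed by "$"), counts WebDAV methods and status codes, and separates requests that merely probed a path from requests where IIS returned a 2xx on a body-returning method for such a path. The sample log is constructed from the three lines the asker posted (dates normalized to the ISO form IIS writes). Two facts the verdict relies on: "::1" is the IPv6 loopback address, so a request from it was made by a client running on the server machine itself, and "Microsoft-WebDAV-MiniRedir" is the user agent of the Windows WebDAV client (the WebClient service).

```python
"""Triage an IIS W3C log excerpt for WebDAV probing of administrative-share paths.

Added example; not part of the original thread. Assumes the standard IIS W3C
extended log layout with a "#Fields:" header line.
"""
import re
from collections import Counter

# Constructed sample: the three rows quoted in the thread, plus the directives
# IIS writes at the top of a W3C log file (dates in IIS's own ISO format).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2013-03-29 22:15:38 OPTIONS /D$/Folder1/Folder2 - - ::1 Microsoft-WebDAV-MiniRedir/6.1.7601 - - localhost 200 0 0 183 171 505
2013-03-29 22:15:38 PROPFIND /D$/Folder1/Folder2 - - ::1 Microsoft-WebDAV-MiniRedir/6.1.7601 - - localhost 404 0 2 5420 201 56
2013-03-29 22:15:38 PROPFIND /D$/Folder1 - - ::1 Microsoft-WebDAV-MiniRedir/6.1.7601 - - localhost 404 0 2 5384 183 2
"""

# WebDAV verbs beyond plain HTTP; PROPFIND is the one a WebDAV client uses to list a directory.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
# "/D$", "/D$/..." : a drive-letter administrative share name used as a URL path.
ADMIN_SHARE_PATH = re.compile(r"^/[A-Za-z]\$(?:/|$)")
LOOPBACK = {"::1", "127.0.0.1"}


def parse_w3c(text):
    """Parse IIS W3C extended log text into a list of dicts keyed by field name."""
    fields, entries = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names follow the directive
            continue
        if not line or line.startswith("#"):
            continue                       # other directives (#Software, #Date, ...)
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue                       # skip malformed rows instead of misaligning columns
        entries.append(dict(zip(fields, values)))
    return entries


def triage(entries):
    """Summarize what the log shows about administrative-share requests."""
    summary = {
        "total": len(entries),
        "status_counts": Counter(),
        "method_counts": Counter(),
        "webdav_requests": 0,
        "remote_clients": set(),           # client addresses that are NOT loopback
        "admin_share_probes": [],          # every request for a /X$ path
        "admin_share_served": [],          # /X$ requests where IIS actually returned content
    }
    for e in entries:
        summary["status_counts"][e["sc-status"]] += 1
        summary["method_counts"][e["cs-method"]] += 1
        if e["cs-method"] in WEBDAV_METHODS:
            summary["webdav_requests"] += 1
        if e["c-ip"] not in LOOPBACK:
            summary["remote_clients"].add(e["c-ip"])
        if ADMIN_SHARE_PATH.match(e["cs-uri-stem"]):
            record = (e["cs-method"], e["cs-uri-stem"], e["sc-status"], e["c-ip"])
            summary["admin_share_probes"].append(record)
            # A 2xx on OPTIONS only advertises allowed verbs; a 2xx (incl. 207
            # Multi-Status) on PROPFIND/GET means the server handed back data for the path.
            if e["sc-status"].startswith("2") and e["cs-method"] != "OPTIONS":
                summary["admin_share_served"].append(record)
    return summary


def verdict(summary):
    """Turn the summary into the one-line answer an administrator wants."""
    if summary["admin_share_served"]:
        return "content was served for an administrative-share path; escalate"
    if summary["admin_share_probes"] and not summary["remote_clients"]:
        return "admin-share paths were probed only from loopback and all were refused (no content served)"
    if summary["admin_share_probes"]:
        return "admin-share paths were probed from remote clients but refused; review firewall scope"
    return "no administrative-share requests found"


if __name__ == "__main__":
    s = triage(parse_w3c(SAMPLE_LOG))
    print("requests:", s["total"], "| statuses:", dict(s["status_counts"]),
          "| WebDAV verbs:", s["webdav_requests"], "| remote clients:", s["remote_clients"] or "none")
    for rec in s["admin_share_probes"]:
        print("  probe:", rec)
    print("verdict:", verdict(s))
```

Run against a full day's log by passing the file contents to parse_w3c instead of SAMPLE_LOG. For the three rows above the script reports one OPTIONS 200 and two PROPFIND 404s for /D$ paths, all from ::1, and the verdict that nothing was served; a row with a non-loopback c-ip and a 207 on PROPFIND for such a path would instead be listed under admin_share_served. Note that IIS maps a URL path to the site's physical directory, so a 404 for /D$/Folder1 means no such folder existed under the site root, not that D:\Folder1 was read.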
SOLUTION
ASKER CERTIFIED SOLUTION