JAM
asked on
Suspicious activity in IIS logs (Exchange 2003 Server)
I'm about to decommission an old Exchange 2003 Server and was going through the logs.
In the IIS logs, I found suspicious activity that appears to be port scanning.
Can anyone shed some light on this?
Should I be taking any precautions before decommissioning this server (which needs to be online when doing so, although I disconnected it from the network at the moment)?
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2017-12-27 00:49:47
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2017-12-27 00:49:47 W3SVC1 10.1.1.24 GET /index.html - 80 - 5.189.164.176 masscan/1.0+(https://github.com/robertdavidgraham/masscan) 200 0 0
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2017-12-27 02:41:54
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2017-12-27 02:41:54 W3SVC1 10.1.1.24 GET /index.html - 80 - 185.110.132.232 Scanbot 200 0 0
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2017-12-27 04:36:54
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2017-12-27 04:36:54 W3SVC1 10.1.1.24 GET /xmlrpc.php - 80 - 185.188.207.6 curl/7.35.0 404 0 2
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2017-12-27 10:01:27
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2017-12-27 10:01:27 W3SVC1 10.1.1.24 GET /index.html - 80 - 222.191.251.124 User-Agent:Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.0.3705 200 0 0
2017-12-27 10:01:27 W3SVC1 10.1.1.24 GET /index.action - 80 - 222.191.251.124 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_12_3)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/56.0.2924.87+Safari/537.36 404 0 2
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2017-12-27 10:38:22
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2017-12-27 10:38:22 W3SVC1 10.1.1.24 GET /index.html - 80 - 209.126.136.4 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/57.0.2987.133+Safari/537.36 200 0 0
2017-12-27 10:52:08 W3SVC1 10.1.1.24 GET /index.html - 80 - 158.85.81.121 - 200 0 0
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2017-12-27 13:02:31
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2017-12-27 13:02:31 W3SVC1 10.1.1.24 GET /index.html - 80 - 222.186.46.16 User-Agent:Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+.NET+CLR+1.0.3705 200 0 0
2017-12-27 13:02:31 W3SVC1 10.1.1.24 GET /index.action - 80 - 222.186.46.16 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_12_3)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/56.0.2924.87+Safari/537.36 404 0 2
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2017-12-27 15:50:58
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2017-12-27 15:50:58 W3SVC1 10.1.1.24 GET /index.html - 80 - 164.132.91.1 Gecko/20100916+Iceape/2.0.8 200 0 0
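An added example (not part of the original question, and not Microsoft's or Experts Exchange's code): a triage pass over an IIS W3C log shaped like the one above, which re-reads every `#Fields:` header and groups automated-looking requests by client IP. The sample log is constructed, and the `TOOL_TOKENS` list and the reason labels are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample in the same IIS 6.0 W3C format as the log in the question
# (documentation-range client IPs; not the asker's data).
FIELDS = ("#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query "
          "s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status")
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 6.0",
    FIELDS,
    "2017-12-27 00:49:47 W3SVC1 10.1.1.24 GET /index.html - 80 - 203.0.113.5 masscan/1.0 200 0 0",
    FIELDS,  # the log in the question repeats the header block between entries
    "2017-12-27 04:36:54 W3SVC1 10.1.1.24 GET /xmlrpc.php - 80 - 203.0.113.9 curl/7.35.0 404 0 2",
    "2017-12-27 10:01:27 W3SVC1 10.1.1.24 GET /index.html - 80 - 198.51.100.7 User-Agent:Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0",
    "2017-12-27 10:01:27 W3SVC1 10.1.1.24 GET /index.action - 80 - 198.51.100.7 Mozilla/5.0+(Macintosh) 404 0 2",
    "2017-12-27 10:52:08 W3SVC1 10.1.1.24 GET /index.html - 80 - 198.51.100.20 - 200 0 0",
    "2017-12-27 11:00:00 W3SVC1 10.1.1.24 GET /index.html - 80 - 192.0.2.44 Mozilla/5.0+(Windows+NT+10.0) 200 0 0",
])

TOOL_TOKENS = ("masscan", "scanbot", "curl/")  # assumption: tokens seen in the question's log

def parse(text):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or corrupt rows
                yield dict(zip(fields, values))

def triage(text):
    """Return {client_ip: sorted list of reasons the client looks automated}."""
    findings = defaultdict(set)
    for row in parse(text):
        ua = row["cs(User-Agent)"].lower()
        if any(tok in ua for tok in TOOL_TOKENS):
            findings[row["c-ip"]].add("tool-user-agent")
        if ua == "-":
            findings[row["c-ip"]].add("no-user-agent")
        if ua.startswith("user-agent:"):  # header name repeated inside the value
            findings[row["c-ip"]].add("malformed-user-agent")
        if row["sc-status"] == "404":  # asked for a path this site does not serve
            findings[row["c-ip"]].add("probe-404:" + row["cs-uri-stem"])
    return {ip: sorted(reasons) for ip, reasons in findings.items()}

if __name__ == "__main__":
    for ip, reasons in triage(SAMPLE_LOG).items():
        print(ip, ", ".join(reasons))
```

A client absent from the result only means none of these heuristics matched; the rows with status 200 are the ones to read alongside whatever content the site actually served.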