Hashim Nangarhari

asked on

script based requests on IIS logs

Hello,

IIS logs show requests like:

python-requests/2.26.0
Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
python-requests/2.23.0
python-requests/2.25.1
python-requests/2.6.0 CPython/2.7.5 Linux/3.10.0-1160.36.2.el7.x86_64
I wonder what these requests are and whether they are malicious or benign.

David Favor

Depends on whether you're running the scans or someone else is running them.

1) If your machine is running Linux/3.10.0-1160.36.2.el7.x86_64 then... someone might have accessed your machine... especially since you're running a Kernel which might have a zero day... Best to run a 5.X Kernel at this point...

2) If your machine is running some other Kernel version, then the UA string is saying the requester is running Linux/3.10.0-1160.36.2.el7.x86_64 their Kernel.

3) Likely #2 is the case... and running a 3.X series Kernel is only for Thrillseekers, as this is a very old Kernel... and either "is" currently hackable or "will be" hackable in the future.

Also likely #2, as you said these are an IIS machine's logs, which isn't running a Linux kernel.
It should also be showing you the IP address of the requester and the file requested.

i.e.
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-08-13 23:51:23 127.0.0.2 GET /wpad.dat - 80 - 127.0.0.1 WinHttp-Autoproxy-Service/5.1 - 404 0 2 220
Hashim Nangarhari (asker)

It is someone else doing the scans, and yes, the IPs of the requester are there.
But I heard some search engines and ISPs use such scripts for the purposes of indexing and categorizing websites; is that right?
ASKER CERTIFIED SOLUTION
Gerwin Jansen