Focus on Microsoft
Logging mechanism in IIS (was RE: code red---- on system that is already (and has been) patched) Mar 04 2003 03:34PM
Turner, Keith (Contractor) (Keith Turner tea army mil) (1 replies)
Re: Logging mechanism in IIS (was RE: code red---- on system that is already (and has been) patched) Mar 05 2003 01:40AM
Ken Schaefer (ken adOpenStatic com) (1 replies)
Re: Logging mechanism in IIS (was RE: code red---- on system that is already (and has been) patched) Mar 05 2003 07:00PM
Deus, Attonbitus (Thor HammerofGod com)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 05:40 PM 3/4/2003, Ken Schaefer wrote:
>I concur with Keith (but I could be wrong...)
>
>In the case of buffer overflow attacks (/not/ Sadmind etc that used
>Unicode traversal to get to cmd.exe) a successful attack should
>result in nothing in the IIS logs.
>
>Attacks like Sadmind which use traversal will be logged either way.
>404 if cmd.exe can't be found and 200 if cmd.exe can be found
>(subject, possibly, to the qualification wrt to sites that have
>custom 404 pages which someone else mentioned).

Just tried it in the lab to make sure, and upon popping the box with
Code
Red, no logs were created- no event logs, no IIS logs.

t

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPmZJV4hsmyD15h5gEQIdbQCfWqJHIUT30YJHeyVi0nc7UvMBAQEAoI+t
9HJhw0mo4/MkPGW/DanNYUv1
=u9p1
-----END PGP SIGNATURE-----

[ reply ]
 

Privacy Statement
Copyright 2010, SecurityFocus