IIS traffic

From: Mason, Samuel (smasonstate.mt.us)
Date: Wed Nov 19 2003 - 14:55:39 CST


While clearing out some information in our web filter I noticed some odd
traffic: internal web server addresses showing up under different DNS names.
For instance in the Host Name field we see "sucks.freexxxxxvideo.com" and
yet the IP comes up in our address range. Opening the traffic I find a DSL
customer's IP from speakeasy.net. It looks like they are making what starts
out as a legitimate request from our IIS 5.0 webserver and then redirect to
whatever porn site they are after at the time.

Looking at the IIS logs on the affected server I see nothing more than this
to give me a clue:

2003-11-05 12:44:26 66.93.24.88 - X.X.X.X 80 GET /Default.asp - 200 sucks.freexxxxxvideo.com Mozilla/4.0 -

Is this a common occurrence with IIS? How do we stop this from happening?

Thanks for any help.

Samuel Mason
Information Technology Security Office
State of Montana
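
Added example, not part of the original post: one way to pull every entry like the one quoted above out of an IIS W3C extended log, by flagging requests whose Host header (cs-host) is neither one of the site's own names nor the server's own address. The #Fields layout, the allow-list name www.example.gov and the sample addresses are assumptions constructed for illustration.

```python
"""Flag IIS W3C extended log entries whose Host header is not one of our names."""

# Constructed sample. The #Fields layout is an assumption that matches the entry
# quoted in the post; addresses are documentation ranges, www.example.gov is made up.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs-host cs(User-Agent) cs(Referer)
2003-11-05 12:44:20 198.51.100.7 - 192.0.2.10 80 GET /Default.asp - 200 www.example.gov Mozilla/4.0 -
2003-11-05 12:44:26 203.0.113.88 - 192.0.2.10 80 GET /Default.asp - 200 sucks.freexxxxxvideo.com Mozilla/4.0 -
2003-11-05 12:45:01 203.0.113.88 - 192.0.2.10 80 GET /Default.asp - 200 WWW.EXAMPLE.GOV:80 Mozilla/4.0 -
2003-11-05 12:45:09 198.51.100.9 - 192.0.2.10 80 GET /Default.asp - 200 192.0.2.10 Mozilla/4.0 -
2003-11-05 12:45:30 198.51.100.9 - 192.0.2.10 80 GET /Default.asp - 200 - Mozilla/4.0 -
"""


def normalize_host(value):
    """Lower-case a Host value and drop a :port suffix and trailing dot."""
    host = value.strip().lower()
    if host.count(":") == 1:          # name:port or IPv4:port, not a bare IPv6 literal
        host = host.split(":", 1)[0]
    return host.rstrip(".")


def unexpected_hosts(lines, allowed):
    """Return (date, time, c-ip, cs-uri-stem, host) for each foreign Host header."""
    allowed = {normalize_host(h) for h in allowed}
    fields, hits = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):   # directive may appear more than once per file
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or "cs-host" not in fields:
            continue
        values = line.split()
        if len(values) != len(fields):    # truncated or malformed entry
            continue
        rec = dict(zip(fields, values))
        host = normalize_host(rec["cs-host"])
        # "-" means no Host header was sent; a request addressed to the
        # server's own IP (s-ip) is not a foreign name either.
        if host == "-" or host == rec.get("s-ip") or host in allowed:
            continue
        hits.append((rec["date"], rec["time"], rec["c-ip"], rec["cs-uri-stem"], host))
    return hits


if __name__ == "__main__":
    for hit in unexpected_hosts(SAMPLE_LOG.splitlines(), {"www.example.gov"}):
        print(*hit)
```

Grouping the returned tuples by client address or by host name shows whether the foreign names come from one source or many.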
 
