Please look at my logs: are there any traces of an intrusion? Waiting online for a reply

#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: *年*月*日 12:02:35
#Fields: date time c-ip s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
*年*月*日 12:06:08 192.168.123.173  192.168.123.* 80 GET /uploadnew/4_20080405164419.doc - 200 0 28398 340 78 HTTP/1.1 192.168.123.* Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1) cookies1=000;+ASPSESSIONIDCCQBSCCB=BHNPKBBAABLMPHLHGIOJCOIA http://192.168.123.*/index1.asp
*年*月*日 12:07:07 192.168.123.173  192.168.123.* 80 OPTIONS / - 200 0 425 203 0 HTTP/1.1 192.168.123.* Microsoft+Data+Access+Internet+Publishing+Provider+Protocol+Discovery cookies1=000 -
*年*月*日 12:07:07 192.168.123.173  192.168.123.* 80 OPTIONS /uploadnew/4_20080405164419.doc - 200 0 424 233 0 HTTP/1.1 192.168.123.* Microsoft+Data+Access+Internet+Publishing+Provider+Protocol+Discovery cookies1=000 -
Question 1: What do the OPTIONS / and OPTIONS /uploadnew/4_20080405164419.doc lines above mean? What kind of operation is OPTIONS?

*年*月*日 12:07:08 192.168.123.173  192.168.123.* 80 GET /_vti_inf.html - 404 2 3896 286 31 HTTP/1.1 192.168.123.* Mozilla/4.0+(compatible;+MS+FrontPage+6.0) cookies1=000 -
Question 2: Is a request for /_vti_inf.html an intrusion?

*年*月*日 12:07:08 192.168.123.173  192.168.123.* 80 POST /_vti_bin/shtml.dll - 200 0 460 389 47 HTTP/1.1 192.168.123.* MSFrontPage/6.0 - -
*年*月*日 12:07:08 192.168.123.173  192.168.123.* 80 POST /_vti_bin/shtml.dll - 200 0 603 441 47 HTTP/1.1 192.168.123.* MSFrontPage/6.0 - -
Question 3: What operation is POST /_vti_bin/shtml.dll - 200?

*年*月*日 12:07:08 192.168.123.173  192.168.123.* 80 OPTIONS / - 200 0 425 203 0 HTTP/1.1 192.168.123.* Microsoft+Data+Access+Internet+Publishing+Provider+Protocol+Discovery cookies1=000 -
*年*月*日 12:07:08 192.168.123.173  192.168.123.* 80 OPTIONS /uploadnew/4_20080405164419.doc - 200 0 424 233 0 HTTP/1.1 192.168.123.* Microsoft+Data+Access+Internet+Publishing+Provider+Protocol+Discovery cookies1=000 -
Question 4: One second later, the OPTIONS / and OPTIONS /uploadnew/4_20080405164419.doc requests seen above are repeated. Why? Is that normal?

*年*月*日 12:21:48 192.168.200.101  192.168.123.* 80 GET /_vti_inf.html - 404 2 3896 286 15 HTTP/1.1 192.168.123.* Mozilla/2.0+(compatible;+MS+FrontPage+4.0) cookies1=000 -
*年*月*日 12:21:48 192.168.200.101  192.168.123.* 80 POST /_vti_bin/shtml.dll - 200 0 460 389 15 HTTP/1.1 192.168.123.* MSFrontPage/4.0 - -
*年*月*日 12:21:48 192.168.200.101  192.168.123.* 80 POST /_vti_bin/shtml.dll - 200 0 603 441 16 HTTP/1.1 192.168.123.* MSFrontPage/4.0 - -
*年*月*日 12:21:48 192.168.200.101  192.168.123.* 80 OPTIONS /uploadnew/3_20080405173024.doc - 200 0 424 214 0 HTTP/1.1 192.168.123.* Microsoft+Data+Access+Internet+Publishing+Provider+Cache+Manager cookies1=000 -
*年*月*日 12:21:48 192.168.200.101  192.168.123.* 80 POST /_vti_bin/shtml.dll - 200 0 603 441 0 HTTP/1.1 192.168.123.* MSFrontPage/4.0 - -
*年*月*日 12:22:00 192.168.200.101  192.168.123.* 80 PROPFIND /uploadnew - 207 0 1017 185 0 HTTP/1.1 192.168.123.* Microsoft-WebDAV-MiniRedir/5.1.2600 - -
Question 5: What operation is PROPFIND /uploadnew? What do these records show the user doing?


Question 6: Does the "Out-of-process+ISAPI+extension+request+failed" below prove that an ISAPI attack took place?
2008-04-07 00:13:07 192.168.123.110  192.168.123.* 80 GET /index1.asp Out-of-process+ISAPI+extension+request+failed. 500 1727 271 394 31 HTTP/1.1 192.168.123.* Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1) cookies1=000 -


Question 7: This part is more interesting. What is PROPFIND /uploadnew/Desktop.ini doing?
2008-04-07 22:54:47 192.168.200.187  192.168.123.* 80 OPTIONS / - 200 0 415 147 0 HTTP/1.1 192.168.123.* Microsoft-WebDAV-MiniRedir/5.1.2600 - -
2008-04-07 22:54:47 192.168.200.187  192.168.123.* 80 PROPFIND /uploadnew - 207 0 1017 167 0 HTTP/1.1 192.168.123.* Microsoft-WebDAV-MiniRedir/5.1.2600 - -
2008-04-07 22:54:47 192.168.200.187  192.168.123.* 80 PROPFIND /uploadnew - 207 0 1017 167 0 HTTP/1.1 192.168.123.* Microsoft-WebDAV-MiniRedir/5.1.2600 - -
2008-04-07 22:54:47 192.168.200.187  192.168.123.* 80 PROPFIND /uploadnew/Desktop.ini - 404 0 0 197 94 HTTP/1.1 192.168.123.* Microsoft-WebDAV-MiniRedir/5.1.2600 - -

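The lines posted above are in the IIS 5.0 W3C Extended log format, where the `#Fields:` header names each column. As an added example (not code from the thread or from Microsoft), here is a small Python triage script that parses that format and, for each client IP, counts requests to the FrontPage Server Extensions paths (`/_vti_inf.html`, `/_vti_bin/`) and WebDAV-style methods (OPTIONS, PROPFIND, ...), so the request sequences asked about in the questions can be pulled out of a full log for review. The sample lines are constructed, modelled on the posted ones, with a made-up server address 192.168.123.5.

```python
from collections import defaultdict

# Constructed sample log, modelled on the lines in the thread (not real traffic).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2008-04-07 12:07:07 192.168.123.173 192.168.123.5 80 OPTIONS / - 200 0 425 203 0 HTTP/1.1 192.168.123.5 Microsoft+Data+Access+Internet+Publishing+Provider+Protocol+Discovery cookies1=000 -
2008-04-07 12:07:08 192.168.123.173 192.168.123.5 80 GET /_vti_inf.html - 404 2 3896 286 31 HTTP/1.1 192.168.123.5 Mozilla/4.0+(compatible;+MS+FrontPage+6.0) cookies1=000 -
2008-04-07 12:07:08 192.168.123.173 192.168.123.5 80 POST /_vti_bin/shtml.dll - 200 0 460 389 47 HTTP/1.1 192.168.123.5 MSFrontPage/6.0 - -
2008-04-07 12:22:00 192.168.200.101 192.168.123.5 80 PROPFIND /uploadnew - 207 0 1017 185 0 HTTP/1.1 192.168.123.5 Microsoft-WebDAV-MiniRedir/5.1.2600 - -
2008-04-07 22:54:47 192.168.200.187 192.168.123.5 80 PROPFIND /uploadnew/Desktop.ini - 404 0 0 197 94 HTTP/1.1 192.168.123.5 Microsoft-WebDAV-MiniRedir/5.1.2600 - -
2008-04-07 23:00:00 192.168.123.50 192.168.123.5 80 GET /index1.asp - 200 0 1200 300 10 HTTP/1.1 192.168.123.5 Mozilla/4.0+(compatible;+MSIE+6.0) cookies1=000 -
"""

# OPTIONS is plain HTTP, but together with the RFC 2518 methods it marks
# WebDAV-style discovery/authoring traffic rather than ordinary page views.
WEBDAV_METHODS = {"OPTIONS", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
# Paths belonging to FrontPage Server Extensions (as named in the thread).
FRONTPAGE_PATHS = ("/_vti_inf.html", "/_vti_bin/")


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header.
    Values are whitespace-separated, so the double space between c-ip and s-ip
    seen in the posted lines is harmless. Lines with the wrong field count are
    skipped rather than mis-keyed."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def triage(text):
    """Group requests by client IP and count FrontPage-path and WebDAV-method
    requests per client, plus the set of methods each client used, so a reviewer
    can see at a glance which clients did authoring-style operations."""
    report = defaultdict(lambda: {"frontpage": 0, "webdav": 0, "methods": set()})
    for r in parse_w3c(text):
        entry = report[r["c-ip"]]
        entry["methods"].add(r["cs-method"])
        if r["cs-uri-stem"].startswith(FRONTPAGE_PATHS):
            entry["frontpage"] += 1
        if r["cs-method"] in WEBDAV_METHODS:
            entry["webdav"] += 1
    return dict(report)


if __name__ == "__main__":
    for ip, e in sorted(triage(SAMPLE_LOG).items()):
        print(ip, "frontpage=%d webdav=%d methods=%s" % (e["frontpage"], e["webdav"], sorted(e["methods"])))
```

Clients with non-zero counts are the ones whose full request sequence is worth reading in order, as the questions above do by hand.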

You've made a bit of a mess of this ~ are you trying to wear everyone here out ~


_vti_inf.html is a file that exists under the web root. It is the signature of the FrontPage Extensions server and contains a range of important information about the FP Extensions server, such as the version of the FP extensions.
Life is squeezing onto the bus every day..
In the murky air, between stop and go, daydreaming about how beautiful the world is....


Nope,
