IIS log file reset lines

Carlos

May 28, 2004, 12:36:04 PM
Why do the commented lines (shown below) that should normally (I assume) only show at the top of the log file show sometimes throughout the log files?

#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-05-27 08:12:04
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-05-01 01:20:39
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2004-05-01 01:20:39 W3SVC1 SERVERNAME 000.000.000.000 GET /index.php - 80 - 63.185.112.93 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) - - 000.000.000.000 200 0 64 217 188 843
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-05-01 02:36:57
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2004-05-01 02:36:57 W3SVC1 SERVERNAME 000.000.000.000 GET /index.php - 80 - 200.31.155.150 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) - - 000.000.000.000 200 0 64 217 188 265
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-05-01 03:36:05
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2004-05-01 03:36:05 W3SVC1 SERVERNAME 000.000.000.000 GET /index.php - 80 - 65.43.219.143 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) - - 000.000.000.000 200 0 64 217 188 156
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-05-01 05:38:40
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2004-05-01 05:38:40 W3SVC1 SERVERNAME 000.000.000.000 GET /index.php - 80 - 81.86.88.9 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98) - - 000.000.000.000 200 0 64 217 188 250

I'm curious to know if they show up when the service is reset or something like that, because of the pattern that there is only one request from different IPs between the commented lines. Is this a sign that the server is being attacked/scanned?

Frank Boyne

May 28, 2004, 2:13:39 PM
"Carlos" <car...@socialgeeks.com> wrote in message
news:2C541840-5465-43DA...@microsoft.com...
> why do the commented lines [snip]

This newsgroup pretty much deals with deployment of Microsoft
Message Queue Server (MSMQ). Asking your question in an IIS related
newsgroup like microsoft.public.inetserver.iis or
microsoft.public.inetserver.misc is more likely to get your question
seen by someone who knows the answer.

For what it is worth, I believe IIS does write the header each time
IIS is initialised so stopping and starting IIS (deliberately or
through an attack) would cause those headers to be written.
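
Added example, not written by either poster: taking the reply's point that a header block is written each time IIS is initialised, this Python splits a W3C extended log at every header block and reports, per block, the start time, request count, client IPs and the gap since the previous block. The sample log is constructed (shortened field list, documentation-range IPs), and the function names are this example's own.

```python
from datetime import datetime

# Constructed sample modelled on the excerpt in the question (fields shortened).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-05-01 01:20:39
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2004-05-01 01:20:39 GET /index.php 192.0.2.10 200
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-05-01 02:36:57
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2004-05-01 02:36:57 GET /index.php 192.0.2.20 200
2004-05-01 02:40:00 GET /index.php 192.0.2.20 200
"""


def split_segments(text):
    """Return one dict per header block: its #Date and the records that follow it."""
    segments, fields, in_header = [], [], False
    for line in text.splitlines():
        if line.startswith("#"):
            name, _, value = line[1:].partition(":")
            if not in_header:  # first directive after records opens a new segment
                segments.append({"started": None, "records": []})
                in_header = True
            if name == "Date":
                segments[-1]["started"] = datetime.strptime(value.strip(), "%Y-%m-%d %H:%M:%S")
            elif name == "Fields":
                fields = value.split()  # column layout for the records that follow
        elif line.strip():
            in_header = False
            if not segments:  # records before any header: keep them, layout unknown
                segments.append({"started": None, "records": []})
            segments[-1]["records"].append(dict(zip(fields, line.split())))
    return segments


def summarize(segments):
    """Per block: (start time, request count, client IPs, seconds since previous block)."""
    out, prev = [], None
    for seg in segments:
        gap = (seg["started"] - prev).total_seconds() if prev and seg["started"] else None
        ips = sorted({r.get("c-ip", "?") for r in seg["records"]})
        out.append((seg["started"], len(seg["records"]), ips, gap))
        prev = seg["started"] or prev
    return out
```

Because the `#Fields` line is re-read at every block, records are still parsed correctly if the logged field list was changed between two initialisations.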

