So today I peeked at my IIS log and by chance spotted some funny behavior. Plenty of 404 errors for pages with names like admin, login, database, mdb, etc... Clearly someone looking for admin access / free databases. I decided to further analyze my logs using the IIS Log Analyzer. Since IIS Log Analyzer is a command-line utility, which I am not too fond of, I also downloaded Log Parser Lizard (free / donate), which is a great GUI front end not only for IIS logs but for plenty more, like event logs, Active Directory, the file system, etc...
The log parser allows you to use SQL syntax to query the log files. Anyways... I wrote a short query to list all 404 errors, grouped by URI and IP address, to see what I could find. Since I don't get a ton of traffic it was fairly easy to separate the normal 404 requests from the bad ones. However, I would suggest filtering further until you get down to a more manageable data set. Here's my initial SQL:
SELECT c-ip, cs-uri-stem, Count(*) AS Total
FROM C:\logs\u_ex*.log
WHERE sc-status = 404
GROUP BY c-ip, cs-uri-stem
ORDER BY c-ip, Total DESC
Since I had quite a bit of data I further refined my search by removing records that I knew were not an issue:
SELECT c-ip, cs-uri-stem, Count(*) AS Total
FROM C:\logs\ddn\u_ex*.log
WHERE sc-status = 404 AND NOT cs-uri-stem LIKE '%favicon%' AND NOT cs-uri-stem LIKE '%.xml%'
GROUP BY c-ip, cs-uri-stem
HAVING COUNT(c-ip) > 1
ORDER BY c-ip, Total DESC
I ended up with a small enough result set that it was easy to scan quickly and see that there was something funny going on with these requests... such as:
/editor/admin_login.asp
/admin/eWeb/admin_login.asp
/admin/htmledit/admin_login.asp
/admin888/ewebeditor/admin_login.asp
/database/snowboy.mdb
/KS_Data/KesionCMS4.mdb
/msmir_net.mdb
/sql.rar
etc... etc... What you do with the results is completely up to you.
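The same grouping and filtering can be reproduced without Log Parser, which is handy if you want to run it on a copy of the logs elsewhere. The script below is an added example and not the post's own code: it parses the IIS W3C extended format by reading the #Fields: header, applies the post's 404 / favicon / .xml / HAVING filters, and flags URIs containing the probe markers the post mentions (admin, login, database, mdb, plus rar and sql). The log lines, IP addresses and field layout are constructed for the example; real logs may carry a different #Fields: list, which the parser handles by trusting the header rather than fixed column positions.

```python
"""Summarise IIS 404s per client IP and URI, mirroring the post's two Log Parser queries."""
from collections import Counter
from typing import Dict, Iterator, List, Sequence, Tuple

# Constructed sample log in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2011-03-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2011-03-01 00:01:02 10.0.0.5 GET /editor/admin_login.asp - 80 - 198.51.100.7 Mozilla/4.0 404 0 2 15
2011-03-01 00:01:03 10.0.0.5 GET /admin/eWeb/admin_login.asp - 80 - 198.51.100.7 Mozilla/4.0 404 0 2 12
2011-03-01 00:01:03 10.0.0.5 GET /admin/eWeb/admin_login.asp - 80 - 198.51.100.7 Mozilla/4.0 404 0 2 11
2011-03-01 00:01:04 10.0.0.5 GET /database/snowboy.mdb - 80 - 198.51.100.7 Mozilla/4.0 404 0 2 10
2011-03-01 00:02:10 10.0.0.5 GET /favicon.ico - 80 - 203.0.113.9 Mozilla/5.0 404 0 2 3
2011-03-01 00:02:11 10.0.0.5 GET /favicon.ico - 80 - 203.0.113.9 Mozilla/5.0 404 0 2 3
2011-03-01 00:02:12 10.0.0.5 GET /sitemap.xml - 80 - 203.0.113.9 Mozilla/5.0 404 0 2 4
2011-03-01 00:02:13 10.0.0.5 GET /index.asp - 80 - 203.0.113.9 Mozilla/5.0 200 0 0 20
2011-03-01 00:03:00 10.0.0.5 GET /sql.rar - 80 - 198.51.100.7 Mozilla/4.0 404 0 2 9
"""

# Substrings the post's second query excludes with LIKE '%favicon%' and LIKE '%.xml%'.
NOISE_SUBSTRINGS: Tuple[str, ...] = ("favicon", ".xml")

# Markers from the post's own observations (admin, login, database, mdb) plus sql/rar
# from the listed hits; used only to highlight rows worth a closer look.
PROBE_MARKERS: Tuple[str, ...] = ("admin", "login", "database", ".mdb", ".rar", "sql")


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record; column names come from the latest #Fields: directive."""
    fields: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date carry no records
        values = line.split(" ")  # IIS encodes spaces inside fields as '+'
        if not fields or len(values) != len(fields):
            continue  # skip malformed lines instead of mis-assigning columns
        yield dict(zip(fields, values))


def not_found_by_ip_and_uri(
    text: str,
    exclude: Sequence[str] = NOISE_SUBSTRINGS,
    min_total: int = 2,
) -> List[Tuple[str, str, int]]:
    """Equivalent of the post's queries: 404s grouped by c-ip and cs-uri-stem.

    exclude=()/min_total=1 reproduces the first query; the defaults reproduce the
    second one (noise removed, HAVING COUNT > 1). Rows are ordered by c-ip ascending,
    then Total descending, then URI so the output is deterministic.
    """
    counts: Counter = Counter()
    for rec in parse_w3c(text):
        if rec.get("sc-status") != "404":
            continue
        uri = rec.get("cs-uri-stem", "")
        if any(s in uri for s in exclude):
            continue
        counts[(rec["c-ip"], uri)] += 1
    rows = [(ip, uri, n) for (ip, uri), n in counts.items() if n >= min_total]
    rows.sort(key=lambda r: (r[0], -r[2], r[1]))
    return rows


def flag_probes(rows: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int]]:
    """Keep only rows whose URI contains one of the probe markers (case-insensitive)."""
    return [r for r in rows if any(m in r[1].lower() for m in PROBE_MARKERS)]


if __name__ == "__main__":
    for ip, uri, total in flag_probes(not_found_by_ip_and_uri(SAMPLE_LOG, min_total=1)):
        print(f"{ip:16} {total:4}  {uri}")
```

Reading the header instead of hard-coding column indexes matters because IIS lets you change the logged fields per site, and a log rotated mid-change can carry a second #Fields: line that the parser picks up as it goes.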