Hi All,
I've got an IIS box that appears to have an exploit script running against it everyday. When I look at the IIS logs there are multiple entries similar to this one:
2013-05-29 12:14:35 W3SVC1 servername 192.168.10.31 GET /edit_image.php dn=1&userfile=/etc/passwd&userfile_name%20.... 80 - 192.168.10.31 HTTP/1.0 - - - - 404 0 2 5462 86 31
There are also ASP.NET application logs that show an unhandled exception has occurred at the same time (Event ID 1309, Event Code 3005 Request UTL trace.axd User host address: 192.168.10.31)
It is a 404 for all the messages, but the script appears to be coming from the IIS server (based on the IP's). How can I determine if this script is being ran locally on the box or remotely?
Any help is much appreciated,
Bill