RE: Clearing IIS logs

From: Travis Kiger (Travis.Kigerat_private)
Date: Tue Oct 02 2001 - 12:10:23 PDT


    Hmm, I tried it with an IIS4 machine using the IIS log format. After
    deleting the current log and renaming an old log, new requests were appended
    to the old log, although this format does include the date in each entry.
    
    XXX.XXX.XXX.XXX, -, 6/13/01, 16:10:53, W3SVC1, SERVER, YYY.YYY.YYY.YYY, 0,
    258, 623, 404, 2, GET, /images/homepage/icon.gif, -,
    XXX.XXX.XXX.XXX, -, 6/13/01, 16:10:53, W3SVC1, SERVER, YYY.YYY.YYY.YYY, 0,
    260, 623, 404, 2, GET, /images/homepage/icon.gif, -,
    XXX.XXX.XXX.XXX, -, 6/13/01, 16:10:53, W3SVC1, SERVER, YYY.YYY.YYY.YYY, 0,
    256, 623, 404, 2, GET, /images/homepage/base.gif, -,
    XXX.XXX.XXX.XXX, -, 6/13/01, 16:10:53, W3SVC1, SERVER, YYY.YYY.YYY.YYY, 125,
    256, 390, 200, 0, GET, /images/html_corner.gif, -,
    XXX.XXX.XXX.XXX, -, 10/2/01, 12:06:23, W3SVC1, SERVER, YYY.YYY.YYY.YYY, 15,
    564, 206, 304, 0, GET, /index.html, -,
    XXX.XXX.XXX.XXX, -, 10/2/01, 12:06:23, W3SVC1, SERVER, YYY.YYY.YYY.YYY, 0,
    627, 141, 304, 0, GET, /global.js, -,
    XXX.XXX.XXX.XXX, -, 10/2/01, 12:06:23, W3SVC1, SERVER, YYY.YYY.YYY.YYY, 0,
    622, 141, 304, 0, GET, /home.css, -,
    
    
    
    -----Original Message-----
    From: Shoten [mailto:shotenat_private]
    Sent: Tuesday, October 02, 2001 11:41 AM
    To: Travis Kiger; Jason binger; pen-testat_private
    Subject: Re: Clearing IIS logs
    
    
    The problem with this method is that IIS will not continue the existing log
    file, but rather create a new one.
    
    
    > IIS keeps the log file open, so I don't know of a way to do it without
    > stopping IIS. The easiest way to accomplish this is to create an AT job
    > that stops IIS, deletes the logs and then restarts IIS. The account that
    > the AT service runs as probably has permissions to do this. To cause even
    > more confusion for the admin, copy an old log and give it the same name as
    > today's log. Some log types don't show the date in the individual entries,
    > but the admin may not notice either way.
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
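
Added example, not part of the original message: the log quoted above shows what a reused old log looks like from the defender's side in the IIS log format, a jump from 6/13/01 to 10/2/01 inside one file. The Python sketch below flags such jumps. The sample entries are constructed (one entry per line, documentation addresses), and the function names and the one-day threshold, which assumes daily log rotation, are assumptions of this example.

```python
from datetime import datetime, timedelta

# Constructed sample in the IIS log file format quoted above, one entry per line.
# Addresses are documentation ranges; nothing here comes from a real server.
SAMPLE_LOG = """\
192.0.2.10, -, 6/13/01, 16:10:53, W3SVC1, SERVER, 198.51.100.5, 0, 258, 623, 404, 2, GET, /images/homepage/icon.gif, -,
192.0.2.10, -, 6/13/01, 16:10:53, W3SVC1, SERVER, 198.51.100.5, 125, 256, 390, 200, 0, GET, /images/html_corner.gif, -,
192.0.2.77, -, 10/2/01, 12:06:23, W3SVC1, SERVER, 198.51.100.5, 15, 564, 206, 304, 0, GET, /index.html, -,
192.0.2.77, -, 10/2/01, 12:06:23, W3SVC1, SERVER, 198.51.100.5, 0, 627, 141, 304, 0, GET, /global.js, -,
"""


def parse_entries(text):
    """Yield (line_number, timestamp) for each well-formed entry; skip the rest."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 15:          # truncated or wrapped line, not a full entry
            continue
        try:
            # Field 3 is the date (m/d/yy), field 4 the time (hh:mm:ss).
            ts = datetime.strptime(f"{fields[2]} {fields[3]}", "%m/%d/%y %H:%M:%S")
        except ValueError:
            continue
        yield lineno, ts


def find_discontinuities(text, max_gap=timedelta(days=1)):
    """Return (line, kind, previous_ts, ts) wherever consecutive entries in one
    file step backwards in time or are further apart than max_gap."""
    findings = []
    prev_ts = None
    for lineno, ts in parse_entries(text):
        if prev_ts is not None:
            if ts < prev_ts:
                findings.append((lineno, "backwards", prev_ts, ts))
            elif ts - prev_ts > max_gap:
                findings.append((lineno, "gap", prev_ts, ts))
        prev_ts = ts
    return findings


if __name__ == "__main__":
    for lineno, kind, before, after in find_discontinuities(SAMPLE_LOG):
        print(f"line {lineno}: {kind} from {before} to {after}")
```

The check only works for formats that carry a date in every entry, which is the limitation the quoted reply points out for other log types.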
    