Hi All,
I've got an IIS box that appears to have an exploit script running against it every day. When I look at the IIS logs there are multiple entries similar to this one:
2013-05-29 12:14:35 W3SVC1 servername 192.168.10.31 GET /edit_image.php dn=1&userfile=/etc/passwd&userfile_name%20.... 80 - 192.168.10.31 HTTP/1.0 - - - - 404 0 2 5462 86 31
There are also ASP.NET application logs that show an unhandled exception has occurred at the same time (Event ID 1309, Event Code 3005, Request URL http://192.168.10.31/trace.axd, User host address: 192.168.10.31).
It is a 404 for all the messages, but the script appears to be coming from the IIS server (based on the IPs). How can I determine if this script is being run locally on the box or remotely?
Any help is much appreciated,
Bill
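
An added example, not part of the original post: a small Python parser for the W3C log format shown above that picks out requests whose recorded client address (c-ip) is loopback or equals the server address (s-ip), and groups them by hour, user agent, HTTP version and status so a daily recurring pattern stands out. The field order is an assumption inferred from the quoted line, and the second and third sample entries are constructed.

```python
import ipaddress
from collections import Counter

# Assumption: field order inferred from the post's log line. A real log names
# its fields in a "#Fields:" directive, which parse_log() uses when present.
ASSUMED_FIELDS = ("date time s-sitename s-computername s-ip cs-method "
    "cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version "
    "cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus "
    "sc-win32-status sc-bytes cs-bytes time-taken").split()

# First entry is the line quoted in the post; the other two are constructed.
SAMPLE_LOG = """\
2013-05-29 12:14:35 W3SVC1 servername 192.168.10.31 GET /edit_image.php dn=1&userfile=/etc/passwd&userfile_name%20.... 80 - 192.168.10.31 HTTP/1.0 - - - - 404 0 2 5462 86 31
2013-05-29 12:14:36 W3SVC1 servername 192.168.10.31 GET /trace.axd - 80 - 192.168.10.31 HTTP/1.0 - - - - 404 0 2 5462 60 15
2013-05-29 12:20:02 W3SVC1 servername 192.168.10.31 GET /default.aspx - 80 - 192.168.10.77 HTTP/1.1 Mozilla/5.0 - - servername 200 0 0 8120 310 46
"""

def parse_log(text):
    """Return one dict per request line, keyed by W3C field name."""
    fields, records = ASSUMED_FIELDS, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split(" ")  # IIS writes embedded spaces as '+'
            if len(values) == len(fields):  # skip truncated lines
                records.append(dict(zip(fields, values)))
    return records

def from_own_address(rec):
    """True if the recorded client address is loopback or the server's own IP."""
    try:
        loopback = ipaddress.ip_address(rec["c-ip"]).is_loopback
    except ValueError:
        loopback = False
    return loopback or rec["c-ip"] == rec["s-ip"]

def summarize(records):
    """Count self-addressed requests by (hour, user agent, HTTP version, status)."""
    hits = Counter()
    for rec in filter(from_own_address, records):
        hits[(rec["time"][:2], rec["cs(User-Agent)"],
              rec["cs-version"], rec["sc-status"])] += 1
    return hits

if __name__ == "__main__":
    for key, count in summarize(parse_log(SAMPLE_LOG)).items():
        print(count, *key)
```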