IIS 5 & IIS 6
thousands of 302 errors in my IIS logs.
Last post May 27, 2008 04:18 AM by rob h
May 23, 2008 04:27 AM|rob h|LINK
Hi, can anyone help me understand my IIS logs?
I have a website with an average page view per month of 24,000. However, this month it is 700,000, some 30 times more than average.
Looking through the log files I have thousands of 302 HTTP errors all directing to an error page: “/protect/error.aspx”. On average the request happens 80 times per second.
The referers for the requests are mostly blank or else valid pages within the same web site.
The last but weirdest part of the problem is that the IP addresses for these requests are a mixture of internal and external, with the most occurring IP address being my own internal machine, and I never use the website. I thought it might be a virus or Trojan but a scan showed my machine to be all clear.
Anyone any ideas?
May 23, 2008 09:35 AM|firstname.lastname@example.org|LINK
Spoofing the referer is easy, so the requests may not be coming from where you think. This is an issue best handled in an IDS to keep traffic off your web server.
May 23, 2008 09:39 AM|tomkmvp|LINK
Is that page referenced anywhere in your ASP.NET code?
May 23, 2008 09:40 AM|rob h|LINK
I see what you're saying. Is it easy to spoof the IP address? I wouldn't have thought so, but am still at a loss to explain the logs.
Could you elaborate on IDS? I'm not sure what you mean.
Thanks for the reply as well :-)
May 23, 2008 09:42 AM|rob h|LINK
tomkmvp: this site has been developed and is managed for us, so it's difficult to see the code.
May 23, 2008 09:45 AM|tomkmvp|LINK
My suspicion is that this page is referenced as a custom error page perhaps in web.config. Can you confirm with the developer?
May 23, 2008 10:02 AM|rob h|LINK
Further investigation reveals this is a PHP site... so it'll take me a while to find this out.
If we could follow this line of thought; are you saying that this error page is referenced in code and there's some type of logic error that keeps causing this 302 re-direct?
May 23, 2008 01:27 PM|tomkmvp|LINK
Just a shot in the dark but something is causing those requests.
May 23, 2008 01:53 PM|email@example.com|LINK
IDS is an intrusion detection system. Fancy firewall with rules to address potential attacks.
What Tom might be thinking is that the redirects are really legitimate and the code is sending requests for anything that errors to the redirect. So if I issue a request for www.sample.com/foo.php, which doesn't exist, the code does a redirect to that page. When I request that 70,000 times, it shows up in your logs as such.
Not sure why the IP you say you never use would be recorded though.
May 23, 2008 05:39 PM|lamp90|LINK
with the most occurring IP address being my own internal machine
You mean like 127.0.0.1 (known as the IP Loopback address), your own machine IP address (like 192.168.25.36), or your IIS server IP address (go figure :-)))?
May 27, 2008 04:18 AM|rob h|LINK
Jeff: I see what you're saying, although wouldn't I see the legitimate requests in the referer field?
I think Tom is right in that it might be something to do with the code.
Lamp90: the IP address is 192.168.25.36 type thing.
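
The triage the replies point toward, as an added example that is not part of the original thread: a Python sketch that reads an IIS W3C extended log, keeps only the 302 responses, and tallies them by client IP, by address class (loopback, internal, external, as in lamp90's question), by requested URL, and by blank referer. The log lines are constructed sample data and the function names are hypothetical; the field names are the standard W3C extended ones.

```python
import ipaddress
from collections import Counter

# Constructed sample in IIS W3C extended format (not the poster's real logs).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem c-ip cs(Referer) sc-status
2008-05-23 04:00:01 GET /foo.php 192.168.25.36 - 302
2008-05-23 04:00:01 GET /foo.php 192.168.25.36 - 302
2008-05-23 04:00:02 GET /index.php 203.0.113.7 http://www.sample.com/ 200
2008-05-23 04:00:02 GET /bar.php 203.0.113.7 http://www.sample.com/index.php 302
2008-05-23 04:00:03 GET /foo.php 127.0.0.1 - 302
"""

# RFC 1918 private ranges, listed explicitly so "internal" means exactly these.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(ip):
    """Bucket a client address as loopback, internal (RFC 1918) or external."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "loopback"
    return "internal" if any(addr in net for net in RFC1918) else "external"

def summarize_302s(log_text):
    """Tally 302 responses by client IP, IP class, requested URL and blank referer."""
    fields, by_ip, by_class, by_stem = [], Counter(), Counter(), Counter()
    blank_referer = 0
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # the header can repeat mid-file; use the latest
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))   # IIS writes spaces inside values as '+'
        if row.get("sc-status") != "302":
            continue
        by_ip[row["c-ip"]] += 1
        by_class[classify(row["c-ip"])] += 1
        by_stem[row["cs-uri-stem"]] += 1        # the URL requested, not the redirect target
        blank_referer += row.get("cs(Referer)", "-") == "-"
    return {"by_ip": by_ip, "by_class": by_class, "by_stem": by_stem, "blank_referer": blank_referer}

if __name__ == "__main__":
    for key, value in summarize_302s(SAMPLE_LOG).items():
        print(key, value)
```

On a 302 row, `cs-uri-stem` is the URL that was requested and then redirected, so the top entries of `by_stem` show which requests are being sent to the error page and are what to take to the developer.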