Hi,
There are some strange logs in our IIS log as below. There are some IPs requesting for a specific image (alex.jpg) with extra parameters. We have scanned the server with Anti Virus and also deleted alex.jpg but the log still keep capturing the same request. Is the server compromised? Or is it from other server? What can we do about it? Thanks.
Please note the IP and domain are changed for security purpose.
Sample Logs:
2012-10-22 13:49:34 188.11.111.11 GET /thetown/images/alex.jpg v75=13&tq=gKZEtzyKcCxyyZgDhmtGgTkiImHiJhh4cmXC4fANJd3Ye%2FuaiWFGNHbNbwjk%2BO7JPe6ALCIj8nzZ1l%2FmCm9kfLfPoLKHRdtSXZRh3ayUdmOAfR7vre9o%2BoYxXAjTsYedbgFrjuloUjvSEML9EGvbTmv6RXXO2F3xD6%2Bo5HKoJm%2FZNdXZ1l4EEMMz8YNCWtfX3xjfgtJbl3lcgOGKmFDr6kWiBLu22Y%2FVfLdZAoJKOdKjmlAZ%2Fs2Ze02RJ3hz9O%2F2jRTdBAy7thW3IrvNoj5VWFTI6lPATWG%2FsLuzL8u4rLwfso4uKy1nMfWO9dflg586gBVjGliJujBj8kGELgSYmJnq7n6qMAKuo6x2aD50gxwMfm%2FYU33vONtnbLIYAwYjtApzveZDo9mh83LxO9N0rxRKEQw2iUNiVZmjt%2Bq9tOLq9gTXf77wk%2B6dg%2FbNbzSyJOQM 80 - 70.94.233.162 mozilla/2.0 - mydomain.com 404 0 2 734
2012-10-22 13:50:09 188.11.111.11 GET /thelab/images/alex.jpg v2=94&tq=gJ4WK%2FSUh6THhRMw9YLJqMSTUivqg4akxZNTK%2B%2Fbxmq1SfkIYVBe 80 - 69.116.51.233 mozilla/2.0 - mydomain.com 404 0 2 1343
↧