patja
0 Points
1 Post
Signs of being compromised?
Sep 19, 2010 09:23 PM
If a site was compromised and the web.config was compromised, are there any telltale signs?
Assuming the black hat wasn't smart enough to remove all traces of their activity, would it show up in the IIS logs?
mbanavige
All-Star
134944 Points
15413 Posts
ASPInsiders
Moderator
MVP
Re: Signs of being compromised?
Sep 19, 2010 09:33 PM
All requests would show up in the iis logs.
Depending on the volume of requests that your site normally receives, your first clue might be an unusually large log file.
POET makes a significant number of requests to your app as part of the exploit.
davidpenton
Member
595 Points
100 Posts
ASPInsiders
Re: Signs of being compromised?
Sep 20, 2010 12:01 AM
Assuming the logs were not compromised as well (depending on your Application Pool settings, the identity your web site runs as may not have direct access to those logs), you can check your logs to see whether you have had an abnormally large number of requests hit your site from a unique IP address in blocks. If you see large numbers of requests for the same URL with different querystring values, then you may have been compromised.
It would show up in the logs, assuming the application identity doesn't have access to the file locations where your log files are stored.
"Mathematics is Music for the mind, and Music is Mathematics for the Soul. - J.S. Bach"
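As an added illustration of the log pattern the two replies above describe (an unusually large log, one client IP sending blocks of requests, the same URL hit over and over with a different querystring each time), the script below parses IIS W3C extended log lines and flags that pattern. It is not code from this thread or from any of the posters. The log lines are constructed inside the script, the /Handler.axd path and its d parameter are hypothetical, and the thresholds (100 requests to one URL within 60 seconds, at least 90% of them with a distinct query string) are assumptions to tune for a given site's normal traffic.

```python
"""Flag one-client, one-URL, many-querystrings bursts in IIS W3C logs.

Added example, not from the forum thread. Sample log is constructed here;
/Handler.axd, the 'd' parameter and all thresholds are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

W3C_HEADER = (
    "#Software: Microsoft Internet Information Services 7.5\n"
    "#Version: 1.0\n"
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
    "cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken"
)


def make_sample_log():
    """Build a constructed log: a little normal traffic plus one client that
    hammers a single URL with a fresh query string on every request."""
    base = datetime(2010, 9, 19, 21, 0, 0)
    lines = [W3C_HEADER]
    # Normal browsing: 20 page views from one visitor spread over 20 minutes.
    for i in range(20):
        ts = base + timedelta(minutes=i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} 10.0.0.5 GET /Default.aspx - 80 - "
                     f"192.0.2.10 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 15")
    # Suspicious burst: 250 requests in 50 seconds, same (hypothetical) handler
    # path, a different 'd' value each time, mostly answered with HTTP 500.
    for i in range(250):
        ts = base + timedelta(seconds=i // 5)
        status = "200" if i % 25 == 0 else "500"
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} 10.0.0.5 GET /Handler.axd d={i:08x} 80 - "
                     f"198.51.100.7 Python-urllib/2.6 {status} 0 0 3")
    return "\n".join(lines) + "\n"


def parse_w3c(text):
    """Turn W3C extended log text into a list of {field: value} dicts.
    IIS writes one space between fields and encodes spaces in values as '+',
    so a plain split() aligns with the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # cannot align this line to a header; skip it
        rows.append(dict(zip(fields, parts)))
    return rows


def requests_per_client(rows):
    """Request count per client IP: the 'large number of requests from one
    IP' clue from the thread."""
    return Counter(r["c-ip"] for r in rows)


def find_suspicious_clients(rows, window_seconds=60, min_requests=100,
                            min_distinct_ratio=0.9):
    """Return {(c-ip, cs-uri-stem): report} for every client that hit one URL
    at least min_requests times inside a window_seconds sliding window with
    at least min_distinct_ratio of those requests carrying a distinct query."""
    per_target = defaultdict(list)
    for r in rows:
        ts = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        per_target[(r["c-ip"], r["cs-uri-stem"])].append((ts, r["cs-uri-query"], r["sc-status"]))

    span = timedelta(seconds=window_seconds)
    findings = {}
    for key, hits in per_target.items():
        hits.sort(key=lambda h: h[0])
        best, start = None, 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > span:
                start += 1  # slide the window forward
            window = hits[start:end + 1]
            count = len(window)
            if count < min_requests:
                continue
            distinct = len({q for _, q, _ in window})
            if distinct / count < min_distinct_ratio:
                continue
            if best is None or count > best["requests"]:
                best = {
                    "requests": count,
                    "distinct_queries": distinct,
                    "first_seen": window[0][0].isoformat(sep=" "),
                    "last_seen": window[-1][0].isoformat(sep=" "),
                    "status_counts": dict(Counter(s for _, _, s in window)),
                }
        if best:
            findings[key] = best
    return findings


if __name__ == "__main__":
    rows = parse_w3c(make_sample_log())
    print(requests_per_client(rows).most_common(3))
    for (ip, stem), report in find_suspicious_clients(rows).items():
        print(ip, stem, report)
```

Against a real log directory you would feed each file's text to parse_w3c and look at the per-target reports together with the per-IP totals; the status_counts in each report is worth reading too, since a client whose requests are almost all answered with errors is behaving differently from a browser.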
selarom
Member
512 Points
164 Posts
Re: Signs of being compromised?
Sep 20, 2010 09:52 PM
If we have health monitoring enabled, would we see a sudden flux of thousands of padding error emails?