Sample IIS Log. Couple Questions.
KfistoRok
04-19-05, 09:19 PM
Maybe someone could answer a few questions I have about the format of the log. I'm trying to analyze a file traversal attack, but I don't know what some of the things in the log are. Here is an example.
06/03/2004 3:01 xb0xm4n.geocities.nl www.altruistic.com 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+c:\ 200 Mozilla/3.0+(compatible)
The sample is from the altruistic server log. What is the xb0xm4n.geocities.nl for, and the 200 after /c+dir+c:\?
Slackfumasta
04-19-05, 09:42 PM
Well, 'xb0xm4n.geocities.nl' is the DNS lookup of the computer that was connecting to your server. You can ping that address and it will resolve to an IP address that you can plug into a WHOIS site and find out where this person is connecting from. Looks to me like the Netherlands - the WHOIS will usually give you an email address to report network abuse, but it's hit or miss whether that accomplishes anything.
The GET is the command the client browser sent to your server, that's pretty standard. What isn't standard is the /scripts/../../winnt/system32/cmd.exe. The /.. is the command line function to go up one level in a directory structure. Try it by going to your command prompt and typing 'cd ..' - you will see that you will move up by one directory. When you see this coming from a browser, it's usually some script kiddie trying to take advantage of an exploit that they read about on a web page somewhere. This person was trying to get a directory listing of your C:\ directory for whatever reason.
I'm not sure what the 200 is. Probably some browser code that IIS uses or something.
The best thing to do when you see this sort of thing is to block the IP address from your webserver and then send the relevant parts of your logs to the abuse email address of the person's ISP. There's not much else you can do, but at least blocking the IP will prevent further attacks. If this person has a dynamic IP and keeps getting different ones from his ISP, just go ahead and block the entire range if you can't get a response from the ISP.
Slackfumasta
04-19-05, 09:49 PM
I remember what 200 is now. It's the status code returned by the webserver about the HTTP transaction. For example, if an invalid page was requested, the status code returned is a 404 error that we all know and love.
Here is what http://www.w3.org had to say about code 200:
10.2.1 200 OK
The request has succeeded. The information returned with the response is dependent on the method used in the request, for example:
GET an entity corresponding to the requested resource is sent in the response;
HEAD the entity-header fields corresponding to the requested resource are sent in the response without any message-body;
POST an entity describing or containing the result of the action;
TRACE an entity containing the request message as received by the end server.
Found at http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
Looks like the directory request succeeded, or at least as far as your web service is concerned it did.
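Pulling the two answers above together (the traversal pattern in the URI, and the status code telling you whether IIS actually served it), here is a small scanner that runs that check over log lines in the layout the original poster quoted. This is an added example, not code from anyone in the thread. It assumes the field order date, time, client host, server host, port, method, URI stem, URI query, status, user agent, and it goes a little beyond the quoted line by percent-decoding the stem (including double encoding such as %255c) before looking for ".." segments, since traversal attempts are often logged encoded. The sample log lines are constructed for the example; only the first is modelled on the thread's line.

```python
"""Flag directory-traversal / cmd.exe requests in IIS-style log lines.

Added example for this thread; not code from the original posts.
Assumed field layout (matching the sample line the poster quoted):
  date time c-host s-host s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
"""
from dataclasses import dataclass, field
from urllib.parse import unquote

# Constructed sample: the thread's line plus two made-up variants
# (a double-percent-encoded traversal that got a 404, and a benign request).
SAMPLE_LOG = """\
06/03/2004 3:01 xb0xm4n.geocities.nl www.altruistic.com 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+c:\\ 200 Mozilla/3.0+(compatible)
06/03/2004 3:02 xb0xm4n.geocities.nl www.altruistic.com 80 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir+c:\\ 404 Mozilla/3.0+(compatible)
06/03/2004 3:05 client.example.net www.altruistic.com 80 GET /index.html - 200 Mozilla/4.0+(compatible)
"""

# Executables a web client has no business requesting through the web root
# (assumed watch list for the example; extend to taste).
SUSPICIOUS_BASENAMES = {"cmd.exe", "command.com", "tftp.exe"}


@dataclass
class Finding:
    line_no: int
    client_host: str
    uri_stem: str
    decoded_stem: str
    status: int
    reasons: list = field(default_factory=list)

    @property
    def succeeded(self) -> bool:
        """2xx means IIS served the request, whatever it actually was."""
        return 200 <= self.status < 300


def decode_uri(stem: str) -> str:
    """Percent-decode until stable (catches double encoding such as %255c),
    then treat backslashes as path separators, as Windows does."""
    prev, cur = None, stem
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")


def escapes_webroot(decoded: str) -> bool:
    """True if '..' segments take the path above the web root at any point."""
    depth = 0
    for seg in decoded.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def analyze_line(line_no: int, line: str):
    """Return a Finding for a suspicious request, or None."""
    fields = line.split(maxsplit=9)
    if len(fields) < 9:
        return None  # not the assumed layout; skip rather than guess
    client_host, stem, status = fields[2], fields[6], int(fields[8])
    decoded = decode_uri(stem)
    reasons = []
    if escapes_webroot(decoded):
        reasons.append("path escapes web root via ..")
    if decoded.rsplit("/", 1)[-1].lower() in SUSPICIOUS_BASENAMES:
        reasons.append("requests a command interpreter")
    if not reasons:
        return None
    return Finding(line_no, client_host, stem, decoded, status, reasons)


def analyze_log(text: str) -> list:
    """Return one Finding per suspicious request, in log order."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip():
            f = analyze_line(n, line)
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        outcome = ("SERVED" if f.succeeded else "refused") + " (status %d)" % f.status
        print(f"line {f.line_no}: {f.client_host} -> {f.decoded_stem}: "
              f"{', '.join(f.reasons)}; {outcome}")
```

On the thread's own line this reports both reasons and "SERVED (status 200)", which is exactly the point of the second answer: the status tells you the server returned something for the request, not merely that the request arrived. A 404 on the same stem (the constructed second line) is still worth noting as an attempt, just not a successful one.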
KfistoRok
04-20-05, 12:44 AM
Ok. I suspected the 200 was a code like that, but didn't know where to look the codes up. Thank you very much for your replies.