I've been getting IIS worker process errors lately. I can't really track them down to a certain page or a specific recurring time of the day, and it's driving me crazy. As a last resort, I re-enabled logging on the main Warren County site. It turns out that I still have quite a bit to learn about being a server administrator: I should have been doing this for months.
As I gazed into the depths of the logs, a startling set of records caught my attention. While I wasn't able to find any reason for the errors in the IIS worker process, I was able to find several attempts to hack our server. A particular IP address showed up several times, trying to access applications we didn't have. Not only that, but they were trying to send some very suspicious requests to our server for those applications, requests that probably have been covered in security bulletins and the like. And that was just the beginning.
Through the logs, I found that a lot of other people are trying to get our "favicon.ico" file for some reason ("favicon.ico" is that customizable icon that appears next to the title of a page). We don't have one, so they're pretty much out of luck, but I may just add one now that I know something's requesting it. I found an IP address for the Albany NY Public Safety Internal Site. I found exactly why it's good to have WebDAV disabled. I found that on March 11, I did something that screwed up our web template and two people tried to use a stylesheet named "null". If you're reading this and you're one of the two people... well, shucks. Sorry about that.
I've often wondered why so many administrators preach about the importance of reviewing logs, why so many intelligent people would scan through the thousands and thousands of lines of meaningless access requests, and now I've successfully cornered several dead incoming links that have been evading me for months and possibly been alerted to malicious attempts to deface our site. Well, christen me converted.
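The log review described in this post, as an added example that is not part of the original post: it parses IIS W3C extended log lines and reports missing resources, client IPs that request several nonexistent paths, dead incoming links, and WebDAV-method requests. The sample log, its IP addresses and paths, and the `probe_threshold` value are constructed for illustration.

```python
from collections import Counter, defaultdict

WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

# Constructed sample in IIS W3C extended format (documentation-range IPs, made-up paths).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(Referer)
2001-03-11 09:14:02 198.51.100.7 GET /index.asp 200 -
2001-03-11 09:14:03 198.51.100.7 GET /favicon.ico 404 -
2001-03-11 09:20:41 198.51.100.8 GET /favicon.ico 404 -
2001-03-11 10:02:10 203.0.113.50 GET /not-installed-a/setup.php 404 -
2001-03-11 10:02:11 203.0.113.50 GET /not-installed-b/admin.cgi 404 -
2001-03-11 10:02:12 203.0.113.50 GET /not-installed-c/login.pl 404 -
2001-03-11 10:02:13 203.0.113.50 PROPFIND / 501 -
2001-03-11 11:30:00 198.51.100.9 GET /styles/null 404 http://www.example.org/index.asp
2001-03-11 12:45:19 198.51.100.10 GET /old-page.htm 404 http://partner.example.net/links.htm
""".splitlines()

def parse_w3c(lines):
    """Yield one dict per request, named by the most recent #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def review(lines, probe_threshold=3):
    """Summarise 404s and WebDAV requests; probe_threshold is an assumed cut-off."""
    missing = Counter()          # 404 count per URI (e.g. favicon.ico)
    probes = defaultdict(set)    # client IP -> distinct URIs that returned 404
    dead_links = set()           # (referring page, URI) for 404s reached via a link
    webdav = Counter()           # client IP -> requests using a WebDAV method
    for r in parse_w3c(lines):
        ip, uri = r["c-ip"], r["cs-uri-stem"].lower()
        if r["cs-method"].upper() in WEBDAV_METHODS:
            webdav[ip] += 1
        if r["sc-status"] == "404":
            missing[uri] += 1
            probes[ip].add(uri)
            if r.get("cs(Referer)", "-") != "-":
                dead_links.add((r["cs(Referer)"], uri))
    probers = {ip: sorted(u) for ip, u in probes.items() if len(u) >= probe_threshold}
    return {"missing": missing, "probers": probers, "dead_links": dead_links, "webdav": webdav}
```

Calling `review(open(path))` on a real log file works the same way, provided the logged fields include the five the function reads.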