IIS Log for Website reports 401 error on GET '/'

This guy is likely just a hacker, or probing to see our 401/404 page.

However how can he do this? I cannot reproduce it.

The Log: 2 different times but here is one
2008-02-13 20:52:57 172.16.0.30 GET / - 80 - 209.4.20.34 - 401 1 64

However if I telnet and do a get:
Connect: 172.16.0.30 (local IP address for website)
Port: 80

GET / HTTP/1.1
host: www.xxxxx.com

I'll get my Index.html page. This is what it looks like in the log

2008-02-14 16:06:02 172.16.0.30 GET /index.html - 80 - 172.16.1.16 - 200 0 0

or

GET / HTTP/1.0

I'll again get my index.html page.

I tried putting in special characters

GET /_ HTTP/1.0

then I get a 404 page.

But how is this guy able to get it to not direct '/' to 'index.html'... and he gets a 401 error?

re: IIS Log for Website reports 401 error on GET '/'

If this guy is a hacker and getting a 401 - perfect - access denied. You may not be able to replicate if you have the right permissions.

re: IIS Log for Website reports 401 error on GET '/'

This is a public website. So everybody even on the outside should have 'The Right Permissions'.

I don't understand how he would get the 401 error... just doing a 'GET' on ' / '
When the site automatically see's ' / ' as the index page. I did a search in the history of hits to the site. There was one other time, and another IP address that also received the 401 error on ' / '.

Are they sending a bad authentication request, even though authentication is not required? I wanna know how they get there... or if for some reason the IIS is not changing ' / ' to index for some reason in the case of a couple of IP addresses.

re: IIS Log for Website reports 401 error on GET '/'

My two guesses are that he is trying he is trying to query your database or the directory has a problem. The second seem less likely on a site that is already up and running. Although directory listing can be access denied when there is not a default file in that folder. The right permissions to give a site are anonymous access which denies access to other areas of the application/ server. HTH.

re: IIS Log for Website reports 401 error on GET '/'

Directory listing denied error is 403... is it not? That is not what is happening here. The default page is index... so that is what I'm complaining about, is how is it that he goes for 'GET /' and gets a 401 instead of the default page?

I got another one on Sat the 16th. From the same IP. He is sending some sort of special character or something to cause it not to see the GET / as GET index. Or even more likely as stated in the last mesg... he is sending authentication that is purposely wrong. I'm attempting to duplicate that as I speak.

As stated when I send a manual 'GET /' to the website... in the log it comes out get index. Then in the text in the TELNET window I get the text of the index.html page.

so he is formatted his GET string different and somehow bypassing IIS directive to go to the default Index page. Yet in the log it is logged as just 'GET /'