"Betty Chan" <betty.chan@sickkids.ca> wrote in message
news:04c901c35548$0951d4f0$a101280a@phx.gbl...
> Hi Everybody,
> I administrator a intranet web site. I found that there
> are IE 6 (on Windows 98 or 2000) that sending out extra
> requests for default home page. These extra requests are
> transparent to the users, but seen on the IIS log. e.g.
> 14:41:31 xxx.20.135.181 - GET /queries/loginDlog.cfm
> 14:41:31 xxx.20.135.181 - GET /index.cfm
> 14:41:31 xxx.20.135.181 - GET /index.cfm
> 14:41:36 xxx.20.135.181 - POST /queries/loginDlog.cfm
> 14:41:36 xxx.20.135.181 - GET /index.cfm
> 14:41:46 xxx.20.135.181 -
> POST /queries/Pathology/PATHPatientShow.CFM
> 14:41:46 xxx.20.135.181 - GET /index.cfm
> 14:41:55 xxx.20.135.181 -
> GET /queries/Pathology/PATHPatientRslts.cfm
> 14:41:55 xxx.20.135.181 - GET /index.cfm
> 14:42:21 xxx.20.135.181 -
> GET /queries/Pathology/PATHPatientRslts.cfm
> 14:42:21 xxx.20.135.181 - GET /index.cfm
>
> In this example, the default home page is /index.cfm. But
> it can be /default.htm.
>
> Are these PCs got infected with some sort of virus?
> Anybody see this strange behavior before?
>
> Thanks
> Betty

"Betty Chan" <betty.chan@sickkids.ca> wrote in message
news:uFqByldVDHA.2004@TK2MSFTNGP10.phx.gbl...
> We are on IIS version 4 (service pack 6). In my last mail, I didn't show
> the complete IIS log for ease of understanding. Our log includes
> Time,IP,User Name,Method,URI Stem,URI Query,Http Status,Win32
> Status,Bytes Sent,Bytes Received,Tme Taken, Protocol Version,User Agent,
> Cookies, Referrer. Below is the 'complete' log without Cookies (which is
> too long to display). Anyway, those additional requests all have Status
> 200, 6200 bytes sent, 422 bytes received and no Http Referer (denoted by
> a dash "-").
>
> 14:41:31 xxx.20.135.181 - GET /queries/loginDlog.cfm - 200 0 7227 454 30
> HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) -
> 14:41:31 xxx.20.135.181 - GET /index.cfm - 200 0 6200 422 20 HTTP/1.1
> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) -
> 14:41:31 xxx.20.135.181 - GET /index.cfm - 200 0 6200 422 20 HTTP/1.1
> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) -
> 14:41:36 xxx.20.135.181 - POST /queries/loginDlog.cfm - 200 0 5990 815
> 420 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98)
> http://dwweb/queries/loginDlog.cfm
> 14:41:36 xxx.20.135.181 - GET /index.cfm - 200 0 6200 422 70 HTTP/1.1
> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) -
>
> 14:41:46 xxx.20.135.181 - POST /queries/Pathology/PATHPatientShow.CFM -
> 200 0 15724 848 3344 HTTP/1.1
> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98)
> http://dwweb/queries/Pathology/index.cfm?qry=PATHPatientSrch
> 14:41:46 xxx.20.135.181 - GET /index.cfm - 200 0 6200 422 20 HTTP/1.1
> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) -
>
>
> 14:41:55 xxx.20.135.181 - GET /queries/Pathology/PATHPatientRslts.cfm
> specid=hsc980031&specnum=S02-2553 200 0 17062 727 2143 HTTP/1.1
> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98)
> http://dwweb/queries/Pathology/PATHPatientShow.CFM
> 14:41:55 xxx.20.135.181 - GET /index.cfm - 200 0 6200 422 30 HTTP/1.1
> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) -
>
> 14:42:21 xxx.20.135.181 - GET /queries/Pathology/PATHPatientRslts.cfm
> specid=hsc641131&specnum=F02-1993 200 0 14472 727 1202 HTTP/1.1
> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98)
> http://dwweb/queries/Pathology/PATHPatientShow.CFM
> 14:42:21 xxx.20.135.181 - GET /index.cfm - 200 0 6200 422 20 HTTP/1.1
> Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) -
>
>
>
> *** Sent via Developersdex http://www.developersdex.com ***
> Don't just participate in USENET...get rewarded for it!