It wouldn't be a spoofed IP - that's only useful if the attacker sends a TCP
the spoofed IP, not to the original IP address. That's not sufficient to
Secondly, it doesn't look like SQL injection. What it looks like might be
log file spam. Some people auto-publish their logfile stats as webpages.
"Jim_H" <JimH@discussions.microsoft.com> wrote in message
news:A51A0F7B-2518-43C6-9E25-7C881AA849B3@microsoft.com...
> Hopefully this is an appropriate forum for this question. I am noticing
> some very strange activity on my web site over the last 3 or 4 days. My
> site is using IIS running on Windows Server 2003 and I am using .Net
> Framework 3.5 with SQL Server 2005 on backend. I cannot tell if what I’m
> seeing is hacker activity or some robot scanning my site or both. The
> problem is this:
>
> I have a product detail page (ProductDetail.aspx) which, as you can
> probably imagine, displays information for a specific product. It takes
> ProductID as a query parameter. In my code behind, one of the first
> things I do is try to convert the ProductID query parameter to a long
> integer so I can use it as a SQL parameter value to query the database.
> If that conversion fails, I log the Exception to an error table in the
> database and stop execution.
>
> For the last few days, usually in the early morning US hours like 1:00
> AM, although there are a few during the day, I get exceptions in my error
> table that the ProductID int conversion failed. I have correlated the
> times in my error table to the IIS logs and I am seeing requests
> resembling the ones below. A normal request would be something like
> ProductID=154 or something like that but instead, I’m seeing…
>
> ProductID=http%3A%2F%2Ftargi.pc-tuning.pl%2Fimages%2Fnews%2Faqa%2Fcib%2F
> ProductID=http%3A%2F%2Fwww.unduetretoccaate.it%2Fcodice%2Ffog%2Fbiko%2F
> ProductID=http%3A%2F%2Fwww.stomol.ru%2Fcatalog%2Frivoz%2Fifewaf%2F
> ProductID=http%3A%2F%2Fwww.cusianagas.com%2Fadministrador%2Fciw%2Fasezu%2F
> ProductID=http%3A%2F%2Fwww.blankner.ocps.net%2Fmedia%2Fyeloc%2Frepaw%2F
> ProductID=http%3A%2F%2Fwww.polisgrandhotel.gr%2F_cm_admin%2Fmaillist%2Feditor%2Fplugins%2Fcore%2Fdialogs%2Fqunik%2Favacu%2F
>
> What the bleep is that??? Do the strings above match any type of attack
> profile that anybody is aware of? From what I can tell, it does not seem
> like a SQL injection or anything of that nature. What is more alarming is
> that the source IP addresses all originate from other countries such as
> South Korea and Russia so I’m pretty sure that somebody is spoofing their
> IP, which leads me to believe it is an attack of some sort. But if it is
> an attacker, they don’t appear to spend much time on my site. I only see
> four or five of these types of requests in my IIS logs each day and when
> I scan my logs for the source IP addresses, it does not appear that they
> do anything else on my site other than make a few normal requests for
> other pages like default.aspx and a couple other random things that all
> appear to be harmless. I am happy that they don’t spend much time on my
> site because that would suggest that they are not finding anything
> interesting but if that is the case then why the heck do they return
> every night?
>
> Does anybody have any thoughts on what this might be and what my next
> course of action should be? I cannot just deny access to the source IP
> because it seems to change every day to source from some other country.
> This is very strange and I’m not sure how to respond at the moment.
>
> I appreciate any help you can offer.
>
> Thanks,
>
> Jim
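
An added example, not part of the original thread: a Python sketch that scans IIS W3C log lines for `ProductID` values that are not integers and marks the ones that decode to an absolute URL, the pattern quoted above, then lists the source IPs per day. The log lines, hosts, dates and IP addresses are constructed; the column layout is read from the `#Fields:` header rather than assumed.

```python
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample in IIS W3C extended format (not the poster's real logs).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2009-03-02 01:02:11 GET /ProductDetail.aspx ProductID=154 192.0.2.10 200
2009-03-02 01:04:37 GET /ProductDetail.aspx ProductID=http%3A%2F%2Fhost.example%2Fa%2Fb%2F 203.0.113.7 500
2009-03-02 01:04:40 GET /default.aspx - 203.0.113.7 200
2009-03-03 01:10:05 GET /ProductDetail.aspx ProductID=http%3A%2F%2Fother.example%2Fc%2F 198.51.100.23 500
2009-03-03 09:15:00 GET /ProductDetail.aspx ProductID=abc 192.0.2.44 500
"""

def classify(value):
    """'ok' for an all-digit ID, 'url' for an absolute http(s) URL, else 'other'."""
    if value.isascii() and value.isdigit():
        return "ok"
    parts = urlsplit(value)
    if parts.scheme.lower() in ("http", "https") and parts.netloc:
        return "url"
    return "other"

def scan(log_text, param="ProductID"):
    """Return (date, client_ip, kind, detail) for every non-integer value of param."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        query = row.get("cs-uri-query", "-")   # IIS logs "-" for an empty query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.lower() != param.lower():  # ASP.NET query keys are case-insensitive
                continue
            kind = classify(value)             # parse_qsl already percent-decoded value
            if kind != "ok":
                detail = urlsplit(value).hostname if kind == "url" else value
                hits.append((row["date"], row["c-ip"], kind, detail))
    return hits

def summarize(hits):
    """Map each date to the sorted client IPs that sent a URL-valued parameter."""
    per_day = defaultdict(set)
    for date, ip, kind, _ in hits:
        if kind == "url":
            per_day[date].add(ip)
    return {day: sorted(ips) for day, ips in per_day.items()}
```
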