Denied IP getting through IIS

**rmallonday** · 03-30-2012, 05:51 AM

I have an IP address that is actively attempting SQL injection attacks on my site. I put this IP into the IIS Manager Deny list 2 days ago and this morning he got through with at lease a dozen injection attack attempts.

How is he getting through the IIS Deny?

His IP is 192.168.211.3

**mjp** · 03-30-2012, 10:26 AM

That's a local IP. Where are you getting that IP, from your logs?

**rmallonday** · 03-30-2012, 10:36 AM

I log all activity to an usage table so I get a better idea of what is going on in the site.

What do you mean by "it's a local IP"?

**jayc** · 03-30-2012, 11:17 AM

Local IP is the static / dynamic IP issued by your router/hub. Its non public facing meaning its only good within your internal network (192.168.xxx.xxx) IIS does not filter these IP's

192.168.1.0 / 1 Is an internal IP which would normally be the gateway. Connect to it, and see the DHCP client table to see who was assigned for (192.168.211.3) within your private network

**rmallonday** · 03-30-2012, 11:33 AM

Ok, this is a bit disturbing. What router/hub? As far as I know I have no router/hub. I definitely don't have a private network that I know of. To get these values I'm using Request.UserHostName and Request.UserHostAddress.

**mjp** · 03-30-2012, 11:57 AM

Well, our network could use private IPs for internal server to server connections as well. jayc is referring to typical home use of private IPs.

I'm checking with the system admins right now to see what they think.

**rmallonday** · 03-30-2012, 12:16 PM

**jayc** · 03-30-2012, 01:31 PM

I would suggest you to open a support ticket with a copy of this log attached so we can investigate further.
support.discountasp.net

**bruce** · 03-30-2012, 05:19 PM

i also think you should create a support ticket. we need further details that you might not want to post in a public forum.

03-30-2012, 05:51 AM	#1
rmallonday Join Date: Mar 2012 Posts: 4	Denied IP getting through IIS I have an IP address that is actively attempting SQL injection attacks on my site. I put this IP into the IIS Manager Deny list 2 days ago and this morning he got through with at lease a dozen injection attack attempts. How is he getting through the IIS Deny? His IP is 192.168.211.3

03-30-2012, 05:19 PM	#9
bruce DiscountASP.NET Staff Join Date: Jan 2003 Posts: 6,501	i also think you should create a support ticket. we need further details that you might not want to post in a public forum. __________________ Bruce DiscountASP.NET

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Access to the path '~/Content/Sys/newone' is denied. error message	mohdasalah	ASP.NET 4.0	3	12-09-2010 10:38 AM
DiscountASP.NET Extends IIS Manager with web.config Backup and Restore Module and Feedback Module	Eric	Windows 2008/IIS 7	6	05-29-2008 12:15 PM
IIS 7 Web Manager Features	vvsharma	Windows 2008/IIS 7	0	03-21-2008 10:19 AM
Create DB from a backup	MUVEKA	Databases	1	02-25-2007 10:02 AM
Creating new web site on DAP	wisemx	ASP.NET 2.0	2	02-25-2007 07:39 AM

03-30-2012, 10:26 AM	#2
mjp DiscountASP.NET Staff Join Date: May 2006 Posts: 2,316	That's a local IP. Where are you getting that IP, from your logs?

03-30-2012, 10:36 AM	#3
rmallonday Join Date: Mar 2012 Posts: 4	I log all activity to an usage table so I get a better idea of what is going on in the site. What do you mean by "it's a local IP"?

03-30-2012, 11:17 AM	#4
jayc Join Date: Aug 2011 Posts: 232	Local IP is the static / dynamic IP issued by your router/hub. Its non public facing meaning its only good within your internal network (192.168.xxx.xxx) IIS does not filter these IP's 192.168.1.0 / 1 Is an internal IP which would normally be the gateway. Connect to it, and see the DHCP client table to see who was assigned for (192.168.211.3) within your private network

03-30-2012, 11:33 AM	#5
rmallonday Join Date: Mar 2012 Posts: 4	Ok, this is a bit disturbing. What router/hub? As far as I know I have no router/hub. I definitely don't have a private network that I know of. To get these values I'm using Request.UserHostName and Request.UserHostAddress.

03-30-2012, 11:57 AM	#6
mjp DiscountASP.NET Staff Join Date: May 2006 Posts: 2,316	Well, our network could use private IPs for internal server to server connections as well. jayc is referring to typical home use of private IPs. I'm checking with the system admins right now to see what they think.

03-30-2012, 12:16 PM	#7
rmallonday Join Date: Mar 2012 Posts: 4	Here are the log entries. 2012-03-30 02:20:06.523 192.168.211.3 http://www.delval.biz/DailyUpdates.a...2011+and+1=1-- 2012-03-30 02:20:06.610 192.168.211.3 http://www.delval.biz/DailyUpdates.a...2011+and+1=1-- 2012-03-30 02:20:06.663 192.168.211.3 http://www.delval.biz/DailyUpdates.a...2011+and+1=1-- 2012-03-30 02:20:07.033 192.168.211.3 http://www.delval.biz/DailyUpdates.a...ion+select+0-- 2012-03-30 02:20:07.123 192.168.211.3 http://www.delval.biz/DailyUpdates.a...ion+select+0-- 2012-03-30 02:20:07.170 192.168.211.3 http://www.delval.biz/DailyUpdates.a...ion+select+0-- 2012-03-30 02:20:07.553 192.168.211.3 http://www.delval.biz/DailyUpdates.a...1+order+by+1-- 2012-03-30 02:20:07.643 192.168.211.3 http://www.delval.biz/DailyUpdates.a...1+order+by+1-- 2012-03-30 02:20:07.710 192.168.211.3 http://www.delval.biz/DailyUpdates.a...1+order+by+1-- 2012-03-30 02:20:08.063 192.168.211.3 http://www.delval.biz/DailyUpdates.a...2011+and+1=1-- 2012-03-30 02:20:08.600 192.168.211.3 http://www.delval.biz/DailyUpdates.a...ion+select+0-- 2012-03-30 02:20:09.107 192.168.211.3 http://www.delval.biz/DailyUpdates.a...1+order+by+1-- NULL NULL NULL

03-30-2012, 01:31 PM	#8
jayc Join Date: Aug 2011 Posts: 232	I would suggest you to open a support ticket with a copy of this log attached so we can investigate further. support.discountasp.net