We have a test server that hosts an iis 7.5/.net 4.0 c# webservice. Port 443 open to the internet as it is accepts just https requests. Someone was trying to hack in and I can see it in the IIS logs a lot of different attempts using https Get requests, 99.9% of them failed. There was one that did succeed (it had a status of 200 for the response) but they didn't get anything because there is nothing in that directory. But I was trying to figure out exactly the format of the request they sent so I could replicate it and learn. And also put it in an IIS filter to stop it in the future. The request that is in my logs that they had sent is:
GET /aspnet_client - 443 - 46.4.94.227 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+Trident/5.0) 200 0 0 145
But when I try to duplicate this request from ie 9, I send what looks like to me would be the same request except I get a response of 403 is:
and what comes out in the IIS log from the request above is below. It is nearly identical but mine gets a 403 status and theirs is a 200 status. So what did they do or send different so that they got a 200 status?
GET /aspnet_client/ - 443 - XX.XX.XX.XX Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+Win64;+x64;+Trident/5.0) 403 14 0 23
Also, they do send a request with the service name, which I am not sure how they got that?