locked
Application log events - IIS 6, Windows 2003 RRS feed

  • Question

  • User-1210273150 posted

    ScottGU in his FAQ mentions that "An attack attempt like this should also generate thousands of warnings in the application event log of your server similar to:Event code: 3005", can any expand on this further?  What are the possible events logged by the OS?

    Tuesday, September 21, 2010 8:29 AM

Answers

  • User2025044020 posted

    The "Padding is invalid and cannot be removed" exception is event id 1309 on IIS 7/7.5.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, September 24, 2010 3:43 PM

All replies

  • User-1210273150 posted

    </pin drop>


    Guess I'll check for 404 and 500 errors then.

    Wednesday, September 22, 2010 5:29 PM
  • User2025044020 posted

    As Scott's blog post mentioned, you would see ASP.NET application errors in Event Viewer indicating a CryptographicException. These errors could also occur normally, but an excessive number could indicate an attack.

    Friday, September 24, 2010 3:16 PM
  • User-1210273150 posted

    As Scott's blog post mentioned, you would see ASP.NET application errors in Event Viewer indicating a CryptographicException. These errors could also occur normally, but an excessive number could indicate an attack.

     

    I am asking for specific event ids for both Windows 2003 and 2008 servers running IIS 6 and IIS 7.  We have multiple web farms, each with multiple web sites and I am trying to leverage our log correlation software without having to search for the text "CryptographicException." 

    Friday, September 24, 2010 3:30 PM
  • User2025044020 posted

    The "Padding is invalid and cannot be removed" exception is event id 1309 on IIS 7/7.5.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, September 24, 2010 3:43 PM