Published: 2011-07-27 18:22:15  Author: 知识屋
Source: a network security technology blog.
Suppose a company's website has been broken into and the home page replaced with text calling the company a scam, and now someone wants to look at the logs. How do you go about it?
IIS logs are used as the example below.
First merge the whole pile of daily log files into a single file,
then open it in EditPlus (Notepad is not up to the job).
You will see something like this:
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-11 12:11:40
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes
2010-01-11 12:11:40 W3SVC437 218.85.132.49 GET /index.htm – 80 – 218.85.138.206 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;MyIE2;+.NET+CLR+2.0.50727;+.NET+CLR+1.1.4322) 200 0 64 0 226
2010-01-11 12:11:40 W3SVC437 218.85.132.49 GET /index.htm – 80 – 218.85.138.206 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;MyIE2;+.NET+CLR+2.0.50727;+.NET+CLR+1.1.4322) 200 0 0 3342 226
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-12 07:25:11
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes
2010-01-12 07:25:10 W3SVC437 218.85.132.49 GET /index.htm – 80 – 98.126.112.74 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0;+GTB6;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 200 0 0 3357 633
2010-01-12 07:25:10 W3SVC437 218.85.132.49 GET /images/top.gif – 80 – 98.126.112.74 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0;+GTB6;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 200 0 0 2452 447
2010-01-12 07:25:12 W3SVC437 218.85.132.49 GET /images/arrow.gif – 80 – 98.126.112.74 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0;+GTB6;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 200 0 0 429 449
2010-01-12 07:25:12 W3SVC437 218.85.132.49 GET /images/left.gif – 80 – 98.126.112.74 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0;+GTB6;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 200 0 0 19177 448
2010-01-12 07:25:13 W3SVC437 218.85.132.49 GET /favicon.ico – 80 – 98.126.112.74 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0;+GTB6;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 404 0 2 1492 387
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-12 07:44:11
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes
2010-01-12 07:44:11 W3SVC437 218.85.132.49 GET /index.htm – 80 – 174.139.75.26 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+QQPinyin+689;+InfoPath.2) 200 0 0 3357 507
2010-01-12 07:44:12 W3SVC437 218.85.132.49 GET /images/top.gif – 80 – 174.139.75.26 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+QQPinyin+689;+InfoPath.2) 200 0 0 2452 392
2010-01-12 07:44:12 W3SVC437 218.85.132.49 GET /images/left.gif – 80 – 174.139.75.26 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+QQPinyin+689;+InfoPath.2) 200 0 0 19177 393
2010-01-12 07:44:12 W3SVC437 218.85.132.49 GET /images/arrow.gif – 80 – 174.139.75.26 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+QQPinyin+689;+InfoPath.2) 200 0 0 429 394
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-12 18:23:31
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes
2010-01-12 18:23:30 W3SVC437 218.85.132.49 GET /index.htm – 80 – 98.126.112.74 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 200 0 0 3357 294
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-13 02:16:01
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes
2010-01-13 02:16:00 W3SVC437 218.85.132.49 GET /robots.txt – 80 – 98.126.112.74 Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp) 404 0 2 1492 334
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-13 08:08:53
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes
2010-01-13 08:08:53 W3SVC437 218.85.132.49 GET /index.htm – 80 – 117.92.13.20 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0;+GTB6;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 200 0 0 2376 524
2010-01-13 08:08:53 W3SVC437 218.85.132.49 GET /style.css – 80 – 117.92.13.20 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0;+GTB6;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 200 0 0 1833 344
2010-01-13 08:08:56 W3SVC437 218.85.132.49 GET /flash.js – 80 – 117.92.13.20 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0;+GTB6;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 200 0 0 1014 343
2010-01-13 08:08:56 W3SVC437 218.85.132.49 GET /img/bg.jpg – 80 – 117.92.13.20 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0;+GTB6;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 200 0 0 1030 345
... and so on.
Now let's work through the log.
2010-01-13 08:08:56 W3SVC437 218.85.132.49 GET /img/bg.jpg – 80 – 117.92.13.20 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0;+GTB6;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 200 0 0 1030 345
Take this entry. Its format reads as follows:
at 2010-01-13 08:08:56, a file, /img/bg.jpg, was fetched from the server 218.85.132.49; the requester was 117.92.13.20, and what follows is the requester's browser information.
So how do we find out who broke in?
Press Ctrl+F and search for -'- (drop the surrounding dashes and search for just the single quote ', the usual marker of an SQL injection probe).
Timing matters. It is April now and the intrusion happened in March, so logs from before March 1 can be skipped.
You will then see something like the following (the log entries below are real):
2010-03-25 10:53:47 W3SVC437 218.85.132.49 GET /products.asp typeID=107′%20and%20char(124)%2Buser%2Bchar(124)=0%20and%20”=’|125|80040e14| [Microsoft][ODBC_Microsoft_Access_Driver]_语法错误_(操作符丢失)_在查询表达式_’typeID=107′_and_char(124)+user+char(124)=0_and_”=”_中。80 – 117.84.25.205 Internet+Explorer+6.0 500 0 0 2074 243
2010-03-25 10:53:48 W3SVC437 218.85.132.49 GET /products.asp typeID=107%20and%20char(124)%2Buser%2Bchar(124)=0|125|80040e14| [Microsoft][ODBC_Microsoft_Access_Driver]_表达式中_’char’_函数未定义。80 –117.84.25.205 Internet+Explorer+6.0 500 0 0 2074 229
2010-03-25 10:53:48 W3SVC437 218.85.132.49 GET /products.asp typeID=129′%20and%20char(124)%2Buser%2Bchar(124)=0%20and%20”=’|125|80040e14| [Microsoft][ODBC_Microsoft_Access_Driver]_语法错误_(操作符丢失)_在查询表达式_’typeID=129′_and_char(124)+user+char(124)=0_and_”=”_中。80 – 117.84.25.205 Internet+Explorer+6.0 500 0 0 2074 243
2010-03-25 10:53:48 W3SVC437 218.85.132.49 GET /products.asp typeID=129′%20and%20char(124)%2Buser%2Bchar(124)=0%20and%20′%25′=’|125|80040e14|[Microsoft][ODBC_Microsoft_Access_Driver]_语法错误_(操作符丢失)_在查询表达式_’typeID=129′_and_char(124)+user+char(124)=0_and_’%’=”_中。80 –117.84.25.205 Internet+Explorer+6.0 500 0 0 2074 246
2010-03-25 10:53:48 W3SVC437 218.85.132.49 GET /products.asp typeID=129%20and%20char(124)%2Buser%2Bchar(124)=0|125|80040e14| [Microsoft][ODBC_Microsoft_Access_Driver]_表达式中_’char’_函数未定义。80 –117.84.25.205 Internet+Explorer+6.0 500 0 0 2074 229
2010-03-25 10:53:48 W3SVC437 218.85.132.49 GET /products.asp typeID=107′%20and%20char(124)%2Buser%2Bchar(124)=0%20and%20′%25′=’|125|80040e14|[Microsoft][ODBC_Microsoft_Access_Driver]_语法错误_(操作符丢失)_在查询表达式_’typeID=107′_and_char(124)+user+char(124)=0_and_’%’=”_中。80 –117.84.25.205 Internet+Explorer+6.0 500 0 0 2074 246
2010-03-25 10:53:48 W3SVC437 218.85.132.49 GET /products.asp typeID=107%20%61%6E%64%20%31%3D%31|132|800a000d|类型不匹配:_’selec’80 –117.84.25.205 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 500 0 64 0 243
2010-03-25 10:53:48 W3SVC437 218.85.132.49 GET /products.asp typeID=129%20%61%6E%64%20%31%3D%31 80 – 117.84.25.205 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 200 0 64 0 243
2010-03-25 10:53:48 W3SVC437 218.85.132.49 GET /products.asp typeID=107%20%61%6E%64%20%31%3D%32 80 – 117.84.25.205 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 200 0 64 0 243
2010-03-25 10:53:48 W3SVC437 218.85.132.49 GET /products.asp typeID=129%20%61%6E%64%20%31%3D%32 80 – 117.84.25.205 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 200 0 64 0 243
2010-03-25 10:53:48 W3SVC437 218.85.132.49 GET /products.asp typeID=107′%20and%201=1%20and%20”=’|125|80040e14|[Microsoft] [ODBC_Microsoft_Access_Driver]_语法错误_(操作符丢失)_在查询表达式_’typeID=107′_and_1=1_and_”=”_中。80 –117.84.25.205 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 500 0 64 0 245
2010-03-25 10:53:48 W3SVC437 218.85.132.49 GET /products.asp typeID=129′%20and%201=1%20and%20”=’|125|80040e14|[Microsoft] [ODBC_Microsoft_Access_Driver]_语法错误_(操作符丢失)_在查询表达式_’typeID=129′ _and_1=1_and_”=”_中。80 –117.84.25.205 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 500 0 64 0 245
2010-03-25 10:53:53 W3SVC437 218.85.132.49 GET /products.asp typeID=230 80 – 117.84.25.205 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30) 200 0 0 2311 683
2010-03-25 10:53:53 W3SVC437 218.85.132.49 GET /products.asp typeID=230′%20and%20char(124)%2Buser%2Bchar(124)=0%20and%20”=’|125|80040e14| [Microsoft][ODBC_Microsoft_Access_Driver]_语法错误_(操作符丢失)_在查询表达式_’typeID=230′_and_char(124)+user+char(124)=0_and_”=”_中。80 – 117.84.25.205 Internet+Explorer+6.0 500 0 0 2074 243
2010-03-25 10:53:54 W3SVC437 218.85.132.49 GET /products.asp typeID=230%20and%20char(124)%2Buser%2Bchar(124)=0|125|80040e14| [Microsoft][ODBC_Microsoft_Access_Driver]_表达式中_’char’_函数未定义。80 –117.84.25.205 Internet+Explorer+6.0 500 0 0 2074 229
2010-03-25 10:53:54 W3SVC437 218.85.132.49 GET /products.asp typeID=230%20%61%6E%64%20%31%3D%31 80 – 117.84.25.205 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 200 0 64 0 243
2010-03-25 10:53:54 W3SVC437 218.85.132.49 GET /products.asp typeID=230′%20and%20char(124)%2Buser%2Bchar(124)=0%20and%20′%25′=’|125|80040e14|[Microsoft][ODBC_Microsoft_Access_Driver]_语法错误_(操作符丢失)_在查询表达式_’typeID=230′_and_char(124)+user+char(124)=0_and_’%’=”_中。80 –117.84.25.205 Internet+Explorer+6.0 500 0 0 2074 246
2010-03-25 10:53:54 W3SVC437 218.85.132.49 GET /products.asp typeID=230%20%61%6E%64%20%31%3D%32 80 – 117.84.25.205 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 200 0 64 0 243
2010-03-25 10:53:54 W3SVC437 218.85.132.49 GET /products.asp typeID=230′%20and%201=1%20and%20”=’|125|80040e14|[Microsoft] [ODBC_Microsoft_Access_Driver]_语法错误_(操作符丢失)_在查询表达式_’typeID=230′_and_1=1_and_”=”_中。80 –117.84.25.205 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 500 0 64 0 245
2010-03-25 10:53:55 W3SVC437 218.85.132.49 GET /products.asp typeID=228 80 – 117.84.25.205 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30) 200 0 0 2312 683
2010-03-25 10:53:56 W3SVC437 218.85.132.49 GET /products.asp typeID=228′%20and%20char(124)%2Buser%2Bchar(124)=0%20and%20”=’|125|80040e14| [Microsoft][ODBC_Microsoft_Access_Driver]_语法错误_(操作符丢失)_在查询表达式_’typeID=228′_and_char(124)+user+char(124)=0_and_”=”_中。80 – 117.84.25.205 Internet+Explorer+6.0 500 0 0 2074 243
2010-03-25 10:53:56 W3SVC437 218.85.132.49 GET /products.asp typeID=228%20and%20char(124)%2Buser%2Bchar(124)=0|125|80040e14| [Microsoft][ODBC_Microsoft_Access_Driver]_表达式中_’char’_函数未定义。80 –117.84.25.205 Internet+Explorer+6.0 500 0 0 2074 229
2010-03-25 10:53:56 W3SVC437 218.85.132.49 GET /products.asp typeID=228′%20and%20char(124)%2Buser%2Bchar(124)=0%20and%20′%25′=’|125|80040e14|[Microsoft][ODBC_Microsoft_Access_Driver]_语法错误_(操作符丢失)_在查询表达式_’typeID=228′_and_char(124)+user+char(124)=0_and_’%’=”_中。80 –117.84.25.205 Internet+Explorer+6.0 500 0 0 2074 246
2010-03-25 10:53:56 W3SVC437 218.85.132.49 GET /products.asp typeID=228%20%61%6E%64%20%31%3D%31 80 – 117.84.25.205 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 200 0 64 0 243
2010-03-25 10:53:56 W3SVC437 218.85.132.49 GET /products.asp typeID=228%20%61%6E%64%20%31%3D%32 80 – 117.84.25.205 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 200 0 64 0 243
2010-03-25 10:53:57 W3SVC437 218.85.132.49 GET /products.asp typeID=228′%20and%201=1%20and%20”=’|125|80040e14|[Microsoft] [ODBC_Microsoft_Access_Driver]_语法错误_(操作符丢失)_在查询表达式_’typeID=228′_and_1=1_and_”=”_中。80 –117.84.25.205 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 500 0 64 0 245
2010-03-25 10:53:57 W3SVC437 218.85.132.49 GET /products.asp typeID=226 80 – 117.84.25.205 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30) 200 0 0 2312 683
2010-03-25 10:53:57 W3SVC437 218.85.132.49 GET /products.asp typeID=226′%20and%20char(124)%2Buser%2Bchar(124)=0%20and%20”=’|125|80040e14| [Microsoft][ODBC_Microsoft_Access_Driver]_语法错误_(操作符丢失)_在查询表达式_’typeID=226′_and_char(124)+user+char(124)=0_and_”=”_中。80 – 117.84.25.205 Internet+Explorer+6.0 500 0 0 2074 244
2010-03-25 10:53:57 W3SVC437 218.85.132.49 GET /products.asp typeID=226%20and%20char(124)%2Buser%2Bchar(124)=0|125|80040e14| [Microsoft][ODBC_Microsoft_Access_Driver]_表达式中_’char’_函数未定义。80 –117.84.25.205 Internet+Explorer+6.0 500 0 0 2074 230
2010-03-25 10:53:58 W3SVC437 218.85.132.49 GET /products.asp typeID=226′%20and%20char(124)%2Buser%2Bchar(124)=0%20and%20′%25′=’|125|80040e14|[Microsoft][ODBC_Microsoft_Access_Driver]_语法错误_(操作符丢失)_在查询表达式_’typeID=226′_and_char(124)+user+char(124)=0_and_’%’=”_中。 80 –117.84.25.205 Internet+Explorer+6.0 500 0 0 2074 247
2010-03-25 10:53:58 W3SVC437 218.85.132.49 GET /products.asp typeID=226%20%61%6E%64%20%31%3D%31 80 – 117.84.25.205 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 200 0 64 0 244
2010-03-25 10:53:58 W3SVC437 218.85.132.49 GET /products.asp typeID=226%20%61%6E%64%20%31%3D%32 80 – 117.84.25.205 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 200 0 64 0 244
2010-03-25 10:53:58 W3SVC437 218.85.132.49 GET /products.asp typeID=226′%20and%201=1%20and%20”=’|125|80040e14|[Microsoft] [ODBC_Microsoft_Access_Driver]_语法错误_(操作符丢失)_在查询表达式_’typeID=226′_and_1=1_and_”=”_中。80 –117.84.25.205 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 500 0 64 0 246
2010-03-25 10:53:59 W3SVC437 218.85.132.49 GET /products.asp typeID=129 80 – 117.84.25.205 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30) 200 0 0 2309 684
2010-03-25 10:53:59 W3SVC437 218.85.132.49 GET /products.asp typeID=129′%20and%20char(124)%2Buser%2Bchar(124)=0%20and%20”=’|125|80040e14| [Microsoft][ODBC_Microsoft_Access_Driver]_语法错误_(操作符丢失)_在查询表达式_’typeID=129′_and_char(124)+user+char(124)=0_and_”=”_中。80 – 117.84.25.205 Internet+Explorer+6.0 500 0 0 2074 244
2010-03-25 10:53:59 W3SVC437 218.85.132.49 GET /products.asp typeID=129%20and%20char(124)%2Buser%2Bchar(124)=0|125|80040e14| [Microsoft][ODBC_Microsoft_Access_Driver]_表达式中_’char’_函数未定义。80 –117.84.25.205 Internet+Explorer+6.0 500 0 0 2074 230
2010-03-25 10:53:59 W3SVC437 218.85.132.49 GET /products.asp typeID=129′%20and%20char(124)%2Buser%2Bchar(124)=0%20and%20′%25′=’|125|80040e14|[Microsoft][ODBC_Microsoft_Access_Driver]_语法错误_(操作符丢失)_在查询表达式_’typeID=129′_and_char(124)+user+char(124)=0_and_’%’=”_中。80 –117.84.25.205 Internet+Explorer+6.0 500 0 0 2074 247
2010-03-25 10:53:59 W3SVC437 218.85.132.49 GET /products.asp typeID=129%20%61%6E%64%20%31%3D%31 80 – 117.84.25.205 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 200 0 64 2048 244
2010-03-25 10:54:00 W3SVC437 218.85.132.49 GET /products.asp typeID=129%20%61%6E%64%20%31%3D%32 80 – 117.84.25.205 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 200 0 64 0 244
2010-03-25 10:54:00 W3SVC437 218.85.132.49 GET /products.asp typeID=129′%20and%201=1%20and%20”=’|125|80040e14|[Microsoft] [ODBC_Microsoft_Access_Driver]_语法错误_(操作符丢失)_在查询表达式_’typeID=129′_and_1=1_and_”=”_中。80 –117.84.25.205 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 500 0 64 0 246
2010-03-25 10:54:02 W3SVC437 218.85.132.49 GET /products.asp typeID=111 80 – 117.84.25.205 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30) 200 0 0 2303 670
2010-03-25 10:54:02 W3SVC437 218.85.132.49 GET /products.asp typeID=111′%20and%20char(124)%2Buser%2Bchar(124)=0%20and%20”=’|125|80040e14| [Microsoft][ODBC_Microsoft_Access_Driver]_语法错误_(操作符丢失)_在查询表达式_’typeID=111′_and_char(124)+user+char(124)=0_and_”=”_中。80 – 117.84.25.205 Internet+Explorer+6.0 500 0 0 2074 244
2010-03-25 10:54:02 W3SVC437 218.85.132.49 GET /products.asp typeID=111%20and%20char(124)%2Buser%2Bchar(124)=0|125|80040e14| [Microsoft][ODBC_Microsoft_Access_Driver]_表达式中_’char’_函数未定义。80 –117.84.25.205 Internet+Explorer+6.0 500 0 0 2074 230
2010-03-25 10:54:02 W3SVC437 218.85.132.49 GET /products.asp typeID=111′%20and%20char(124)%2Buser%2Bchar(124)=0%20and%20′%25′=’|125|80040e14|[Microsoft][ODBC_Microsoft_Access_Driver]_语法错误_(操作符丢失)_在查询表达式_’typeID=111′_and_char(124)+user+char(124)=0_and_’%’=”_中。80 –117.84.25.205 Internet+Explorer+6.0 500 0 0 2074 247
2010-03-25 10:54:02 W3SVC437 218.85.132.49 GET /products.asp typeID=111%20%61%6E%64%20%31%3D%31|132|800a000d|类型不匹配:_’selec’80 –117.84.25.205 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 500 0 64 0 244
2010-03-25 10:54:03 W3SVC437 218.85.132.49 GET /products.asp typeID=111%20%61%6E%64%20%31%3D%32 80 – 117.84.25.205 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 200 0 64 2048 244
2010-03-25 10:54:03 W3SVC437 218.85.132.49 GET /products.asp typeID=111′%20and%201=1%20and%20”=’|125|80040e14|[Microsoft] [ODBC_Microsoft_Access_Driver]_语法错误_(操作符丢失)_在查询表达式_’typeID=111′_and_1=1_and_”=”_中。80 –117.84.25.205 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 500 0 64 0 246
Reading it the same way as above: at 2010-03-25 10:54:03 a file was fetched from the server 218.85.132.49; the file is /products.asp with the parameter "typeID=111′%20and%201=1%20and%20”=’", but the server returned the error "|125|80040e14|[Microsoft] [ODBC_Microsoft_Access_Driver]_语法错误_(操作符丢失)_在查询表达式_’typeID=111′_and_1=1_and_”=”_中" (an ODBC syntax error, missing operator); the requester was 117.84.25.205.
Keep reading the log: a large part of it is this kind of content, from which you can tell that this person used an injection tool such as 明小子 or 啊D and was guessing table names. Then take the IP 117.84.25.205 to an IP lookup site to check whether he was coming through a VPN.
The IP you queried is: 117.84.25.205  Location: Wuxi, Jiangsu Province, China Telecom
So it does not look like a VPN. The analysis ends here.
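The triage the article does by hand (merge the daily files, read the #Fields header to know what each column means, skip entries from before the incident window, search for the single-quote marker and related injection probes, then see which client IP the hits cluster on) as a Python script. This is an added example, not code from the article; the sample log embedded in it is constructed, modelled on the article's excerpt (same field layout, same client and server IPs), with the ASP error text shortened. The marker list and the function names are this example's own choices.

```python
"""Triage of an IIS 6 W3C extended log for SQL-injection probes (added example)."""
from collections import Counter
from datetime import date
from pathlib import Path
from urllib.parse import unquote

# Constructed sample: a merged log in which the directives repeat, as they do
# when several daily ex*.log files are concatenated. Modelled on the article's
# excerpt; the ASP error appended to cs-uri-query is abbreviated.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-13 08:08:53
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes
2010-01-13 08:08:53 W3SVC437 218.85.132.49 GET /index.htm - 80 - 117.92.13.20 Mozilla/4.0+(compatible;+MSIE+8.0) 200 0 0 2376 524
2010-01-13 08:08:56 W3SVC437 218.85.132.49 GET /img/bg.jpg - 80 - 117.92.13.20 Mozilla/4.0+(compatible;+MSIE+8.0) 200 0 0 1030 345
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-03-25 10:53:47
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes
2010-03-25 10:53:47 W3SVC437 218.85.132.49 GET /products.asp typeID=107'%20and%20char(124)%2Buser%2Bchar(124)=0%20and%20''='|125|80040e14|[Microsoft][ODBC_Microsoft_Access_Driver]_syntax_error 80 - 117.84.25.205 Internet+Explorer+6.0 500 0 0 2074 243
2010-03-25 10:53:48 W3SVC437 218.85.132.49 GET /products.asp typeID=129%20%61%6E%64%20%31%3D%31 80 - 117.84.25.205 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 200 0 64 0 243
2010-03-25 10:53:48 W3SVC437 218.85.132.49 GET /products.asp typeID=129%20%61%6E%64%20%31%3D%32 80 - 117.84.25.205 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 200 0 64 0 243
2010-03-25 10:53:53 W3SVC437 218.85.132.49 GET /products.asp typeID=230 80 - 117.84.25.205 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 200 0 0 2311 683
2010-03-25 11:02:10 W3SVC437 218.85.132.49 GET /products.asp typeID=12 80 - 98.126.112.74 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 200 0 0 2300 290
"""

# Strings that, once the query is percent-decoded, point at an injection probe.
# The first one is the article's Ctrl+F search; the rest cover the boolean
# pairs and char()/select payloads visible in its log excerpt.
INJECTION_MARKERS = ("'", " and 1=1", " and 1=2", "char(", "select")


def merge_log_files(paths):
    """Concatenate daily log files in name order (IIS names them by date, so
    sorted order is chronological). IIS 6 writes the system ANSI code page,
    so undecodable bytes are replaced rather than aborting the run."""
    return "".join(Path(p).read_text(encoding="utf-8", errors="replace")
                   for p in sorted(paths))


def parse_iis_log(text):
    """Yield one dict per entry, keyed by the names in the most recent
    '#Fields:' line. The field list is re-read every time it appears, because
    a merged file repeats the directives and the layout may change between days."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives carry no entries
        if fields is None:
            raise ValueError("log entry seen before any #Fields header")
        tokens = line.split(" ")
        if len(tokens) != len(fields):
            continue  # truncated or damaged entry: skip it rather than guess
        yield dict(zip(fields, tokens))


def describe(entry):
    """Render one entry the way the article reads it: when, who, what, from where."""
    return (f"{entry['date']} {entry['time']}: {entry['c-ip']} fetched "
            f"{entry['cs-uri-stem']} from {entry['s-ip']} (status {entry['sc-status']})")


def injection_markers(entry):
    """Return the markers found in the decoded query string of one entry.
    Decoding first is what catches hex-encoded payloads such as %61%6E%64 ('and')."""
    query = unquote(entry.get("cs-uri-query", "-")).lower()
    if query == "-":  # IIS writes '-' for an empty field
        return []
    found = [m for m in INJECTION_MARKERS if m in query]
    # IIS 6 appends the ASP error ('|line|code|message') to cs-uri-query;
    # the ODBC syntax-error code from the article is evidence on its own.
    if "|80040e14|" in query:
        found.append("odbc-syntax-error")
    return found


def triage(text, not_before):
    """Count suspicious requests per client IP, ignoring entries dated before
    `not_before` (ISO date), which is the article's 'skip everything before
    March 1' step. Returns (ip, hit_count, first_seen) sorted by hit count."""
    cutoff = date.fromisoformat(not_before)
    hits = Counter()
    first_seen = {}
    for entry in parse_iis_log(text):
        if date.fromisoformat(entry["date"]) < cutoff:
            continue
        if not injection_markers(entry):
            continue
        ip = entry["c-ip"]
        hits[ip] += 1
        first_seen.setdefault(ip, f"{entry['date']} {entry['time']}")
    return [(ip, n, first_seen[ip]) for ip, n in hits.most_common()]


if __name__ == "__main__":
    for ip, count, first in triage(SAMPLE_LOG, "2010-03-01"):
        print(f"{ip}: {count} suspicious requests, first at {first}")
```

Replace SAMPLE_LOG with merge_log_files(glob of the site's ex*.log files) to run it on a real server. The token-count check in parse_iis_log is deliberate: a field containing a literal space would shift every later column, so an entry that does not match the header is dropped instead of being attributed to the wrong client IP.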