DFIRKuiper / Kuiper

Digital Forensics Investigation Platform

IIS Access Logs Parser failed because of 'utf8' codec #111

Open congtrung2k1 opened 1 year ago

congtrung2k1 commented 1 year ago

When I parse the IIS Access Logs, the error appears and says:

[-] [Error] IIS Access Logs Parser: 'utf8' codec can't decode byte 0xc0 in position 2: invalid start byte - Line No. 68

Here is the access log content, which was hit by an LFI attack:

2023-08-23 00:00:00 172.27.2.17 GET /DependencyHandler.axd/8eeace64d63c39921d09c839c5a63e89/4/%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%afwindows/win.ini - 443 - 5.253.43.24 User-Agent:+Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+360SE) - 404 11 0 187
2023-08-23 00:00:00 172.27.2.17 GET /DesktopModules/Admin/languages/images/nusoap - 443 - 5.253.43.24 User-Agent:+Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+360SE) - 404 0 2 187
2023-08-23 00:00:00 172.27.2.17 GET /DesktopModules/Admin/console/scripts/player - 443 - 5.253.43.24 User-Agent:+Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+360SE) - 404 0 2 187
2023-08-23 00:00:00 172.27.2.17 POST /Default.aspx TabId=85&language=vi-VN 443 - 5.253.43.24 User-Agent:+Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+360SE) - 200 0 0 203
2023-08-23 00:00:00 172.27.2.17 GET /Portals/_default/Skins/Assets/css/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd - 443 - 5.253.43.24 User-Agent:+Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+360SE) - 404 11 0 187
2023-08-23 00:00:00 172.27.2.17 POST /Default.aspx TabId=85&language=vi-VN&returnurl=%2fru-ru%2fsasscascdsd 443 - 5.253.43.24 User-Agent:+Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+360SE) - 200 0 0 187
2023-08-23 00:00:00 172.27.2.17 POST /Default.aspx TabId=85&language=vi-VN&returnurl=%2fvi-vn%2fdong-hanh-ho-tro-kh-kho-khan 443 - 5.253.43.24 User-Agent:+Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+360SE) - 200 0 0 187
2023-08-23 00:00:00 172.27.2.17 POST /Default.aspx TabId=85&language=vi-VN&returnurl=%2fru-ru%2fsasscascdsd%22%7c%7csleep(271000)mhozpj%7c%7c%22 443 - 5.253.43.24 User-Agent:+Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+360SE) - 200 0 0 203
2023-08-23 00:00:00 172.27.2.17 POST /Default.aspx TabId=85&language=vi-VN&returnurl=%2fru-ru%2fsasscascdsd 443 - 5.253.43.24 User-Agent:+Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+360SE) - 200 0 0 203
2023-08-23 00:00:00 172.27.2.17 GET /DependencyHandler.axd/0fcf5b709d7750f2b8456f96a256411f/4/À®À®À¯À®À®À¯À®À®À¯À®À®À¯À®À®À¯À®À®À¯À®À®À¯À®À®À¯À®À®À¯À®À®À¯À®À®À¯À®À®À¯À®À®À¯À®À®À¯À®À®À¯À®À®À¯/etc/passwd - 443 - 5.253.43.24 User-Agent:+Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+360SE) - 404 0 0 202
2023-08-23 00:00:00 172.27.2.17 POST /Default.aspx TabId=85&language=ru-RU 443 - 5.253.43.24 User-Agent:+Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+360SE) - 200 0 0 203
2023-08-23 00:00:00 172.27.2.17 POST /Default.aspx TabId=85&language=ru-RU&returnurl=%2fru-ru%2fsasscascdsd 443 - 5.253.43.24 User-Agent:+Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+360SE) - 200 0 0 187
2023-08-23 00:00:01 172.27.2.17 GET /DesktopModules/Admin/languages/images/docs - 443 - 5.253.43.24 User-Agent:+Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+360SE) - 404 0 2 187
2023-08-23 00:00:01 172.27.2.17 GET /Default.aspx TabId=85&language=ru-RU 443 - 5.253.43.24 User-Agent:+Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+360SE) - 200 0 0 187
2023-08-23 00:00:01 172.27.2.17 GET /Default.aspx tabid=85&error=An+unexpected+error+has+occurred&content=0 443 - 5.253.43.24 User-Agent:+Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+360SE) - 200 0 0 187
2023-08-23 00:00:01 172.27.2.17 GET /Portals/_default/Skins/Assets/css/..À¯..À¯..À¯..À¯..À¯..À¯..À¯..À¯..À¯..À¯..À¯..À¯..À¯..À¯..À¯..À¯/etc/passwd - 443 - 5.253.43.24 User-Agent:+Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+360SE) - 404 0 0 187

Do you have any suggestions for fixing this bug?

salehmuhaysin commented 11 months ago

Hello, not sure what the problem is, because I tried to copy and paste the logs you provided but it works.

Could you share the same file, or the part of the logs that failed, as a file? Maybe with the text log it did not copy the failed command 0xc0.

IUSecHCMIU commented 11 months ago

> Hello, not sure what the problem is, because I tried to copy and paste the logs you provided but it works.
>
> Could you share the same file, or the part of the logs that failed, as a file? Maybe with the text log it did not copy the failed command 0xc0.

Here it is: u_ex230719.log
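
One way a log parser can survive the raw 0xc0 bytes reported in this issue, as an added example that is not Kuiper's code or part of the thread: read lines as bytes, fall back to `backslashreplace` when strict UTF-8 decoding fails, and fold the overlong C0 AE / C0 AF pairs to ASCII so the traversal can be flagged. The sample lines, the `#Fields` header, the IP addresses and all function names are constructed for illustration.

```python
import re

# Constructed sample (not the reporter's file): IIS W3C lines as raw bytes. Line 2
# carries raw C0 AE / C0 AF, the overlong forms of "." and "/" behind the error.
SAMPLE = (
    b"#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
    b"cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus "
    b"sc-win32-status time-taken\n"
    b"2023-08-23 00:00:00 192.0.2.10 GET /a/\xc0\xae\xc0\xae\xc0\xaf/etc/passwd "
    b"- 443 - 198.51.100.7 Mozilla/4.0 - 404 0 0 202\n"
    b"2023-08-23 00:00:01 192.0.2.10 GET /Default.aspx TabId=85 443 - "
    b"198.51.100.7 Mozilla/4.0 - 200 0 0 187\n"
)

# C0/C1 followed by a continuation byte is an overlong 2-byte form of an ASCII char.
OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]")

def decode_line(raw):
    """Return (text, had_invalid_utf8) without ever raising on bad bytes."""
    try:
        return raw.decode("utf-8"), False
    except UnicodeDecodeError:
        # Keep offending bytes visible as \xNN so the evidence is preserved.
        return raw.decode("utf-8", errors="backslashreplace"), True

def fold_overlong(raw):
    """Replace each overlong pair with the ASCII byte it encodes (analysis only)."""
    return OVERLONG.sub(
        lambda m: bytes([((m.group()[0] & 0x1F) << 6) | (m.group()[1] & 0x3F)]), raw)

def parse_iis(data):
    """Parse W3C log bytes into dicts, flagging undecodable lines instead of failing."""
    fields, rows = [], []
    for line_no, raw in enumerate(data.splitlines(), 1):
        if raw.startswith(b"#Fields:"):
            fields = raw[len(b"#Fields:"):].decode("ascii").split()
        elif raw and not raw.startswith(b"#"):
            text, bad = decode_line(raw)
            row = dict(zip(fields, text.split(" ")))
            folded = dict(zip(fields, decode_line(fold_overlong(raw))[0].split(" ")))
            row.update(line_no=line_no, invalid_utf8=bad,
                       traversal="../" in folded.get("cs-uri-stem", ""))
            rows.append(row)
    return rows

if __name__ == "__main__":
    for r in parse_iis(SAMPLE):
        print(r["line_no"], r["invalid_utf8"], r["traversal"], r["cs-uri-stem"])
```

The stored `cs-uri-stem` keeps the escaped original bytes; the folded form is used only to decide the `traversal` flag.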