If an HTTP client doesn't send an HTTP Host header when communicating with your web server, IIS 6 will output the IP address of your web server in the returned HTTP headers:
HTTP/1.1 200 OK
Content-Length: 4835
Content-Type: text/html
Content-Location: http://<your server IP address here>/index.html
Last-Modified: Tue, 26 Sep 2006 03:35:29 GMT
Accept-Ranges: bytes
ETag: "704349d01ce1c61:1"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 26 Sep 2006 04:32:57 GMT
Connection: close
In addition to revealing the IP in the HTTP Content-Location header, IIS may also reveal it in redirection responses, in the HTTP Location header, like the following:
HTTP/1.1 301 Moved Permanently
Content-Length: 153
Content-Type: text/html
Location: http://<your server IP address here>/subdir/
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 26 Sep 2006 07:21:44 GMT
Connection: close
If you're behind a firewall or NAT, that IP address may be an internal address that you may not want to reveal to potential attackers (if they don't need it for anything legitimate, why reveal it?). Microsoft has a Knowledge Base article describing how to stop IIS from revealing this info.
Tips:
- The KB article says to get a hotfix, but I was able to get it to work without installing any special hotfix.
- To do the steps in the article, you need the IIS "site identifier" number. To get that, run:
  cscript %windir%\system32\iisweb.vbs /query
- Ultimately, to configure IIS to stop revealing this info, you just need to run:
  cscript %SYSTEMDRIVE%\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/<site identifier>/SetHostName <what you want shown instead of the IP>
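To check whether your own server has the behaviour described above, before and after running the SetHostName command, here is a small Python script. It is an added example, not code from the original post or from Microsoft: it parses a raw HTTP response and reports any Content-Location or Location header whose URL host is a bare IP address (and whether that IP is a private one). The sample responses are constructed from the headers quoted in the post, with the made-up private address 10.0.0.5 standing in for the server's IP and www.example.com as the assumed configured host name; the function names are my own.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Response headers that IIS 6 builds from the site's configured host name,
# or from the raw server IP when none is configured and the request
# carried no Host header.
LOCATION_HEADERS = ("content-location", "location")


def parse_response(raw):
    """Split a raw HTTP response into (status_line, [(name_lower, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" not in line:
            continue  # skip blank or malformed lines
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def is_ip_literal(host):
    """True if host is a bare IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_ip_disclosure(raw):
    """Return [(header, ip, is_private)] for Location-style headers whose
    URL host is a raw IP address; an empty list means no disclosure."""
    _, headers = parse_response(raw)
    findings = []
    for name, value in headers:
        if name not in LOCATION_HEADERS:
            continue
        host = urlparse(value).hostname
        if host and is_ip_literal(host):
            findings.append((name, host, ipaddress.ip_address(host).is_private))
    return findings


def hostless_request(path="/"):
    """An HTTP/1.0 request deliberately sent without a Host header, which is
    what triggers the behaviour described in the post (HTTP/1.1 requires Host)."""
    return ("GET %s HTTP/1.0\r\nConnection: close\r\n\r\n" % path).encode("ascii")


def probe_own_server(host, port=80, path="/", timeout=5.0):
    """Send the Host-less request to a server you administer and return its
    raw response, ready for find_ip_disclosure(). Network call; not run here."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(hostless_request(path))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")


# Constructed sample responses, modelled on the headers quoted in the post.
# 10.0.0.5 is a made-up private address standing in for the server's IP.
SAMPLE_LEAKING = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Length: 4835\r\n"
    "Content-Type: text/html\r\n"
    "Content-Location: http://10.0.0.5/index.html\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Connection: close\r\n"
    "\r\n"
)
SAMPLE_REDIRECT = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Content-Length: 153\r\n"
    "Location: http://10.0.0.5/subdir/\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "\r\n"
)
# The same response once SetHostName has been applied (assumed host name).
SAMPLE_FIXED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Location: http://www.example.com/index.html\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, sample in (("leaking", SAMPLE_LEAKING),
                          ("redirect", SAMPLE_REDIRECT),
                          ("fixed", SAMPLE_FIXED)):
        print(label, find_ip_disclosure(sample))
```

Run it as-is to see the check against the constructed samples; to test a server you administer, pass the output of probe_own_server() to find_ip_disclosure() and confirm it returns an empty list after the SetHostName change.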