IIS 404 Error — Page Not Found

WebServerErrors IIS Reconnaissance / Scanning

What This Means

Analyze IIS HTTP 404 Not Found errors. Distinguish between benign broken links and active reconnaissance where attackers probe your web server for vulnerabilities.

Example Log

2026-03-08 16:05:12 W3SVC1 WEB01 10.0.1.50 GET /wp-login.php - 443 - 198.51.100.77 Mozilla/5.0 - 404 0 2 187

Indicators of Suspicious Activity

404 requests targeting CMS-specific paths (/wp-login.php, /administrator, /wp-admin)
Requests for common vulnerability paths (/phpmyadmin, /.env, /actuator, /config.php)
High 404 rate from a single IP suggesting automated directory bruteforcing
404 requests with suspicious query strings containing SQL or script fragments
Requests for paths associated with known exploits or CVEs
Scanning patterns — sequential probing of common paths in alphabetical order

How to Investigate

Filter IIS logs for 404 responses and group by client IP to identify scanners
Review the requested URIs for vulnerability scanning patterns
Check if the scanned paths correspond to any actual applications on the server
Correlate the scanning IP with threat intelligence feeds
Review if any 404 patterns transition to 200/301 indicating discovered content
Check server response times — slow 404s may indicate server-side processing of malicious input

Recommended Mitigations

Return generic custom 404 pages that do not reveal server technology or framework
Implement rate limiting to throttle excessive 404 requests from single IPs
Block known vulnerability scanner User-Agent strings at the WAF
Use IIS Request Filtering to reject requests for non-existent file extensions
Monitor and alert on IPs generating more than 50 404s per minute
Consider deploying a honeypot path that triggers alerts when accessed

Scan This Log Instantly

Paste a suspicious log line below and get an instant AI-powered security assessment.

0 / 2000

What is 9 + 3?

Need a Full Investigation?

Scan entire log files, detect attack patterns, reconstruct timelines, and generate a full investigation report.

Run Smart Scan

Related Log Types

Related Attack Patterns

Frequently Asked Questions

Are 404 errors a security concern? ▼

Individual 404s from broken links are harmless. However, a pattern of 404 errors targeting known vulnerability paths from a single IP is a strong indicator of automated reconnaissance against your server.

How can I tell if 404s are from an attacker vs broken links? ▼

Check the requested URIs. Broken links target pages that used to exist on your site. Attacker scans target generic vulnerability paths like /wp-login.php, /.env, /phpmyadmin that may not relate to your application at all.

Should I block IPs that generate many 404s? ▼

Yes, but use thresholds to avoid blocking legitimate crawlers. A good rule: block IPs generating more than 100 404s in 10 minutes, while allowing known search engine bot IPs.