I've fully reviewed all event logs, webserver logs, IDS and firewall logs for the day of the crash. I can't find a cause, only a symptom. Here is an excerpt from the w3svc logs:

    2001-11-10 15:41:27 remoteip - localip 80 GET /index.cfm Out-of-process+ISAPI+extension+request+failed. 500 Mozilla/4.0+(compatible;+MSIE+5.5;+AOL+6.0;+Windows+98;+Win+9x+4.90)

At least in the incidents with which I'm familiar, at least the w3svc, ftpsvc, and cold fusion are running on the machines. There was a *possible* time coincidence with an FTP connection that (according to the log entries) dropped with an error.

> -----Original Message-----
> From: Mike Shaw [mailto:mshawat_private]
> Sent: Monday, November 12, 2001 1:03 PM
> To: Keith.Morgan; 'incidentsat_private'
> Subject: Re: IIS (Possible DoS floating around)
>
>
> Any further info on system configurations? ISAPI mappings, installed
> software (perl, cold fusion...), running services?
>
> -Mike
>
> At 12:27 PM 11/12/2001 -0500, Keith.Morgan wrote:
> >The focus-ms list is hopping a little regarding some strange behaviour from
> >IIS.
> >
> >The symptoms:
> >IIS continues to run (or sometimes crashes), but the common thread is that
> >the port is closed.
> >
> >After receiving a report on focus-ms, and having this same behaviour occur
> >on one of our webservers, I contacted a friend who runs a (logically) nearby
> >network. He indicated that the same problem had occurred on some of their
> >servers.
> >
> >I'm currently poring over logs attempting to locate anything out of the
> >ordinary.
> >
> >Just a note for all those that will say "make sure you've applied patches or
> >run the hfnetchk:" Our servers are at completely current patch levels.
> >
> >
> >Keith T. Morgan
> >Chief of Information Security
> >Terradon Communications
> >keith.morganat_private
> >304-755-8291 x142
> >
> >
> >----------------------------------------------------------------------------
> >This list is provided by the SecurityFocus ARIS analyzer service.
> >For more information on this free incident handling, management
> >and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Nov 12 2001 - 10:33:50 PST