Does the problem re-occur reliably, and if so, can you put a sniffer on the segment and catch the traffic at the time of the incident? ----- Original Message ----- From: "Keith.Morgan" <Keith.Morganat_private> To: "'Mike Shaw'" <mshawat_private>; <incidentsat_private> Sent: Monday, November 12, 2001 1:18 PM Subject: RE: IIS (Possible DoS floating around) > I've fully reviewed all event logs, webserver logs, IDS and firewall logs > for the day of the crash. I can't find a cause, only a symptom. Here is an > exerpt from the w3svc logs: > > 2001-11-10 15:41:27 remoteip - localip 80 GET /index.cfm > Out-of-process+ISAPI+extension+request+failed. 500 Mozilla/4.0+(c > ompatible;+MSIE+5.5;+AOL+6.0;+Windows+98;+Win+9x+4.90) > > At least in the incidents with which I'm familiar, at least the w3svc, > ftpsvc, and cold fusion are running on the machines. There was a *possible* > time co-incidence with an FTP connection that (according to the log entries) > dropped with an error. > > > > > -----Original Message----- > > From: Mike Shaw [mailto:mshawat_private] > > Sent: Monday, November 12, 2001 1:03 PM > > To: Keith.Morgan; 'incidentsat_private' > > Subject: Re: IIS (Possible DoS floating around) > > > > > > Any further info on system configurations? ISAPI mappings, installed > > software (perl, cold fusion...), running services? > > > > -Mike > > > > At 12:27 PM 11/12/2001 -0500, Keith.Morgan wrote: > > >The focus-ms list is hopping a little regarding some strange > > behaviour from > > >IIS. > > > > > >The symptoms: > > >IIS continues to run (or sometimes crashes), but the common > > thread is that > > >the port is closed. > > > > > >After recieving a report on focus-ms, and having this same > > behaviour occur > > >on one of our webservers, I contacted a friend who runs a > > (logically) nearby > > >network. He indicated that the same problem had occurred on > > some of thier > > >servers. > > > > > >I'm currently pouring over logs attempting to locate > > anything out of the > > >ordinary. > > > > > >Just a note for all those that will say "make sure you've > > applied patches or > > >run the hfnetchk:" Our servers are at completely current > > patch levels. > > > > > > > > >Keith T. Morgan > > >Chief of Information Security > > >Terradon Communications > > >keith.morganat_private > > >304-755-8291 x142 > > > > > > > > >------------------------------------------------------------- > > --------------- > > >This list is provided by the SecurityFocus ARIS analyzer service. > > >For more information on this free incident handling, management > > >and tracking system please see: http://aris.securityfocus.com > > > > > > -------------------------------------------------------------------------- -- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Nov 12 2001 - 13:02:36 PST