I have the same problem as described (two times, with 6 hrs. of difference), last Saturday, 11/Nov. In my logs I can see this:

2001-11-11 02:02:52 148.233.179.134 xx.xx.xx.xx (my ip) GET /privacy.asp |-|ASP_0115|Unexpected_error 200 0 280

Also, in the Event Viewer (I log the ASP errors) I have these entries at the moment:

"Error: File /default.asp Unexpected error "

After the problem, I rebooted the box and the problem did not come again.

----
Ezequiel Diaz-Pacheco
alienduceat_private

----- Original Message -----
From: "Shoten" <shotenat_private>
To: "Keith.Morgan" <Keith.Morganat_private>; "'Mike Shaw'" <mshawat_private>; <incidentsat_private>
Sent: Monday, November 12, 2001 16:02
Subject: Re: IIS (Possible DoS floating around)

> Does the problem re-occur reliably, and if so, can you put a sniffer on the
> segment and catch the traffic at the time of the incident?
>
> ----- Original Message -----
> From: "Keith.Morgan" <Keith.Morganat_private>
> To: "'Mike Shaw'" <mshawat_private>; <incidentsat_private>
> Sent: Monday, November 12, 2001 1:18 PM
> Subject: RE: IIS (Possible DoS floating around)
>
> > I've fully reviewed all event logs, webserver logs, IDS and firewall logs
> > for the day of the crash. I can't find a cause, only a symptom. Here is an
> > excerpt from the w3svc logs:
> >
> > 2001-11-10 15:41:27 remoteip - localip 80 GET /index.cfm Out-of-process+ISAPI+extension+request+failed. 500 Mozilla/4.0+(compatible;+MSIE+5.5;+AOL+6.0;+Windows+98;+Win+9x+4.90)
> >
> > At least in the incidents with which I'm familiar, at least the w3svc,
> > ftpsvc, and cold fusion are running on the machines. There was a *possible*
> > time co-incidence with an FTP connection that (according to the log entries)
> > dropped with an error.
> >
> > > -----Original Message-----
> > > From: Mike Shaw [mailto:mshawat_private]
> > > Sent: Monday, November 12, 2001 1:03 PM
> > > To: Keith.Morgan; 'incidentsat_private'
> > > Subject: Re: IIS (Possible DoS floating around)
> > >
> > > Any further info on system configurations? ISAPI mappings, installed
> > > software (perl, cold fusion...), running services?
> > >
> > > -Mike
> > >
> > > At 12:27 PM 11/12/2001 -0500, Keith.Morgan wrote:
> > > >The focus-ms list is hopping a little regarding some strange behaviour
> > > >from IIS.
> > > >
> > > >The symptoms:
> > > >IIS continues to run (or sometimes crashes), but the common thread is
> > > >that the port is closed.
> > > >
> > > >After receiving a report on focus-ms, and having this same behaviour
> > > >occur on one of our webservers, I contacted a friend who runs a
> > > >(logically) nearby network. He indicated that the same problem had
> > > >occurred on some of their servers.
> > > >
> > > >I'm currently poring over logs attempting to locate anything out of the
> > > >ordinary.
> > > >
> > > >Just a note for all those that will say "make sure you've applied
> > > >patches or run the hfnetchk:" Our servers are at completely current
> > > >patch levels.
> > > >
> > > >Keith T. Morgan
> > > >Chief of Information Security
> > > >Terradon Communications
> > > >keith.morganat_private
> > > >304-755-8291 x142
> > > >
> > > >----------------------------------------------------------------------------
> > > >This list is provided by the SecurityFocus ARIS analyzer service.
> > > >For more information on this free incident handling, management
> > > >and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Nov 12 2001 - 14:03:35 PST