We haven't seen it re-occuring. Apparently several sites were hit over the weekend. We're also currently running a sniffer on the segment in addition to the IDS (which missed this by the way). Also, this is assuming that it is in actuality a DoS and not a strings of coincidences. I'm not a firm believer in coincidence. > -----Original Message----- > From: Shoten [mailto:shotenat_private] > Sent: Monday, November 12, 2001 2:03 PM > To: Keith.Morgan; 'Mike Shaw'; incidentsat_private > Subject: Re: IIS (Possible DoS floating around) > > > Does the problem re-occur reliably, and if so, can you put a > sniffer on the > segment and catch the traffic at the time of the incident? > > ----- Original Message ----- > From: "Keith.Morgan" <Keith.Morganat_private> > To: "'Mike Shaw'" <mshawat_private>; <incidentsat_private> > Sent: Monday, November 12, 2001 1:18 PM > Subject: RE: IIS (Possible DoS floating around) > > > > I've fully reviewed all event logs, webserver logs, IDS and > firewall logs > > for the day of the crash. I can't find a cause, only a > symptom. Here is > an > > exerpt from the w3svc logs: > > > > 2001-11-10 15:41:27 remoteip - localip 80 GET /index.cfm > > Out-of-process+ISAPI+extension+request+failed. 500 Mozilla/4.0+(c > > ompatible;+MSIE+5.5;+AOL+6.0;+Windows+98;+Win+9x+4.90) > > > > At least in the incidents with which I'm familiar, at least > the w3svc, > > ftpsvc, and cold fusion are running on the machines. There was a > *possible* > > time co-incidence with an FTP connection that (according to the log > entries) > > dropped with an error. > > > > > > > > > -----Original Message----- > > > From: Mike Shaw [mailto:mshawat_private] > > > Sent: Monday, November 12, 2001 1:03 PM > > > To: Keith.Morgan; 'incidentsat_private' > > > Subject: Re: IIS (Possible DoS floating around) > > > > > > > > > Any further info on system configurations? ISAPI > mappings, installed > > > software (perl, cold fusion...), running services? > > > > > > -Mike > > > > > > At 12:27 PM 11/12/2001 -0500, Keith.Morgan wrote: > > > >The focus-ms list is hopping a little regarding some strange > > > behaviour from > > > >IIS. > > > > > > > >The symptoms: > > > >IIS continues to run (or sometimes crashes), but the common > > > thread is that > > > >the port is closed. > > > > > > > >After recieving a report on focus-ms, and having this same > > > behaviour occur > > > >on one of our webservers, I contacted a friend who runs a > > > (logically) nearby > > > >network. He indicated that the same problem had occurred on > > > some of thier > > > >servers. > > > > > > > >I'm currently pouring over logs attempting to locate > > > anything out of the > > > >ordinary. > > > > > > > >Just a note for all those that will say "make sure you've > > > applied patches or > > > >run the hfnetchk:" Our servers are at completely current > > > patch levels. > > > > > > > > > > > >Keith T. Morgan > > > >Chief of Information Security > > > >Terradon Communications > > > >keith.morganat_private > > > >304-755-8291 x142 > > > > > > > > > > > >------------------------------------------------------------- > > > --------------- > > > >This list is provided by the SecurityFocus ARIS analyzer service. > > > >For more information on this free incident handling, management > > > >and tracking system please see: http://aris.securityfocus.com > > > > > > > > > > > -------------------------------------------------------------- > ------------ > -- > > This list is provided by the SecurityFocus ARIS analyzer service. > > For more information on this free incident handling, management > > and tracking system please see: http://aris.securityfocus.com > > > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Nov 12 2001 - 15:10:19 PST