Security Basics mailing list archives
RE: random IIS stops and restarts
From: "dave kleiman" <dave () netmedic net>
Date: Thu, 9 Oct 2003 18:30:43 -0400
Event ID 2 coupled with ID 1 often indicates the Code Red Worm or one of its variants. You will see 1 (a restart command) followed by 2 (a stop command) over and over again in the logs.

I would do a check; if you find no infestation, then try disabling the auto-restart: "IISRESET /DISABLE".

If you are seeing events about some of the other IIS services terminating unexpectedly in the same time-frame, you probably are infected.

_____________________
Dave Kleiman
secure () netmedic net
www.SecurityBreachResponse.com

"High achievement always takes place in the framework of high expectation."
Jack Kinder

-----Original Message-----
From: Craig Janssen [mailto:cjanssen () mail millikin edu]
Sent: Thursday, October 09, 2003 10:24
To:
Subject: random IIS stops and restarts

This has been happening on one of my IIS web servers for a few days, and it just happened again on a second server yesterday. All the processes associated with IIS shut down for a few seconds and then restart by themselves. A system Error event is logged for each IIS process as it is killed (i.e. W3SVC, SMTPSVC, FTPSVC), and an informational event is logged for the IIS shutdown:

Date: 10/8/2003
Time: 14:54
Source: IISCTLS
Category: None
Event ID: 2
IIS stop command received from user NT AUTHORITY\SYSTEM. The logged data is the status code. For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.

and another as it restarts:

Date: 10/8/2003
Time: 14:54
Source: IISCTLS
Category: None
Event ID: 1
IIS start command received from user NT AUTHORITY\SYSTEM. The logged data is the status code. For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.

Also, I'm not sure if it's related or not, but there was a transaction logged in the W3SVC log right before the service shut down and restarted. I couldn't find anything else unusual in any of the other website logs for the time period:

2003-10-08 19:54:10 <source IP> - <destination IP> 80 POST /scripts/nsiislog.dll Out-of-process+ISAPI+extension+request+failed. 503 NSPlayer/4.1.0.3917
2003-10-08 19:54:10 <source IP> - <destination IP> 80 POST /scripts/nsiislog.dll Out-of-process+ISAPI+extension+request+failed. 503 NSPlayer/4.1.0.3917

I've googled, checked EventID.net, and Microsoft's knowledgebase. All I could find regarding the nsiislog.dll incident was an old exploit posted to Neohapsis back in May for MS03-019 regarding Windows Media services, which I don't even have installed on the server, so I don't think it's related.

Any ideas? Do I have a possible intruder or malicious code on the server, or is it just recovering from an external IIS attack? I'm running Win2k server SP3 with all the latest MS security patches applied and NAI VirusScan Enterprise 7 with the latest DAT's. It's not causing any detrimental effects to our website, as the IIS process only goes down for a matter of seconds, but any insight would be greatly appreciated!

Thanks,
Craig

______________________________
Craig Janssen, MCP, A+
Network and Internet Services Manager
Millikin University
Information Technology Dept
(217) 362-6488
cjanssen () mail millikin edu
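Added example, not part of either message: a Python sketch of the correlation done by hand in the thread, pairing each IISCTLS stop/start cycle with the W3SVC requests that failed just before the stop. The sample records are constructed from the ones quoted above (placeholder IPs, invented seconds), and the UTC-5 offset between the local-time event log and the UTC W3SVC log is an assumption based on the 14:54 and 19:54 timestamps.

```python
from datetime import datetime, timedelta

# Constructed sample data modelled on the records quoted in the thread.
# IPs are documentation-range placeholders; event seconds are invented.
W3SVC_LOG = """\
2003-10-08 19:50:02 192.0.2.10 - 192.0.2.80 80 GET /default.htm - 200 Mozilla/4.0
2003-10-08 19:54:10 192.0.2.66 - 192.0.2.80 80 POST /scripts/nsiislog.dll Out-of-process+ISAPI+extension+request+failed. 503 NSPlayer/4.1.0.3917
2003-10-08 19:54:10 192.0.2.66 - 192.0.2.80 80 POST /scripts/nsiislog.dll Out-of-process+ISAPI+extension+request+failed. 503 NSPlayer/4.1.0.3917
"""
EVENTS = [  # (local time, source, event ID): 2 = stop, 1 = start
    ("2003-10-08 14:54:12", "IISCTLS", 2),
    ("2003-10-08 14:54:15", "IISCTLS", 1),
]
FMT = "%Y-%m-%d %H:%M:%S"
UTC_OFFSET = timedelta(hours=-5)  # assumption: server local time is UTC-5


def parse_w3svc(text):
    """Parse lines laid out like the ones in the post; skip '#' directives."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if line.startswith("#") or len(f) < 10:
            continue
        rows.append({"utc": datetime.strptime(f[0] + " " + f[1], FMT),
                     "client": f[2], "method": f[6], "uri": f[7],
                     "status": int(f[9])})
    return rows


def restart_cycles(events, max_gap=timedelta(seconds=60)):
    """Pair each IISCTLS stop (ID 2) with the next start (ID 1); times in UTC."""
    ev = sorted((datetime.strptime(t, FMT) - UTC_OFFSET, eid)
                for t, src, eid in events if src == "IISCTLS")
    return [(a, b) for (a, ea), (b, eb) in zip(ev, ev[1:])
            if ea == 2 and eb == 1 and b - a <= max_gap]


def requests_before_stop(rows, cycles, window=timedelta(seconds=30)):
    """For each cycle, list 5xx requests logged in the window before the stop."""
    return [(stop, [r for r in rows
                    if r["status"] >= 500 and stop - window <= r["utc"] <= stop])
            for stop, _ in cycles]


if __name__ == "__main__":
    for stop, hits in requests_before_stop(parse_w3svc(W3SVC_LOG),
                                           restart_cycles(EVENTS)):
        print(stop, [(h["method"], h["uri"], h["status"]) for h in hits])
```

A request that repeatedly shows up in this window across many restart cycles is the one to investigate first; a single coincidence is not conclusive.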
Current thread:
- random IIS stops and restarts Craig Janssen (Oct 09)
- RE: random IIS stops and restarts dave kleiman (Oct 09)
- Re: random IIS stops and restarts Karma (Oct 09)