Security Incidents mailing list archives

Re: IIS (Possible DoS floating around)


From: "Ezequiel Diaz-Pacheco" <tempo () stec com ar>
Date: Mon, 12 Nov 2001 18:58:55 -0300

I have the same problem (two times, 6 hours apart) described last
Saturday, 11/Nov. In my logs I can see this:

2001-11-11 02:02:52 148.233.179.134 xx.xx.xx.xx (my ip) GET /privacy.asp |-|ASP_0115|Unexpected_error 200 0 280

Also, in the Event Viewer (I log the ASP errors) I have these entries at the
moment:

"Error: File /default.asp  Unexpected error "

After the problem, I rebooted the box and the problem did not come back.

----
Ezequiel Diaz-Pacheco
alienduce () stec com ar




----- Original Message -----
From: "Shoten" <shoten () starpower net>
To: "Keith.Morgan" <Keith.Morgan () Terradon com>; "'Mike Shaw'"
<mshaw () wwisp com>; <incidents () securityfocus com>
Sent: Monday, November 12, 2001 16:02
Subject: Re: IIS (Possible DoS floating around)


Does the problem re-occur reliably, and if so, can you put a sniffer on the
segment and catch the traffic at the time of the incident?

----- Original Message -----
From: "Keith.Morgan" <Keith.Morgan () Terradon com>
To: "'Mike Shaw'" <mshaw () wwisp com>; <incidents () securityfocus com>
Sent: Monday, November 12, 2001 1:18 PM
Subject: RE: IIS (Possible DoS floating around)


I've fully reviewed all event logs, webserver logs, IDS and firewall logs
for the day of the crash.  I can't find a cause, only a symptom.  Here is an
excerpt from the w3svc logs:

2001-11-10 15:41:27 remoteip - localip 80 GET /index.cfm Out-of-process+ISAPI+extension+request+failed. 500 Mozilla/4.0+(compatible;+MSIE+5.5;+AOL+6.0;+Windows+98;+Win+9x+4.90)

At least in the incidents with which I'm familiar, at least the w3svc,
ftpsvc, and cold fusion are running on the machines.  There was a *possible*
time co-incidence with an FTP connection that (according to the log entries)
dropped with an error.



-----Original Message-----
From: Mike Shaw [mailto:mshaw () wwisp com]
Sent: Monday, November 12, 2001 1:03 PM
To: Keith.Morgan; 'incidents () securityfocus com'
Subject: Re: IIS (Possible DoS floating around)


Any further info on system configurations?  ISAPI mappings, installed
software (perl, cold fusion...), running services?

-Mike

At 12:27 PM 11/12/2001 -0500, Keith.Morgan wrote:
The focus-ms list is hopping a little regarding some strange behaviour from
IIS.

The symptoms:
IIS continues to run (or sometimes crashes), but the common thread is that
the port is closed.

After receiving a report on focus-ms, and having this same behaviour occur
on one of our webservers, I contacted a friend who runs a (logically) nearby
network.  He indicated that the same problem had occurred on some of their
servers.

I'm currently poring over logs attempting to locate anything out of the
ordinary.

Just a note for all those that will say "make sure you've applied patches or
run the hfnetchk:" Our servers are at completely current patch levels.


Keith T. Morgan
Chief of Information Security
Terradon Communications
keith.morgan () terradon com
304-755-8291 x142


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com



