WebApp Sec mailing list archives

Webserver problems


From: "John Fisher" <fisherjc () ameritech net>
Date: Wed, 8 Sep 2004 23:33:06 -0400



It appears that one of our web servers was compromised; malware was
found on the server. Taken from the event log, the event below suggests
that a buffer overflow was their 1st attack. Has anyone else seen
anything like this, and am I right in thinking this suggests a buffer
overflow?

Thanks

John Fisher

Event Type:     Error
Event Source:   WAM
Event Category: None
Event ID:       204
Date:           8/24/2004
Time:           2:12:26 PM
User:           N/A
Computer:       webserver1
Description:
The HTTP server encountered an unhandled exception while processing the
ISAPI Application '
sspifilt!TerminateFilter + 0x9C8
sspifilt!HttpFilterProc + 0x1FF
w3svc!HTTP_REQ_BASE::BuildURLMovedResponse(class BUFFER *,class STR
*,unsigned long,int) + 0x2006
w3svc!HTTP_REQ_BASE::BuildURLMovedResponse(class BUFFER *,class STR
*,unsigned long,int) + 0x2BAB
w3svc!HTTP_REQ_BASE::WriteFile(void *,unsigned long,unsigned long
*,unsigned long) + 0x71
w3svc!_WamDictatorDumpInfo@8 + 0x2F8B
wam + 0x8459
sasweb + 0x1A541
sasweb!HttpExtensionProc + 0x1E6A
wam!DllCanUnloadNow + 0x636
wam!DllCanUnloadNow + 0x20C
w3svc!HTTP_HEADERS::FindValue(char const *,unsigned long *) + 0xE2
w3svc!STR::Copy(char const *,unsigned long) + 0xC71
w3svc!STR::Copy(char const *,unsigned long) + 0xB49
w3svc!STR::Copy(char const *,unsigned long) + 0x9A2
w3svc!CLIENT_CONN::OnSessionStartup(int *,void *,unsigned long,int) +
0x642
w3svc!HTTP_HEADERS::Reset(void) + 0x1CA
w3svc!STR::Copy(char const *,unsigned long) + 0x16EF
ISATQ!CDirMonitor::RemoveEntry(class CDirMonitorEntry *) + 0x13A
 + 0x69FEF168
'. 
For additional information specific to this message please visit the
Microsoft Online Support site located at:
http://www.microsoft.com/contentredirect.asp.
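As an added triage example (not part of John Fisher's post, and not a Microsoft tool), the script below parses the frame list embedded in a WAM Event ID 204 description like the one above into module, symbol and offset, re-joins the lines that the mail client wrapped mid-frame, and reports which modules in the trace are outside the IIS core set. The frame lines are copied from the event text above; the list of "core" IIS module names is an assumption of this example and should be checked against your own build. The useful output is which loaded ISAPI component appears in the trace (here `sasweb`), which narrows where to look; the unhandled exception by itself does not say whether the fault came from memory corruption or from some other bug in that component.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: the frame lines from the WAM Event ID 204 description
# above, exactly as the mail client wrapped them (some frames span two lines).
SAMPLE_EVENT_FRAMES = """\
sspifilt!TerminateFilter + 0x9C8
sspifilt!HttpFilterProc + 0x1FF
w3svc!HTTP_REQ_BASE::BuildURLMovedResponse(class BUFFER *,class STR
*,unsigned long,int) + 0x2006
w3svc!HTTP_REQ_BASE::BuildURLMovedResponse(class BUFFER *,class STR
*,unsigned long,int) + 0x2BAB
w3svc!HTTP_REQ_BASE::WriteFile(void *,unsigned long,unsigned long
*,unsigned long) + 0x71
w3svc!_WamDictatorDumpInfo@8 + 0x2F8B
wam + 0x8459
sasweb + 0x1A541
sasweb!HttpExtensionProc + 0x1E6A
wam!DllCanUnloadNow + 0x636
wam!DllCanUnloadNow + 0x20C
w3svc!HTTP_HEADERS::FindValue(char const *,unsigned long *) + 0xE2
w3svc!STR::Copy(char const *,unsigned long) + 0xC71
w3svc!STR::Copy(char const *,unsigned long) + 0xB49
w3svc!STR::Copy(char const *,unsigned long) + 0x9A2
w3svc!CLIENT_CONN::OnSessionStartup(int *,void *,unsigned long,int) +
0x642
w3svc!HTTP_HEADERS::Reset(void) + 0x1CA
w3svc!STR::Copy(char const *,unsigned long) + 0x16EF
ISATQ!CDirMonitor::RemoveEntry(class CDirMonitorEntry *) + 0x13A
 + 0x69FEF168
"""

class Frame(NamedTuple):
    """One frame of the trace: module and symbol are None when unresolved."""
    module: Optional[str]
    symbol: Optional[str]
    offset: int

# Accepts "module!symbol + 0xOFF", "module + 0xOFF" and a bare " + 0xADDR".
FRAME_RE = re.compile(
    r"^\s*(?:(?P<module>\w+)(?:!(?P<symbol>.*?))?)?\s*\+\s*0x(?P<offset>[0-9A-Fa-f]+)\s*$"
)

# Modules that ship with IIS 4/5 itself. This set is an assumption of the
# example, not an authoritative list; extend it for the build you run.
IIS_CORE_MODULES = frozenset({"w3svc", "wam", "isatq", "sspifilt", "iisrtl", "inetinfo"})

def parse_frames(text: str) -> List[Frame]:
    """Parse frame lines, re-joining lines that were wrapped mid-frame."""
    frames: List[Frame] = []
    pending = ""
    for raw in text.splitlines():
        piece = raw.strip()
        if not piece:
            continue
        pending = f"{pending} {piece}".strip() if pending else piece
        m = FRAME_RE.match(pending)
        if m is None:
            continue  # the frame continues on the next line
        symbol = m.group("symbol")
        frames.append(Frame(
            module=m.group("module").lower() if m.group("module") else None,
            symbol=symbol.strip() if symbol else None,
            offset=int(m.group("offset"), 16),
        ))
        pending = ""
    if pending:
        raise ValueError(f"unparsed trailing text: {pending!r}")
    return frames

def format_frame(f: Frame) -> str:
    """Render a frame back to "module!symbol+0xOFF" form for reports."""
    if f.module is None:
        return f"0x{f.offset:X}"
    sym = f"!{f.symbol}" if f.symbol else ""
    return f"{f.module}{sym}+0x{f.offset:X}"

def modules_in_order(frames: List[Frame]) -> List[str]:
    """Distinct resolved module names, innermost frame first."""
    seen: List[str] = []
    for f in frames:
        if f.module and f.module not in seen:
            seen.append(f.module)
    return seen

def non_core_modules(frames: List[Frame], core=IIS_CORE_MODULES) -> List[str]:
    """Modules in the trace that are not part of the assumed IIS core set."""
    return [m for m in modules_in_order(frames) if m not in core]

def triage(text: str) -> Dict[str, object]:
    """Summarise a frame list: where it surfaced and which components are in it."""
    frames = parse_frames(text)
    return {
        "frame_count": len(frames),
        "innermost_frame": format_frame(frames[0]),
        "modules": modules_in_order(frames),
        "non_core_modules": non_core_modules(frames),
        "unresolved_frames": sum(1 for f in frames if f.module is None),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENT_FRAMES).items():
        print(f"{key}: {value}")
```

Running it against the sample reports the innermost frame as `sspifilt!TerminateFilter+0x9C8`, five distinct modules, one unresolved return address, and `sasweb` as the only module outside the assumed core set.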

