WebApp Sec mailing list archives
Re: Webserver problems
From: Mike Kalinovich <polaryzed () gmail com>
Date: Fri, 10 Sep 2004 10:42:05 -0400
The sspifilt is built into all IIS servers. It's the ISAPI filter that controls SSL, and probably much more than I know right now. It also has quite a few exploits available for it:

http://www.unital.com/research/ms_ssl_pct.pdf
http://www.securityfocus.com/bid/10115

Windows logs are generally quite useless when it comes to tracking down specifics about who broke into what (most people who break in on purpose don't leave logs for you to find).

I would highly recommend you image the drive first, rebuild the server (since once you're compromised, you have no idea what else has been installed or done to it), then install URLScan and fully patch your system. As well, a software firewall like Sygate would definitely help protect it (or if you have hardware firewalls, get them tuned properly).

--
Mike Kalinovich

On Fri, 10 Sep 2004 09:30:20 +0100, Dinis Cruz <dinis () ddplus net> wrote:
Some questions to help understand your issue better:

- What do you mean by malware? What exactly have you found?
- What do the other Windows logs say?
- Which ISAPI is that?
- Is that ISAPI included in all your webservers?

Dinis

-----Original Message-----
From: John Fisher [mailto:fisherjc () ameritech net]
Sent: 09 September 2004 03:33
To: webappsec () securityfocus com
Subject: Webserver problems

It appears that one of our web servers was compromised; malware was found on the server. Taken from the event log, the event below suggests that a buffer overflow was their 1st attack. Has anyone else seen anything like this, and am I right in thinking this suggests a buffer overflow?

Thanks
John Fisher

Event Type: Error
Event Source: WAM
Event Category: None
Event ID: 204
Date: 8/24/2004
Time: 2:12:26 PM
User: N/A
Computer: webserver1
Description:
The HTTP server encountered an unhandled exception while processing the ISAPI Application '
sspifilt!TerminateFilter + 0x9C8
sspifilt!HttpFilterProc + 0x1FF
w3svc!HTTP_REQ_BASE::BuildURLMovedResponse(class BUFFER *,class STR *,unsigned long,int) + 0x2006
w3svc!HTTP_REQ_BASE::BuildURLMovedResponse(class BUFFER *,class STR *,unsigned long,int) + 0x2BAB
w3svc!HTTP_REQ_BASE::WriteFile(void *,unsigned long,unsigned long *,unsigned long) + 0x71
w3svc!_WamDictatorDumpInfo@8 + 0x2F8B
wam + 0x8459
sasweb + 0x1A541
sasweb!HttpExtensionProc + 0x1E6A
wam!DllCanUnloadNow + 0x636
wam!DllCanUnloadNow + 0x20C
w3svc!HTTP_HEADERS::FindValue(char const *,unsigned long *) + 0xE2
w3svc!STR::Copy(char const *,unsigned long) + 0xC71
w3svc!STR::Copy(char const *,unsigned long) + 0xB49
w3svc!STR::Copy(char const *,unsigned long) + 0x9A2
w3svc!CLIENT_CONN::OnSessionStartup(int *,void *,unsigned long,int) + 0x642
w3svc!HTTP_HEADERS::Reset(void) + 0x1CA
w3svc!STR::Copy(char const *,unsigned long) + 0x16EF
ISATQ!CDirMonitor::RemoveEntry(class CDirMonitorEntry *) + 0x13A
+ 0x69FEF168
'.
For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.
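The record John posted is a WAM Event ID 204 (unhandled exception while IIS was running an ISAPI), and the reply's point is that the first frames sit in sspifilt, the SSL/PCT filter it links to (BID 10115). Below is an added example of how an analyst would triage a batch of such records: parse the exported event text, pull the stack frames apart, take the first frame as the module that was executing when the exception fired, and flag records where that module is on a watch list. It is not code from any of the posters. SAMPLE_EVENT is the event quoted above re-wrapped one frame per line; BENIGN_EVENT, the module name customext, the host webserver2 and its offsets are constructed to show a record that is not flagged. A hit means "check this host's patch level and image it", not "exploited": an unpatched filter crashing under a malformed handshake and a patched one crashing for an unrelated reason look the same in this log.

```python
import re
from dataclasses import dataclass

# Constructed from the event quoted in the thread, one stack frame per line.
SAMPLE_EVENT = """Event Type: Error
Event Source: WAM
Event Category: None
Event ID: 204
Date: 8/24/2004
Time: 2:12:26 PM
User: N/A
Computer: webserver1
Description: The HTTP server encountered an unhandled exception while processing the ISAPI Application '
sspifilt!TerminateFilter + 0x9C8
sspifilt!HttpFilterProc + 0x1FF
w3svc!HTTP_REQ_BASE::BuildURLMovedResponse(class BUFFER *,class STR *,unsigned long,int) + 0x2006
w3svc!HTTP_REQ_BASE::BuildURLMovedResponse(class BUFFER *,class STR *,unsigned long,int) + 0x2BAB
w3svc!HTTP_REQ_BASE::WriteFile(void *,unsigned long,unsigned long *,unsigned long) + 0x71
w3svc!_WamDictatorDumpInfo@8 + 0x2F8B
wam + 0x8459
sasweb + 0x1A541
sasweb!HttpExtensionProc + 0x1E6A
wam!DllCanUnloadNow + 0x636
wam!DllCanUnloadNow + 0x20C
w3svc!HTTP_HEADERS::FindValue(char const *,unsigned long *) + 0xE2
w3svc!STR::Copy(char const *,unsigned long) + 0xC71
w3svc!STR::Copy(char const *,unsigned long) + 0xB49
w3svc!STR::Copy(char const *,unsigned long) + 0x9A2
w3svc!CLIENT_CONN::OnSessionStartup(int *,void *,unsigned long,int) + 0x642
w3svc!HTTP_HEADERS::Reset(void) + 0x1CA
w3svc!STR::Copy(char const *,unsigned long) + 0x16EF
ISATQ!CDirMonitor::RemoveEntry(class CDirMonitorEntry *) + 0x13A
+ 0x69FEF168
'.
For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.
"""

# Hypothetical record (module, host and offsets invented) for a non-flagged case.
BENIGN_EVENT = """Event Type: Error
Event Source: WAM
Event ID: 204
Computer: webserver2
Description: The HTTP server encountered an unhandled exception while processing the ISAPI Application '
customext!HttpExtensionProc + 0x1A2
wam!DllCanUnloadNow + 0x636
w3svc!HTTP_HEADERS::FindValue(char const *,unsigned long *) + 0xE2
+ 0x6A0F1234
'.
"""

# "Field: value" header lines of an exported Event Viewer record.
HEADER_RE = re.compile(r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*)$")
# A frame as WAM prints it: "module!symbol + 0xOFF" or "module + 0xOFF". Symbols can hold
# spaces, '::' and parentheses, so match non-greedily up to the " + 0x" separator.
# The bare trailing "+ 0xADDR" has no module and is deliberately not a frame.
FRAME_RE = re.compile(r"([A-Za-z_]\w*)!(.+?) \+ 0x([0-9A-Fa-f]+)|([A-Za-z_]\w*) \+ 0x([0-9A-Fa-f]+)")
# IIS core modules seen in the trace: frames here are the server, not the ISAPI code it hosted.
IIS_CORE = frozenset({"w3svc", "wam", "isatq"})


@dataclass
class Frame:
    module: str
    symbol: str  # "" for a module-only frame such as "wam + 0x8459"
    offset: int


@dataclass
class WamEvent:
    fields: dict
    frames: list


def parse_event(text: str) -> WamEvent:
    """Split one exported record into header fields and parsed stack frames."""
    fields, desc_lines, in_desc = {}, [], False
    for line in text.splitlines():
        if in_desc:
            desc_lines.append(line)
        elif line.startswith("Description:"):
            in_desc = True
            desc_lines.append(line[len("Description:"):])
        else:
            m = HEADER_RE.match(line.strip())
            if m:
                fields[m.group(1)] = m.group(2).strip()
    description = "\n".join(desc_lines)
    frames = [Frame(m.group(1), m.group(2).strip(), int(m.group(3), 16)) if m.group(1)
              else Frame(m.group(4), "", int(m.group(5), 16))
              for m in FRAME_RE.finditer(description)]
    fields["Description"] = description.strip()
    return WamEvent(fields, frames)


def triage(event: WamEvent, watch_modules=frozenset({"sspifilt"})) -> dict:
    """Is it a WAM 204, which module was executing when the exception fired (the
    first frame), and is that module on the watch list? sspifilt is the default
    because the reply above ties it to the SSL/PCT filter (BID 10115)."""
    is_wam_204 = event.fields.get("Event Source") == "WAM" and event.fields.get("Event ID") == "204"
    top = event.frames[0] if event.frames else None
    isapi_modules = sorted({f.module for f in event.frames if f.module.lower() not in IIS_CORE})
    return {
        "computer": event.fields.get("Computer"),
        "is_wam_204": is_wam_204,
        "faulting_module": top.module if top else None,
        "faulting_symbol": top.symbol if top else None,
        "isapi_modules": isapi_modules,  # every non-core module on the stack, to find the real ISAPI
        "flagged": bool(is_wam_204 and top and top.module.lower() in watch_modules),
    }


def triage_log(export: str) -> list:
    """Triage every record in a text export; each record starts at 'Event Type:'."""
    records = [r for r in re.split(r"(?m)^(?=Event Type:)", export) if r.strip()]
    return [triage(parse_event(r)) for r in records]


if __name__ == "__main__":
    for result in triage_log(SAMPLE_EVENT + "\n" + BENIGN_EVENT):
        print(result)
```

Note what the frame list adds over eyeballing the record: the non-core modules on the stack are sspifilt and sasweb, so the request passed through both the SSL filter and a third-party extension, and the triage has to check the patch state of both rather than stopping at the first name. Run it over a full export (for example the output of an Event Viewer "save as text") and anything with flagged set to True goes on the image-first list from the reply above.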
Current thread:
- Webserver problems John Fisher (Sep 09)
- RE: Webserver problems Dinis Cruz (Sep 10)
- Re: Webserver problems Mike Kalinovich (Sep 11)