Re: Webserver problems

[Mike Kalinovich <polaryzed () gmail com>]

The sspifilt is built in to all IIS servers.  It's the isapi filter
that controls SSL, and probably much more than I know right now.  It
also has quite a few exploits available for it.

http://www.unital.com/research/ms_ssl_pct.pdf

http://www.securityfocus.com/bid/10115

Windows logs are generally quite useless when it comes to tracking
down specifics about who broke into what (most people who break in on
purpose don't leave logs for you to find).

I would highly recommend you image the drive first, rebuild the server
(since once you're compromised, you have no idea what else has been
installed or done to it), then install URLScan and fully patch your
system.  As well a software firewall like Sygate would definitely help
protect.  (or if you have hardware firewalls, get them tuned properly)

--
Mike Kalinovich



On Fri, 10 Sep 2004 09:30:20 +0100, Dinis Cruz <dinis () ddplus net> wrote:
> Some questions to help to understand your issue better
>
> - What do you mean by malware? What exactly have you found?
> - What do the other windows logs say?
> - Which ISAPI is that?
> - Is that ISAPI included in all your webservers?
>
> Dinis
>
> > -----Original Message-----
> > From: John Fisher [mailto:fisherjc () ameritech net]
> > Sent: 09 September 2004 03:33
> > To: webappsec () securityfocus com
> > Subject: Webserver problems
> >
> >
> >
> > It appears that one of our web servers was compromised, malware was
> > found on the server. Taken from the event log, the event below suggests
> > that a buffer overflow was their 1st attack. Has anyone else seen
> > anything like this and am I right in thinking this suggests a buffer
> > overflow.
> >
> > Thanks
> >
> > John Fisher
> >
> > Event Type:   Error
> > Event Source: WAM
> > Event Category:       None
> > Event ID:     204
> > Date:         8/24/2004
> > Time:         2:12:26 PM
> > User:         N/A
> > Computer:     webserver1
> > Description:
> > The HTTP server encountered an unhandled exception while processing the
> > ISAPI Application '
> > sspifilt!TerminateFilter + 0x9C8
> > sspifilt!HttpFilterProc + 0x1FF
> > w3svc!HTTP_REQ_BASE::BuildURLMovedResponse(class BUFFER *,class STR
> > *,unsigned long,int) + 0x2006
> > w3svc!HTTP_REQ_BASE::BuildURLMovedResponse(class BUFFER *,class STR
> > *,unsigned long,int) + 0x2BAB
> > w3svc!HTTP_REQ_BASE::WriteFile(void *,unsigned long,unsigned long
> > *,unsigned long) + 0x71
> > w3svc!_WamDictatorDumpInfo@8 + 0x2F8B
> > wam + 0x8459
> > sasweb + 0x1A541
> > sasweb!HttpExtensionProc + 0x1E6A
> > wam!DllCanUnloadNow + 0x636
> > wam!DllCanUnloadNow + 0x20C
> > w3svc!HTTP_HEADERS::FindValue(char const *,unsigned long *) + 0xE2
> > w3svc!STR::Copy(char const *,unsigned long) + 0xC71
> > w3svc!STR::Copy(char const *,unsigned long) + 0xB49
> > w3svc!STR::Copy(char const *,unsigned long) + 0x9A2
> > w3svc!CLIENT_CONN::OnSessionStartup(int *,void *,unsigned long,int) +
> > 0x642
> > w3svc!HTTP_HEADERS::Reset(void) + 0x1CA
> > w3svc!STR::Copy(char const *,unsigned long) + 0x16EF
> > ISATQ!CDirMonitor::RemoveEntry(class CDirMonitorEntry *) + 0x13A
> >  + 0x69FEF168
> > '.
> > For additional information specific to this message please visit the
> > Microsoft Online Support site located at:
> > http://www.microsoft.com/contentredirect.asp.