Security Basics mailing list archives
random IIS stops and restarts
From: "Craig Janssen" <cjanssen () mail millikin edu>
Date: Thu, 09 Oct 2003 09:24:19 -0500
This has been happening on one of my IIS web servers for a few days, and it just happened again on a second server yesterday. All the processes associated with IIS shutdown for a few seconds and then restarts by itself. A system Error event is logged for each IIS process as it is killed (i.e. W3SVC, SMTPSVC, FTPSVC), and an informational event is logged for the IIS shutdown: Date: 10/8/2003 Time: 14:54 Source: IISCTLS Category: None Event ID: 2 IIS stop command received from user NT AUTHORITY\SYSTEM. The logged data is the status code. For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp. and another as it restarts: Date: 10/8/2003 Time:14:54 Source: IISCTLS Category: None Event ID: 1 IIS start command received from user NT AUTHORITY\SYSTEM. The logged data is the status code. For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp. Also, I'm not sure if it's related or not, but there was a transaction logged in the W3SVC log right before the service shutdown and restarted. I couldn't find anything else unusual in any of the other website logs for the time period: 2003-10-08 19:54:10 <source IP> - <destination IP> 80 POST /scripts/nsiislog.dll Out-of-process+ISAPI+extension+request+failed. 503 NSPlayer/4.1.0.3917 2003-10-08 19:54:10 <source IP> - <destination IP> 80 POST /scripts/nsiislog.dll Out-of-process+ISAPI+extension+request+failed. 503 NSPlayer/4.1.0.3917 I've googled, checked EventID.net, and Microsoft's knowledgebase. All I could find regarding the nsiislog.dll incident was an old exploit posted to Neohapsis back in May for MS03-019 regarding Windows Media services, which I don't even have installed on the server, so I don't think it's related. Any ideas? Do I have a possible intruder or malicious code on the server, or is it just recovering from an external IIS attack? I'm running Win2k server SP3 with all the latest MS security patches applied and NAI VirusScan Enterprise 7 with the latest DAT's. It's not causing any detrimental effects to our website, as the IIS process only goes down for a matter of seconds, but any insight would be greatly appreciated! Thanks, Craig ______________________________ Craig Janssen, MCP, A+ Network and Internet Services Manager Millikin University Information Technology Dept (217) 362-6488 cjanssen () mail millikin edu --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- random IIS stops and restarts Craig Janssen (Oct 09)
- RE: random IIS stops and restarts dave kleiman (Oct 09)
- Re: random IIS stops and restarts Karma (Oct 09)