WebApp Sec mailing list archives
RE: Webserver problems
From: "Dinis Cruz" <dinis () ddplus net>
Date: Fri, 10 Sep 2004 09:30:20 +0100
Some questions to help to understand your issue better

- What do you mean by malware? What exactly have you found?
- What do the other Windows logs say?
- Which ISAPI is that?
- Is that ISAPI included in all your webservers?

Dinis
-----Original Message-----
From: John Fisher [mailto:fisherjc () ameritech net]
Sent: 09 September 2004 03:33
To: webappsec () securityfocus com
Subject: Webserver problems

It appears that one of our web servers was compromised; malware was found on the server. Taken from the event log, the event below suggests that a buffer overflow was their 1st attack. Has anyone else seen anything like this, and am I right in thinking this suggests a buffer overflow?

Thanks
John Fisher

Event Type: Error
Event Source: WAM
Event Category: None
Event ID: 204
Date: 8/24/2004
Time: 2:12:26 PM
User: N/A
Computer: webserver1
Description:
The HTTP server encountered an unhandled exception while processing the ISAPI Application '
sspifilt!TerminateFilter + 0x9C8
sspifilt!HttpFilterProc + 0x1FF
w3svc!HTTP_REQ_BASE::BuildURLMovedResponse(class BUFFER *,class STR *,unsigned long,int) + 0x2006
w3svc!HTTP_REQ_BASE::BuildURLMovedResponse(class BUFFER *,class STR *,unsigned long,int) + 0x2BAB
w3svc!HTTP_REQ_BASE::WriteFile(void *,unsigned long,unsigned long *,unsigned long) + 0x71
w3svc!_WamDictatorDumpInfo@8 + 0x2F8B
wam + 0x8459
sasweb + 0x1A541
sasweb!HttpExtensionProc + 0x1E6A
wam!DllCanUnloadNow + 0x636
wam!DllCanUnloadNow + 0x20C
w3svc!HTTP_HEADERS::FindValue(char const *,unsigned long *) + 0xE2
w3svc!STR::Copy(char const *,unsigned long) + 0xC71
w3svc!STR::Copy(char const *,unsigned long) + 0xB49
w3svc!STR::Copy(char const *,unsigned long) + 0x9A2
w3svc!CLIENT_CONN::OnSessionStartup(int *,void *,unsigned long,int) + 0x642
w3svc!HTTP_HEADERS::Reset(void) + 0x1CA
w3svc!STR::Copy(char const *,unsigned long) + 0x16EF
ISATQ!CDirMonitor::RemoveEntry(class CDirMonitorEntry *) + 0x13A
 + 0x69FEF168
'.
For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.
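One way to approach the "Which ISAPI is that?" question from the event text alone, as an added example that is not part of the original thread: split the Description into frames and list the modules that are not IIS components, frames with no module name, and frames whose offset is too large for the symbol name to be trusted. `TRACE` is an excerpt of the frames quoted above; the `IIS_MODULES` set and the `0x1000` threshold are assumptions to adjust for your build.

```python
import re

# Excerpt of the frames in the event Description quoted above (not the full trace).
TRACE = (
    "sspifilt!TerminateFilter + 0x9C8 sspifilt!HttpFilterProc + 0x1FF "
    "w3svc!HTTP_REQ_BASE::BuildURLMovedResponse(class BUFFER *,class STR *,"
    "unsigned long,int) + 0x2006 wam + 0x8459 sasweb + 0x1A541 "
    "sasweb!HttpExtensionProc + 0x1E6A wam!DllCanUnloadNow + 0x636 "
    "w3svc!STR::Copy(char const *,unsigned long) + 0x16EF "
    "ISATQ!CDirMonitor::RemoveEntry(class CDirMonitorEntry *) + 0x13A "
    " + 0x69FEF168"
)

# Assumption: modules that ship with IIS itself; everything else is reported.
IIS_MODULES = {"w3svc", "wam", "isatq", "sspifilt"}

# A frame is "<module>[!<symbol>] + 0x<offset>"; module and symbol may be absent.
FRAME = re.compile(r"(.*?)\s*\+ 0x([0-9A-Fa-f]+)\s*", re.S)


def parse_frames(trace):
    """Return (module, symbol, offset) tuples in the order they were logged."""
    frames = []
    for m in FRAME.finditer(trace):
        module, _, symbol = m.group(1).strip().partition("!")
        frames.append((module.lower(), symbol, int(m.group(2), 16)))
    return frames


def triage(frames, iis_modules=IIS_MODULES, max_offset=0x1000):
    """Group the frames an analyst would look at first."""
    report = {"third_party": [], "no_module": [], "far_from_symbol": []}
    for module, symbol, offset in frames:
        if not module:
            # Address that was not resolved to any module name in the log.
            report["no_module"].append(offset)
        elif module not in iis_modules and module not in report["third_party"]:
            report["third_party"].append(module)
        # Without full symbols the name is only the nearest preceding export,
        # so a large offset means the real function is probably a different one.
        if symbol and offset > max_offset:
            report["far_from_symbol"].append(f"{module}!{symbol}")
    return report


if __name__ == "__main__":
    for key, values in triage(parse_frames(TRACE)).items():
        print(key, values)
```
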