WebApp Sec mailing list archives

RE: Webserver problems


From: "Dinis Cruz" <dinis () ddplus net>
Date: Fri, 10 Sep 2004 09:30:20 +0100

Some questions to help understand your issue better:

- What do you mean by malware? What exactly have you found?
- What do the other windows logs say?
- Which ISAPI is that?
- Is that ISAPI included in all your webservers?

Dinis

-----Original Message-----
From: John Fisher [mailto:fisherjc () ameritech net]
Sent: 09 September 2004 03:33
To: webappsec () securityfocus com
Subject: Webserver problems



It appears that one of our web servers was compromised; malware was
found on the server. Taken from the event log, the event below suggests
that a buffer overflow was their 1st attack. Has anyone else seen
anything like this, and am I right in thinking this suggests a buffer
overflow?

Thanks

John Fisher

Event Type:   Error
Event Source: WAM
Event Category:       None
Event ID:     204
Date:         8/24/2004
Time:         2:12:26 PM
User:         N/A
Computer:     webserver1
Description:
The HTTP server encountered an unhandled exception while processing the
ISAPI Application '
sspifilt!TerminateFilter + 0x9C8
sspifilt!HttpFilterProc + 0x1FF
w3svc!HTTP_REQ_BASE::BuildURLMovedResponse(class BUFFER *,class STR
*,unsigned long,int) + 0x2006
w3svc!HTTP_REQ_BASE::BuildURLMovedResponse(class BUFFER *,class STR
*,unsigned long,int) + 0x2BAB
w3svc!HTTP_REQ_BASE::WriteFile(void *,unsigned long,unsigned long
*,unsigned long) + 0x71
w3svc!_WamDictatorDumpInfo@8 + 0x2F8B
wam + 0x8459
sasweb + 0x1A541
sasweb!HttpExtensionProc + 0x1E6A
wam!DllCanUnloadNow + 0x636
wam!DllCanUnloadNow + 0x20C
w3svc!HTTP_HEADERS::FindValue(char const *,unsigned long *) + 0xE2
w3svc!STR::Copy(char const *,unsigned long) + 0xC71
w3svc!STR::Copy(char const *,unsigned long) + 0xB49
w3svc!STR::Copy(char const *,unsigned long) + 0x9A2
w3svc!CLIENT_CONN::OnSessionStartup(int *,void *,unsigned long,int) +
0x642
w3svc!HTTP_HEADERS::Reset(void) + 0x1CA
w3svc!STR::Copy(char const *,unsigned long) + 0x16EF
ISATQ!CDirMonitor::RemoveEntry(class CDirMonitorEntry *) + 0x13A
 + 0x69FEF168
'.
For additional information specific to this message please visit the
Microsoft Online Support site located at:
http://www.microsoft.com/contentredirect.asp.
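As an added triage aid (not part of the original thread), the script below parses the call stack embedded in a WAM event 204 description like the one above, rejoins the signature lines the event viewer wrapped, and flags the frames a responder would want to check first: frames that resolve to no module at all and frames in modules that are not part of IIS itself. The sample event text is a constructed excerpt of the quoted log, and the set of "known IIS modules" is an assumption for this illustration.

```python
import re

# Constructed excerpt of the WAM event 204 description from the post.
SAMPLE_EVENT = """The HTTP server encountered an unhandled exception while processing the
ISAPI Application '
sspifilt!TerminateFilter + 0x9C8
sspifilt!HttpFilterProc + 0x1FF
w3svc!HTTP_REQ_BASE::BuildURLMovedResponse(class BUFFER *,class STR
*,unsigned long,int) + 0x2006
wam + 0x8459
sasweb + 0x1A541
sasweb!HttpExtensionProc + 0x1E6A
ISATQ!CDirMonitor::RemoveEntry(class CDirMonitorEntry *) + 0x13A
 + 0x69FEF168
'.
"""

# Assumption: modules shipped with IIS; anything else is treated as third-party.
KNOWN_IIS_MODULES = {"w3svc", "wam", "sspifilt", "isatq"}

# One frame: optional "module!symbol" (or bare "module"), then "+ 0xOFFSET".
FRAME_RE = re.compile(
    r"^(?:(?P<module>[A-Za-z0-9_]+)(?:!(?P<symbol>.*?))?)?\s*\+\s*(?P<offset>0x[0-9A-Fa-f]+)$")
ENDS_WITH_OFFSET = re.compile(r"\+\s*0x[0-9A-Fa-f]+$")

def extract_stack_text(description):
    """Return the text between the quotes following "ISAPI Application"."""
    return description[description.index("'") + 1:description.rindex("'")]

def parse_frames(description):
    """Rejoin wrapped signature lines and parse each frame into a dict."""
    lines = []
    for raw in extract_stack_text(description).splitlines():
        if not raw.strip():
            continue
        # A line that does not end in "+ 0x..." was wrapped; glue the next one on.
        if lines and not ENDS_WITH_OFFSET.search(lines[-1]):
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    frames = []
    for line in lines:
        m = FRAME_RE.match(line)
        if m:
            frames.append({"module": (m.group("module") or "").lower(),
                           "symbol": m.group("symbol") or "",
                           "offset": int(m.group("offset"), 16)})
    return frames

def triage(frames):
    """Index and reason for each frame worth a closer look."""
    findings = []
    for i, f in enumerate(frames):
        if not f["module"]:
            findings.append((i, "address not attributed to any loaded module"))
        elif f["module"] not in KNOWN_IIS_MODULES:
            findings.append((i, "third-party module: " + f["module"]))
    return findings

if __name__ == "__main__":
    for idx, why in triage(parse_frames(SAMPLE_EVENT)):
        print(idx, why)
```

Run against the full event text, the unresolved last frame and the non-IIS `sasweb` extension are the first things to correlate with the other Windows logs and the web server's request logs from that time.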
