Security Basics mailing list archives

random IIS stops and restarts


From: "Craig Janssen" <cjanssen () mail millikin edu>
Date: Thu, 09 Oct 2003 09:24:19 -0500

This has been happening on one of my IIS web servers for a few days, and
it just happened again on a second server yesterday.  All the processes
associated with IIS shut down for a few seconds and then restart by
themselves.  A system Error event is logged for each IIS process as it is
killed (i.e. W3SVC, SMTPSVC, FTPSVC), and an informational event is
logged for the IIS shutdown:

Date: 10/8/2003
Time: 14:54
Source: IISCTLS
Category: None
Event ID: 2
IIS stop command received from user NT AUTHORITY\SYSTEM. The logged
data is the status code. 
For additional information specific to this message please visit the
Microsoft Online Support site located at:
http://www.microsoft.com/contentredirect.asp. 

and another as it restarts:

Date: 10/8/2003
Time: 14:54
Source: IISCTLS
Category: None
Event ID: 1
IIS start command received from user NT AUTHORITY\SYSTEM. The logged
data is the status code. 
For additional information specific to this message please visit the
Microsoft Online Support site located at:
http://www.microsoft.com/contentredirect.asp. 

Also, I'm not sure if it's related or not, but there was a transaction
logged in the W3SVC log right before the service shut down and restarted.
I couldn't find anything else unusual in any of the other website logs
for the time period:

2003-10-08 19:54:10 <source IP> - <destination IP> 80 POST
/scripts/nsiislog.dll Out-of-process+ISAPI+extension+request+failed. 503
NSPlayer/4.1.0.3917
2003-10-08 19:54:10 <source IP> - <destination IP> 80 POST
/scripts/nsiislog.dll Out-of-process+ISAPI+extension+request+failed. 503
NSPlayer/4.1.0.3917

I've googled, checked EventID.net, and Microsoft's Knowledge Base.  All
I could find regarding the nsiislog.dll incident was an old exploit
posted to Neohapsis back in May for MS03-019 regarding Windows Media
services, which I don't even have installed on the server, so I don't
think it's related.  Any ideas?  Do I have a possible intruder or
malicious code on the server, or is it just recovering from an external
IIS attack?

I'm running Win2k server SP3 with all the latest MS security patches
applied and NAI VirusScan Enterprise 7 with the latest DATs.  It's not
causing any detrimental effects to our website, as the IIS process only
goes down for a matter of seconds, but any insight would be greatly
appreciated!

Thanks,

Craig



______________________________
Craig Janssen, MCP, A+
Network and Internet Services Manager
Millikin University Information Technology Dept
(217) 362-6488
cjanssen () mail millikin edu
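
Added example (not part of the original message): a sketch of correlating the IISCTLS stop event with W3SVC requests logged just before it. IIS W3C extended logs record time in UTC while Event Viewer shows local time, so 19:54:10 in the log and 14:54 in the event (UTC-5, per the Date header) are the same minute. The field order, the placeholder IPs and the extra GET line are assumptions constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Field order assumed from the sample lines in the post (no #Fields header was shown).
FIELDS = ["date", "time", "c_ip", "user", "s_ip", "s_port",
          "method", "uri", "query", "status", "agent"]

# Constructed sample: the post's two log lines with placeholder IPs, plus one unrelated hit.
W3SVC_LOG = """\
2003-10-08 19:53:02 192.0.2.10 - 198.51.100.5 80 GET /index.htm - 200 Mozilla/4.0
2003-10-08 19:54:10 192.0.2.77 - 198.51.100.5 80 POST /scripts/nsiislog.dll Out-of-process+ISAPI+extension+request+failed. 503 NSPlayer/4.1.0.3917
2003-10-08 19:54:10 192.0.2.77 - 198.51.100.5 80 POST /scripts/nsiislog.dll Out-of-process+ISAPI+extension+request+failed. 503 NSPlayer/4.1.0.3917
"""

# IISCTLS Event ID 2 (stop) as shown in Event Viewer: local time, minute resolution.
LOCAL_TZ = timezone(timedelta(hours=-5))  # offset taken from the message's Date header
IIS_STOP_LOCAL = datetime(2003, 10, 8, 14, 54, tzinfo=LOCAL_TZ)

def parse_w3svc(text):
    """Yield (utc_timestamp, record) per data line; skip '#' directives and odd lines."""
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        yield ts.replace(tzinfo=timezone.utc), rec

def requests_before_stop(text, stop_local, window=timedelta(minutes=2)):
    """Return records from `window` before the stop event to the end of its minute."""
    stop_utc = stop_local.astimezone(timezone.utc)
    latest = stop_utc + timedelta(minutes=1)  # event time is truncated to the minute
    earliest = stop_utc - window
    return [rec for ts, rec in parse_w3svc(text) if earliest <= ts < latest]

def suspicious(records):
    """Flag requests to ISAPI DLLs that returned a 5xx status inside the window."""
    return [r for r in records
            if r["uri"].lower().endswith(".dll") and r["status"].startswith("5")]

if __name__ == "__main__":
    for r in suspicious(requests_before_stop(W3SVC_LOG, IIS_STOP_LOCAL)):
        print(r["c_ip"], r["method"], r["uri"], r["status"], r["agent"])
```
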
