Security Basics mailing list archives

RE: random IIS stops and restarts


From: "dave kleiman" <dave () netmedic net>
Date: Thu, 9 Oct 2003 18:30:43 -0400

Event ID 2 coupled with ID 1 often indicates the Code Red worm or one of its
variants.

You will see 1 (a restart command) followed by 2 (a stop command) over and over
again in the logs.

I would do a check; if you find no infestation, then try disabling the
auto-restart: "IISRESET /DISABLE"

If you are seeing events about some of the other IIS services terminating
unexpectedly in the same time-frame, you probably are infected.

_____________________
Dave Kleiman
secure () netmedic net
www.SecurityBreachResponse.com

"High achievement always takes place in the framework of high expectation."
Jack Kinder

-----Original Message-----
From: Craig Janssen [mailto:cjanssen () mail millikin edu] 
Sent: Thursday, October 09, 2003 10:24
Subject: random IIS stops and restarts

This has been happening on one of my IIS web servers for a few days, and
it just happened again on a second server yesterday.  All the processes
associated with IIS shut down for a few seconds and then restart by
themselves.  A system Error event is logged for each IIS process as it is
killed (i.e. W3SVC, SMTPSVC, FTPSVC), and an informational event is
logged for the IIS shutdown:

Date: 10/8/2003
Time: 14:54
Source: IISCTLS
Category: None
Event ID: 2
IIS stop command received from user NT AUTHORITY\SYSTEM. The logged
data is the status code. 
For additional information specific to this message please visit the
Microsoft Online Support site located at:
http://www.microsoft.com/contentredirect.asp. 

and another as it restarts:

Date: 10/8/2003
Time: 14:54
Source: IISCTLS
Category: None
Event ID: 1
IIS start command received from user NT AUTHORITY\SYSTEM. The logged
data is the status code. 
For additional information specific to this message please visit the
Microsoft Online Support site located at:
http://www.microsoft.com/contentredirect.asp. 

Also, I'm not sure if it's related or not, but there was a transaction
logged in the W3SVC log right before the service shut down and restarted.
I couldn't find anything else unusual in any of the other website logs
for the time period:

2003-10-08 19:54:10 <source IP> - <destination IP> 80 POST
/scripts/nsiislog.dll Out-of-process+ISAPI+extension+request+failed. 503
NSPlayer/4.1.0.3917
2003-10-08 19:54:10 <source IP> - <destination IP> 80 POST
/scripts/nsiislog.dll Out-of-process+ISAPI+extension+request+failed. 503
NSPlayer/4.1.0.3917

I've googled, checked EventID.net, and Microsoft's knowledgebase.  All
I could find regarding the nsiislog.dll incident was an old exploit
posted to Neohapsis back in May for MS03-019 regarding Windows Media
services, which I don't even have installed on the server, so I don't
think it's related.  Any ideas?  Do I have a possible intruder or
malicious code on the server, or is it just recovering from an external
IIS attack?

I'm running Win2k Server SP3 with all the latest MS security patches
applied and NAI VirusScan Enterprise 7 with the latest DATs.  It's not
causing any detrimental effects to our website, as the IIS process only
goes down for a matter of seconds, but any insight would be greatly
appreciated!

Thanks,

Craig



______________________________
Craig Janssen, MCP, A+
Network and Internet Services Manager
Millikin University Information Technology Dept
(217) 362-6488
cjanssen () mail millikin edu
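The two observations in this thread (Dave's repeating IISCTLS ID 2 / ID 1 stop-start pairs, and Craig's failed POSTs to /scripts/nsiislog.dll logged seconds before each restart) can be checked together by correlating the W3SVC log against the System event log. The script below is an added illustration, not code from either poster. It assumes the W3C extended field order visible in Craig's excerpt, constructs sample log lines and event records modelled on the ones he quoted (IPs are documentation addresses), and assumes a UTC offset of -5 hours, since IIS W3C logs are written in UTC while the Event Viewer shows local time (14:54 local vs. 19:54 in the log).

```python
from datetime import datetime, timedelta

# Assumed column order for the W3SVC lines shown in the thread (IIS 5 W3C extended
# format). Check the #Fields: header of your own log and adjust if it differs.
W3SVC_FIELDS = ["date", "time", "c-ip", "cs-username", "s-ip", "s-port",
                "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status",
                "cs(User-Agent)"]

# Constructed sample log modelled on the two lines in the original post.
# Times are UTC, as IIS writes them.
W3SVC_SAMPLE = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2003-10-08 19:53:58 10.0.0.9 - 192.0.2.10 80 GET /index.htm - 200 Mozilla/4.0
2003-10-08 19:54:10 198.51.100.7 - 192.0.2.10 80 POST /scripts/nsiislog.dll Out-of-process+ISAPI+extension+request+failed. 503 NSPlayer/4.1.0.3917
2003-10-08 19:54:10 198.51.100.7 - 192.0.2.10 80 POST /scripts/nsiislog.dll Out-of-process+ISAPI+extension+request+failed. 503 NSPlayer/4.1.0.3917
2003-10-08 20:10:03 10.0.0.9 - 192.0.2.10 80 GET /about.htm - 200 Mozilla/4.0
"""

# Constructed IISCTLS event records as (local timestamp, event id):
# ID 2 = "IIS stop command received", ID 1 = "IIS start command received".
EVENTS_SAMPLE = [
    (datetime(2003, 10, 8, 14, 54, 12), 2),
    (datetime(2003, 10, 8, 14, 54, 20), 1),
    (datetime(2003, 10, 8, 15, 12, 0), 2),
    (datetime(2003, 10, 8, 15, 12, 9), 1),
]


def parse_w3svc(text):
    """Parse W3C extended log lines into dicts; '#' directive lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(W3SVC_FIELDS):
            continue  # different field set or truncated line: ignore rather than misparse
        rec = dict(zip(W3SVC_FIELDS, parts))
        rec["ts_utc"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                          "%Y-%m-%d %H:%M:%S")
        rec["sc-status"] = int(rec["sc-status"])
        records.append(rec)
    return records


def failed_isapi_posts(records, uri_stem="/scripts/nsiislog.dll"):
    """Return POSTs to the given ISAPI extension that IIS answered with 503."""
    return [r for r in records
            if r["cs-method"] == "POST"
            and r["cs-uri-stem"].lower() == uri_stem.lower()
            and r["sc-status"] == 503]


def stop_start_cycles(events, max_gap=timedelta(minutes=2)):
    """Pair each IISCTLS ID 2 (stop) with the next ID 1 (start) within max_gap."""
    cycles = []
    pending_stop = None
    for ts, event_id in sorted(events):
        if event_id == 2:
            pending_stop = ts
        elif event_id == 1 and pending_stop is not None and ts - pending_stop <= max_gap:
            cycles.append((pending_stop, ts))
            pending_stop = None
    return cycles


def correlate(hits, cycles, utc_offset=timedelta(hours=-5), window=timedelta(seconds=30)):
    """Match each failed ISAPI hit (UTC) to an IIS stop that follows it within `window`.

    utc_offset converts the log's UTC timestamps to the event log's local time;
    -5 h is assumed here (Central Daylight Time for the dates in the thread).
    """
    matches = []
    for hit in hits:
        local_ts = hit["ts_utc"] + utc_offset
        for stop, start in cycles:
            if timedelta(0) <= stop - local_ts <= window:
                matches.append((hit["c-ip"], local_ts, stop, start))
    return matches


if __name__ == "__main__":
    recs = parse_w3svc(W3SVC_SAMPLE)
    hits = failed_isapi_posts(recs)
    cycles = stop_start_cycles(EVENTS_SAMPLE)
    print(f"{len(cycles)} stop/start cycle(s), {len(hits)} failed nsiislog.dll POST(s)")
    for c_ip, hit_ts, stop, start in correlate(hits, cycles):
        print(f"{c_ip} hit nsiislog.dll at {hit_ts:%H:%M:%S} local; "
              f"IIS stopped {stop:%H:%M:%S}, restarted {start:%H:%M:%S}")
```

Run against the real logs by reading the W3SVC file into `parse_w3svc` and exporting the System log's IISCTLS events as (timestamp, id) tuples. Restart cycles with no matching request suggest a local cause (a scheduled task, a worm already on the box, or the auto-restart Dave mentions); cycles that line up with 503s from one client IP point to the ISAPI request itself taking the process down, which is the pattern Craig's second log line shows.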
