Security Incidents mailing list archives
Re: IIS (Possible DoS floating around)
From: "Ezequiel Diaz-Pacheco" <tempo () stec com ar>
Date: Mon, 12 Nov 2001 18:58:55 -0300
I have had the same problem (twice, 6 hours apart) as described last Saturday, 11/Nov.

In my logs I can see this:

2001-11-11 02:02:52 148.233.179.134 xx.xx.xx.xx (my ip) GET /privacy.asp |-|ASP_0115|Unexpected_error 200 0 280

Also, in the Event Viewer (I log the ASP errors) I have these entries at the moment:

"Error: File /default.asp Unexpected error "

After the problem, I rebooted the box and the problem has not come back.

----
Ezequiel Diaz-Pacheco
alienduce () stec com ar

----- Original Message -----
From: "Shoten" <shoten () starpower net>
To: "Keith.Morgan" <Keith.Morgan () Terradon com>; "'Mike Shaw'" <mshaw () wwisp com>; <incidents () securityfocus com>
Sent: Monday, November 12, 2001 16:02
Subject: Re: IIS (Possible DoS floating around)

Does the problem re-occur reliably, and if so, can you put a sniffer on the segment and catch the traffic at the time of the incident?

----- Original Message -----
From: "Keith.Morgan" <Keith.Morgan () Terradon com>
To: "'Mike Shaw'" <mshaw () wwisp com>; <incidents () securityfocus com>
Sent: Monday, November 12, 2001 1:18 PM
Subject: RE: IIS (Possible DoS floating around)

I've fully reviewed all event logs, webserver logs, IDS and firewall logs for the day of the crash. I can't find a cause, only a symptom. Here is an excerpt from the w3svc logs:

2001-11-10 15:41:27 remoteip - localip 80 GET /index.cfm Out-of-process+ISAPI+extension+request+failed. 500 Mozilla/4.0+(compatible;+MSIE+5.5;+AOL+6.0;+Windows+98;+Win+9x+4.90)

At least in the incidents with which I'm familiar, at least the w3svc, ftpsvc, and cold fusion are running on the machines. There was a *possible* time co-incidence with an FTP connection that (according to the log entries) dropped with an error.

-----Original Message-----
From: Mike Shaw [mailto:mshaw () wwisp com]
Sent: Monday, November 12, 2001 1:03 PM
To: Keith.Morgan; 'incidents () securityfocus com'
Subject: Re: IIS (Possible DoS floating around)

Any further info on system configurations? ISAPI mappings, installed software (perl, cold fusion...), running services?

-Mike

At 12:27 PM 11/12/2001 -0500, Keith.Morgan wrote:

The focus-ms list is hopping a little regarding some strange behaviour from IIS.

The symptoms: IIS continues to run (or sometimes crashes), but the common thread is that the port is closed.

After receiving a report on focus-ms, and having this same behaviour occur on one of our webservers, I contacted a friend who runs a (logically) nearby network. He indicated that the same problem had occurred on some of their servers.

I'm currently poring over logs attempting to locate anything out of the ordinary.

Just a note for all those that will say "make sure you've applied patches or run the hfnetchk:" Our servers are at completely current patch levels.

Keith T. Morgan
Chief of Information Security
Terradon Communications
keith.morgan () terradon com
304-755-8291 x142

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- IIS (Possible DoS floating around) Keith.Morgan (Nov 12)
- Re: IIS (Possible DoS floating around) Mike Shaw (Nov 12)
- <Possible follow-ups>
- RE: IIS (Possible DoS floating around) Keith.Morgan (Nov 12)
- Re: IIS (Possible DoS floating around) Shoten (Nov 12)
- Re: IIS (Possible DoS floating around) Ezequiel Diaz-Pacheco (Nov 12)
- Re: IIS (Possible DoS floating around) Shoten (Nov 12)
- RE: IIS (Possible DoS floating around) Keith.Morgan (Nov 12)