WebApp Sec mailing list archives
RE: Webserver problems
From: kquest () toplayer com
Date: Mon, 13 Sep 2004 13:06:15 -0400
It seems like we are dealing with an https request (that's why sspifilt is involved) to SAS, some web commerce IIS server extension I personally know nothing about (which extends IIS similar to the way the PHP ISAPI module does). I'm not sure what that SAS IIS server extension is. It could be "SAS BI Web Services" or it could be something else. Does anybody have any idea how SAS fits in this picture? What version of IIS is it anyways?

Kyle

-----Original Message-----
From: Mike Kalinovich [mailto:polaryzed () gmail com]
Sent: Friday, September 10, 2004 10:42 AM
To: webappsec () securityfocus com
Subject: Re: Webserver problems

The sspifilt is built into all IIS servers. It's the ISAPI filter that controls SSL, and probably much more than I know right now. It also has quite a few exploits available for it.

http://www.unital.com/research/ms_ssl_pct.pdf
http://www.securityfocus.com/bid/10115

Windows logs are generally quite useless when it comes to tracking down specifics about who broke into what (most people who break in on purpose don't leave logs for you to find). I would highly recommend you image the drive first, rebuild the server (since once you're compromised, you have no idea what else has been installed or done to it), then install URLScan and fully patch your system. As well, a software firewall like Sygate would definitely help protect (or if you have hardware firewalls, get them tuned properly).

--
Mike Kalinovich

On Fri, 10 Sep 2004 09:30:20 +0100, Dinis Cruz <dinis () ddplus net> wrote:
Some questions to help to understand your issue better:
- What do you mean by malware? What exactly have you found?
- What do the other Windows logs say?
- Which ISAPI is that?
- Is that ISAPI included in all your webservers?

Dinis

-----Original Message-----
From: John Fisher [mailto:fisherjc () ameritech net]
Sent: 09 September 2004 03:33
To: webappsec () securityfocus com
Subject: Webserver problems

It appears that one of our web servers was compromised; malware was found on the server. Taken from the event log, the event below suggests that a buffer overflow was their 1st attack. Has anyone else seen anything like this, and am I right in thinking this suggests a buffer overflow?

Thanks
John Fisher

Event Type: Error
Event Source: WAM
Event Category: None
Event ID: 204
Date: 8/24/2004
Time: 2:12:26 PM
User: N/A
Computer: webserver1
Description:
The HTTP server encountered an unhandled exception while processing the ISAPI Application '
sspifilt!TerminateFilter + 0x9C8
sspifilt!HttpFilterProc + 0x1FF
w3svc!HTTP_REQ_BASE::BuildURLMovedResponse(class BUFFER *,class STR *,unsigned long,int) + 0x2006
w3svc!HTTP_REQ_BASE::BuildURLMovedResponse(class BUFFER *,class STR *,unsigned long,int) + 0x2BAB
w3svc!HTTP_REQ_BASE::WriteFile(void *,unsigned long,unsigned long *,unsigned long) + 0x71
w3svc!_WamDictatorDumpInfo@8 + 0x2F8B
wam + 0x8459
sasweb + 0x1A541
sasweb!HttpExtensionProc + 0x1E6A
wam!DllCanUnloadNow + 0x636
wam!DllCanUnloadNow + 0x20C
w3svc!HTTP_HEADERS::FindValue(char const *,unsigned long *) + 0xE2
w3svc!STR::Copy(char const *,unsigned long) + 0xC71
w3svc!STR::Copy(char const *,unsigned long) + 0xB49
w3svc!STR::Copy(char const *,unsigned long) + 0x9A2
w3svc!CLIENT_CONN::OnSessionStartup(int *,void *,unsigned long,int) + 0x642
w3svc!HTTP_HEADERS::Reset(void) + 0x1CA
w3svc!STR::Copy(char const *,unsigned long) + 0x16EF
ISATQ!CDirMonitor::RemoveEntry(class CDirMonitorEntry *) + 0x13A
+ 0x69FEF168
'.
For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.
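Dinis asks which ISAPI is involved and Kyle is trying to place sasweb; both answers are in the frame list of the Event ID 204 description, which is just hard to read when the event viewer runs it together. The Python script below is an added example, not code from any message in this thread: it parses each frame (module!symbol + offset, module + offset, or a bare return address) into a record, lists the distinct modules top of stack first, and separates IIS's own modules from anything else, so the sasweb extension and the two ISAPI entry points on the stack (HttpFilterProc in sspifilt, HttpExtensionProc in sasweb) fall out mechanically. The set of core IIS module names and the `triage` summary are assumptions for illustration; the sample description is the event text quoted in John Fisher's message.

```python
"""Triage helper for IIS 'WAM' Event ID 204 stack dumps.

Added example, not from the mailing-list thread.  It splits the frame list
quoted in the event description into (module, symbol, offset) records so a
responder can see which ISAPI filters/extensions were on the stack when the
unhandled exception surfaced.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One frame looks like  module!symbol + 0xOFFSET,  module + 0xOFFSET,  or a
# bare  + 0xADDRESS  at the bottom of the stack.  C++ symbols contain spaces
# and commas, so the symbol is matched lazily up to the next " + 0x".
FRAME_RE = re.compile(
    r"(?:(?P<module>[A-Za-z0-9_]+)(?:!(?P<symbol>.+?))?\s)?\+\s0x(?P<offset>[0-9A-Fa-f]+)"
)

# Modules that ship with IIS itself (assumed, partial list; compared case-insensitively).
IIS_CORE_MODULES = {"sspifilt", "w3svc", "wam", "isatq", "inetinfo", "iisrtl"}

# ISAPI entry points: a filter exports HttpFilterProc, an extension HttpExtensionProc.
ISAPI_ENTRY_POINTS = {"HttpFilterProc", "HttpExtensionProc"}


@dataclass
class Frame:
    module: Optional[str]   # None for a bare return address
    symbol: Optional[str]   # None when only module + offset is known
    offset: int


def parse_frames(description: str) -> List[Frame]:
    """Extract stack frames, top of stack first, from the event description."""
    return [
        Frame(m.group("module"), m.group("symbol"), int(m.group("offset"), 16))
        for m in FRAME_RE.finditer(description)
    ]


def modules_on_stack(frames: List[Frame]) -> List[str]:
    """Distinct module names in order of first appearance (top of stack first)."""
    seen: List[str] = []
    for f in frames:
        if f.module and f.module not in seen:
            seen.append(f.module)
    return seen


def third_party_modules(frames: List[Frame]) -> List[str]:
    """Modules on the stack that are not part of IIS itself: these need identifying."""
    return [m for m in modules_on_stack(frames) if m.lower() not in IIS_CORE_MODULES]


def triage(description: str) -> dict:
    """Summarise a WAM 204 description for a responder (assumed helper)."""
    frames = parse_frames(description)
    if not frames:
        raise ValueError("no stack frames found in description")
    return {
        "faulting_module": frames[0].module,  # top frame: where the exception surfaced
        "modules": modules_on_stack(frames),
        "third_party": third_party_modules(frames),
        "isapi_entry_points": [
            f"{f.module}!{f.symbol}" for f in frames if f.symbol in ISAPI_ENTRY_POINTS
        ],
    }


# The Event ID 204 description quoted in John Fisher's message.
SAMPLE_DESCRIPTION = """The HTTP server encountered an unhandled exception while processing the ISAPI Application '
sspifilt!TerminateFilter + 0x9C8
sspifilt!HttpFilterProc + 0x1FF
w3svc!HTTP_REQ_BASE::BuildURLMovedResponse(class BUFFER *,class STR *,unsigned long,int) + 0x2006
w3svc!HTTP_REQ_BASE::BuildURLMovedResponse(class BUFFER *,class STR *,unsigned long,int) + 0x2BAB
w3svc!HTTP_REQ_BASE::WriteFile(void *,unsigned long,unsigned long *,unsigned long) + 0x71
w3svc!_WamDictatorDumpInfo@8 + 0x2F8B
wam + 0x8459
sasweb + 0x1A541
sasweb!HttpExtensionProc + 0x1E6A
wam!DllCanUnloadNow + 0x636
wam!DllCanUnloadNow + 0x20C
w3svc!HTTP_HEADERS::FindValue(char const *,unsigned long *) + 0xE2
w3svc!STR::Copy(char const *,unsigned long) + 0xC71
w3svc!STR::Copy(char const *,unsigned long) + 0xB49
w3svc!STR::Copy(char const *,unsigned long) + 0x9A2
w3svc!CLIENT_CONN::OnSessionStartup(int *,void *,unsigned long,int) + 0x642
w3svc!HTTP_HEADERS::Reset(void) + 0x1CA
w3svc!STR::Copy(char const *,unsigned long) + 0x16EF
ISATQ!CDirMonitor::RemoveEntry(class CDirMonitorEntry *) + 0x13A
+ 0x69FEF168 '."""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_DESCRIPTION).items():
        print(f"{key}: {value}")
```

Paste the description straight out of the event viewer; the first frame is where the exception surfaced (sspifilt here), and anything outside IIS_CORE_MODULES is the component to go and identify (sasweb). The script only tells you which code was on the stack, not whether the request that got there was malicious; that still needs the web logs and the disk image Mike recommends taking before rebuilding.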