OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Shoten (shotenstarpower.net)
Date: Mon Nov 12 2001 - 13:02:46 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Does the problem re-occur reliably, and if so, can you put a sniffer on the
    segment and catch the traffic at the time of the incident?

    ----- Original Message -----
    From: "Keith.Morgan" <Keith.MorganTerradon.com>
    To: "'Mike Shaw'" <mshawwwisp.com>; <incidentssecurityfocus.com>
    Sent: Monday, November 12, 2001 1:18 PM
    Subject: RE: IIS (Possible DoS floating around)

    > I've fully reviewed all event logs, webserver logs, IDS and firewall logs
    > for the day of the crash. I can't find a cause, only a symptom. Here is
    an
    > exerpt from the w3svc logs:
    >
    > 2001-11-10 15:41:27 remoteip - localip 80 GET /index.cfm
    > Out-of-process+ISAPI+extension+request+failed. 500 Mozilla/4.0+(c
    > ompatible;+MSIE+5.5;+AOL+6.0;+Windows+98;+Win+9x+4.90)
    >
    > At least in the incidents with which I'm familiar, at least the w3svc,
    > ftpsvc, and cold fusion are running on the machines. There was a
    *possible*
    > time co-incidence with an FTP connection that (according to the log
    entries)
    > dropped with an error.
    >
    >
    >
    > > -----Original Message-----
    > > From: Mike Shaw [mailto:mshawwwisp.com]
    > > Sent: Monday, November 12, 2001 1:03 PM
    > > To: Keith.Morgan; 'incidentssecurityfocus.com'
    > > Subject: Re: IIS (Possible DoS floating around)
    > >
    > >
    > > Any further info on system configurations? ISAPI mappings, installed
    > > software (perl, cold fusion...), running services?
    > >
    > > -Mike
    > >
    > > At 12:27 PM 11/12/2001 -0500, Keith.Morgan wrote:
    > > >The focus-ms list is hopping a little regarding some strange
    > > behaviour from
    > > >IIS.
    > > >
    > > >The symptoms:
    > > >IIS continues to run (or sometimes crashes), but the common
    > > thread is that
    > > >the port is closed.
    > > >
    > > >After recieving a report on focus-ms, and having this same
    > > behaviour occur
    > > >on one of our webservers, I contacted a friend who runs a
    > > (logically) nearby
    > > >network. He indicated that the same problem had occurred on
    > > some of thier
    > > >servers.
    > > >
    > > >I'm currently pouring over logs attempting to locate
    > > anything out of the
    > > >ordinary.
    > > >
    > > >Just a note for all those that will say "make sure you've
    > > applied patches or
    > > >run the hfnetchk:" Our servers are at completely current
    > > patch levels.
    > > >
    > > >
    > > >Keith T. Morgan
    > > >Chief of Information Security
    > > >Terradon Communications
    > > >keith.morganterradon.com
    > > >304-755-8291 x142
    > > >
    > > >
    > > >-------------------------------------------------------------
    > > ---------------
    > > >This list is provided by the SecurityFocus ARIS analyzer service.
    > > >For more information on this free incident handling, management
    > > >and tracking system please see: http://aris.securityfocus.com
    > >
    > >
    >
    > -------------------------------------------------------------------------- 

    --
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>

    ----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com