From: Keith.Morgan (Keith.Morgan@Terradon.com)
Date: Mon Nov 12 2001 - 13:12:39 CST

We haven't seen it re-occurring. Apparently several sites were hit over the
weekend. We're also currently running a sniffer on the segment in addition
to the IDS (which missed this by the way). Also, this is assuming that it
is in actuality a DoS and not a string of coincidences.
I'm not a firm believer in coincidence.
> -----Original Message-----
> From: Shoten [mailto:shoten@starpower.net]
> Sent: Monday, November 12, 2001 2:03 PM
> To: Keith.Morgan; 'Mike Shaw'; incidents@securityfocus.com
> Subject: Re: IIS (Possible DoS floating around)
>
>
> Does the problem re-occur reliably, and if so, can you put a sniffer on the
> segment and catch the traffic at the time of the incident?
>
> ----- Original Message -----
> From: "Keith.Morgan" <Keith.Morgan@Terradon.com>
> To: "'Mike Shaw'" <mshaw@wwisp.com>; <incidents@securityfocus.com>
> Sent: Monday, November 12, 2001 1:18 PM
> Subject: RE: IIS (Possible DoS floating around)
>
>
> > I've fully reviewed all event logs, webserver logs, IDS and firewall logs
> > for the day of the crash. I can't find a cause, only a symptom. Here is an
> > excerpt from the w3svc logs:
> >
> > 2001-11-10 15:41:27 remoteip - localip 80 GET /index.cfm Out-of-process+ISAPI+extension+request+failed. 500 Mozilla/4.0+(compatible;+MSIE+5.5;+AOL+6.0;+Windows+98;+Win+9x+4.90)
> >
> > At least in the incidents with which I'm familiar, at least the w3svc,
> > ftpsvc, and cold fusion are running on the machines. There was a *possible*
> > time co-incidence with an FTP connection that (according to the log entries)
> > dropped with an error.
> >
> >
> >
> > > -----Original Message-----
> > > From: Mike Shaw [mailto:mshaw@wwisp.com]
> > > Sent: Monday, November 12, 2001 1:03 PM
> > > To: Keith.Morgan; 'incidents@securityfocus.com'
> > > Subject: Re: IIS (Possible DoS floating around)
> > >
> > >
> > > Any further info on system configurations? ISAPI mappings, installed
> > > software (perl, cold fusion...), running services?
> > >
> > > -Mike
> > >
> > > At 12:27 PM 11/12/2001 -0500, Keith.Morgan wrote:
> > > >The focus-ms list is hopping a little regarding some strange behaviour from
> > > >IIS.
> > > >
> > > >The symptoms:
> > > >IIS continues to run (or sometimes crashes), but the common thread is that
> > > >the port is closed.
> > > >
> > > >After receiving a report on focus-ms, and having this same behaviour occur
> > > >on one of our webservers, I contacted a friend who runs a (logically) nearby
> > > >network. He indicated that the same problem had occurred on some of their
> > > >servers.
> > > >
> > > >I'm currently poring over logs attempting to locate anything out of the
> > > >ordinary.
> > > >
> > > >Just a note for all those that will say "make sure you've applied patches or
> > > >run the hfnetchk:" Our servers are at completely current patch levels.
> > > >
> > > >
> > > >Keith T. Morgan
> > > >Chief of Information Security
> > > >Terradon Communications
> > > >keith.morgan@terradon.com
> > > >304-755-8291 x142
> > > >
> > > >
> > > >----------------------------------------------------------------------------
> > > >This list is provided by the SecurityFocus ARIS analyzer service.
> > > >For more information on this free incident handling, management
> > > >and tracking system please see: http://aris.securityfocus.com
> > >
> > >
> >
> >