RE: Webserver problems
From: Dinis Cruz (dinis ddplus.net)
Date: Fri Sep 10 2004 - 03:30:20 CDT
Some questions to help understand your issue better:
- What do you mean by malware? What exactly have you found?
- What do the other Windows logs say?
- Which ISAPI is that?
- Is that ISAPI included in all your webservers?
Dinis
> -----Original Message-----
> From: John Fisher [mailto:fisherjc ameritech.net]
> Sent: 09 September 2004 03:33
> To: webappsec securityfocus.com
> Subject: Webserver problems
>
>
>
> It appears that one of our web servers was compromised; malware was
> found on the server. Taken from the event log, the event below suggests
> that a buffer overflow was their first attack. Has anyone else seen
> anything like this, and am I right in thinking this suggests a buffer
> overflow?
>
> Thanks
>
> John Fisher
>
> Event Type: Error
> Event Source: WAM
> Event Category: None
> Event ID: 204
> Date: 8/24/2004
> Time: 2:12:26 PM
> User: N/A
> Computer: webserver1
> Description:
> The HTTP server encountered an unhandled exception while processing the
> ISAPI Application '
> sspifilt!TerminateFilter + 0x9C8
> sspifilt!HttpFilterProc + 0x1FF
> w3svc!HTTP_REQ_BASE::BuildURLMovedResponse(class BUFFER *,class STR
> *,unsigned long,int) + 0x2006
> w3svc!HTTP_REQ_BASE::BuildURLMovedResponse(class BUFFER *,class STR
> *,unsigned long,int) + 0x2BAB
> w3svc!HTTP_REQ_BASE::WriteFile(void *,unsigned long,unsigned long
> *,unsigned long) + 0x71
> w3svc!_WamDictatorDumpInfo@8 + 0x2F8B
> wam + 0x8459
> sasweb + 0x1A541
> sasweb!HttpExtensionProc + 0x1E6A
> wam!DllCanUnloadNow + 0x636
> wam!DllCanUnloadNow + 0x20C
> w3svc!HTTP_HEADERS::FindValue(char const *,unsigned long *) + 0xE2
> w3svc!STR::Copy(char const *,unsigned long) + 0xC71
> w3svc!STR::Copy(char const *,unsigned long) + 0xB49
> w3svc!STR::Copy(char const *,unsigned long) + 0x9A2
> w3svc!CLIENT_CONN::OnSessionStartup(int *,void *,unsigned long,int) +
> 0x642
> w3svc!HTTP_HEADERS::Reset(void) + 0x1CA
> w3svc!STR::Copy(char const *,unsigned long) + 0x16EF
> ISATQ!CDirMonitor::RemoveEntry(class CDirMonitorEntry *) + 0x13A
> + 0x69FEF168
> '.
> For additional information specific to this message please visit the
> Microsoft Online Support site located at:
> http://www.microsoft.com/contentredirect.asp.
>