RE: IIS 4.0 DOS attack?
From: Peter Johnson (pjohnson_at_techskills.com)
Date: 07/20/01
- Previous message: Martin, Brad: "IIS 3.0"
- In reply to: Douglas R. Wilson: "IIS 4.0 DOS attack?"
- Next in thread: Douglas R. Wilson: "Re: IIS 4.0 DOS attack?"
Douglas,
Been experiencing the same issue here on some public boxes...IISAdmin and
all dependent services just stop (NT4). No explanation and no anomalous log
entries. On another note - we've been experiencing a 'Chinese' hack on a
Win2k (fully patched) box that points us to worm.com. The file doesn't
exist on the hard drive - it's as if the page is entered into cache.
Any insights would be greatly appreciated...been happening like clockwork
here, too.
Peter
-----Original Message-----
From: Douglas R. Wilson [mailto:dallendoug_at_dallenhome.org]
Sent: Thursday, July 19, 2001 12:43 PM
To: focus-ms_at_SECURITYFOCUS.COM
Subject: IIS 4.0 DOS attack?
running into a frustrating situation, and wondering if anyone has seen
anything like this before --
we have 2 servers on our network that keep having their w3svc crash out
every few minutes, like clockwork. just started a few hours ago. No
strange updates/patches/etc made in the past day or so, servers have
been running for a while -- access to lots of clients and developers
though.
We have several admins working on this -- sifting through logs, etc. So
far, no real anomalies in HTTP logs (no requests with large or weird
packets -- but one server has so many logs, haven't been able to go
through all of them yet) -- but a lot of bogus FTP attempts detected
right before this started happening (ie logins from same IP w/ bogus
login/pass on both servers). This could be total coincidence, or
pre-strike probe.
I know this is not a lot of info -- we are still gathering and
monitoring -- just wondering if this rang a bell with anyone.
TIA,
doug
--
Douglas R. Wilson