Re: Suspicious URLScan.log
From: cathal connolly (cathal@isoli.co.uk)Date: 09/12/02
- Previous message: Tosh, Michael J (N-Joule): "RE: Windows XP file deletion"
- In reply to: Michael Pruss: "Suspicious URLScan.log"
- Next in thread: Michael Pruß: "AW: Suspicious URLScan.log"
- Reply: Michael Pruß: "AW: Suspicious URLScan.log"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "cathal connolly" <cathal@isoli.co.uk> To: "Michael Pruss" <pruss@wissner.com>, <focus-ms@securityfocus.com> Date: Wed, 11 Sep 2002 23:51:45 +0100
I could be wrong, but that looks suspiciously like IIS restarts. Urlscan is
only an ISAPI filter that runs at the machine level under IIS, and as such
only writes initializing logs after the filter is loaded into IIS. If you're
running w2k/iis5 then by default the IIS admin service is set to restart
(check the recovery tab under services - >IIS admin service). Possibly your
application/hardening process is causing IIS to fail and restart, causing
the odd logs.
Ensure none of your web applications are running as LOW as this runs within
the context of IIS. I would suggest temporarily disabling the recovery
actions or alternatively pointing them at a batch file to log any failures,
and running your web applications as high (isolated).
----- Original Message -----
From: "Michael Pruss" <pruss@wissner.com>
To: <focus-ms@securityfocus.com>
Sent: Tuesday, September 10, 2002 8:43 AM
Subject: Suspicious URLScan.log
>
>
> I use URLScan on a IIS 5. I found some strange behaviour in the Logfile of
> URLScan. There are several startup-messages in a short interval but at
> that time the server has not been restarted.
>
> [09-05-2002 - 21:39:32] ---------------- Initializing
> UrlScan.log ----------------
> [09-05-2002 - 21:39:32] -- Filter initialization time: [09-
> 05-2002 - 21:39:32] --
> [09-05-2002 - 21:39:32] ---------------- UrlScan.dll
> Initializing ----------------
>
> ....
>
> [09-05-2002 - 21:44:12] ---------------- Initializing
> UrlScan.log ----------------
> [09-05-2002 - 21:44:12] -- Filter initialization time: [09-
> 05-2002 - 21:44:12] --
> [09-05-2002 - 21:44:12] ---------------- UrlScan.dll
> Initializing ----------------
>
> ....
>
> [09-05-2002 - 21:44:19] ---------------- Initializing
> UrlScan.log ----------------
> [09-05-2002 - 21:44:19] -- Filter initialization time: [09-
> 05-2002 - 21:44:19] --
> [09-05-2002 - 21:44:19] ---------------- UrlScan.dll
> Initializing ----------------
>
> Can somebody tell me if the URLScan tool does an automatic restart in some
> cases or if there is trouble ahead and somebody found a vulnerability in
> that tool. The server has been killed shortly before that. After i
> hardened the system this strange behavior occured but the server is still
> alive.
>
> Thanks
> Michael
>
- Previous message: Tosh, Michael J (N-Joule): "RE: Windows XP file deletion"
- In reply to: Michael Pruss: "Suspicious URLScan.log"
- Next in thread: Michael Pruß: "AW: Suspicious URLScan.log"
- Reply: Michael Pruß: "AW: Suspicious URLScan.log"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
