AW: Suspicious URLScan.log
From: Michael Pruß (pruss@wissner.com)
Date: 09/13/02
From: Michael Pruß <pruss@wissner.com>
To: "'cathal connolly'" <cathal@isoli.co.uk>, <focus-ms@securityfocus.com>
Date: Fri, 13 Sep 2002 14:45:43 +0200
The last 3 days this phenomenon did not appear again.
So I think it is not a problem of an error restart or something like
this.
I will watch the whole thing and will report if there is something going
on that might concern everybody.
Thanks
Michael
-----Original Message-----
From: cathal connolly [mailto:cathal@isoli.co.uk]
Sent: Thursday, 12 September 2002 00:52
To: Michael Pruss; focus-ms@securityfocus.com
Subject: Re: Suspicious URLScan.log
I could be wrong, but that looks suspiciously like IIS restarts. Urlscan
is only an ISAPI filter that runs at the machine level under IIS, and as
such only writes initializing logs after the filter is loaded into IIS.
If you're running w2k/iis5 then by default the IIS admin service is set
to restart (check the recovery tab under services -> IIS admin service).
Possibly your application/hardening process is causing IIS to fail and
restart, causing the odd logs.
Ensure none of your web applications are running as LOW as this runs
within the context of IIS. I would suggest temporarily disabling the
recovery actions or alternatively pointing them at a batch file to log
any failures, and running your web applications as high (isolated).
----- Original Message -----
From: "Michael Pruss" <pruss@wissner.com>
To: <focus-ms@securityfocus.com>
Sent: Tuesday, September 10, 2002 8:43 AM
Subject: Suspicious URLScan.log
>
>
> I use URLScan on an IIS 5. I found some strange behaviour in the
> Logfile of URLScan. There are several startup-messages in a short
> interval but at that time the server has not been restarted.
>
> [09-05-2002 - 21:39:32] ---------------- Initializing UrlScan.log ----------------
> [09-05-2002 - 21:39:32] -- Filter initialization time: [09-05-2002 - 21:39:32] --
> [09-05-2002 - 21:39:32] ---------------- UrlScan.dll Initializing ----------------
>
> ....
>
> [09-05-2002 - 21:44:12] ---------------- Initializing UrlScan.log ----------------
> [09-05-2002 - 21:44:12] -- Filter initialization time: [09-05-2002 - 21:44:12] --
> [09-05-2002 - 21:44:12] ---------------- UrlScan.dll Initializing ----------------
>
> ....
>
> [09-05-2002 - 21:44:19] ---------------- Initializing UrlScan.log ----------------
> [09-05-2002 - 21:44:19] -- Filter initialization time: [09-05-2002 - 21:44:19] --
> [09-05-2002 - 21:44:19] ---------------- UrlScan.dll Initializing ----------------
>
> Can somebody tell me if the URLScan tool does an automatic restart in
> some cases or if there is trouble ahead and somebody found a
> vulnerability in that tool. The server has been killed shortly before
> that. After I hardened the system this strange behavior occurred but
> the server is still alive.
>
> Thanks
> Michael
>
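
The repeated start-up banners discussed in this thread can be looked for mechanically. The following is an added example, not part of any message in the thread: it extracts the `UrlScan.dll Initializing` banners from a log and groups those that fall within a short window, which is what repeated loads of the filter into IIS would produce. The function names, the 10-minute window, the month-day-year date order and the sample log (the three banners from the excerpt above plus one constructed earlier entry) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Matches the banner UrlScan writes each time the filter is loaded into IIS.
INIT_RE = re.compile(
    r"\[(\d{2}-\d{2}-\d{4}) - (\d{2}:\d{2}:\d{2})\] -+ UrlScan\.dll Initializing -+"
)

def init_times(log_text):
    """Return the timestamp of every filter initialization found in the log."""
    # Mailed or archived copies are often hard-wrapped, so collapse whitespace.
    flat = " ".join(log_text.split())
    return [
        datetime.strptime(f"{d} {t}", "%m-%d-%Y %H:%M:%S")  # assumed MM-DD-YYYY
        for d, t in INIT_RE.findall(flat)
    ]

def restart_bursts(times, window=timedelta(minutes=10), min_count=2):
    """Group initializations separated by no more than `window` from the last."""
    bursts, current = [], []
    for ts in sorted(times):
        if current and ts - current[-1] > window:
            if len(current) >= min_count:
                bursts.append(current)
            current = []
        current.append(ts)
    if len(current) >= min_count:
        bursts.append(current)
    return bursts

# Constructed sample: first entry is invented, the rest follow the thread's excerpt.
SAMPLE_LOG = """\
[09-04-2002 - 08:00:00] ---------------- UrlScan.dll Initializing ----------------
[09-05-2002 - 21:39:32] ---------------- Initializing UrlScan.log ----------------
[09-05-2002 - 21:39:32] ---------------- UrlScan.dll
Initializing ----------------
[09-05-2002 - 21:44:12] ---------------- UrlScan.dll Initializing ----------------
[09-05-2002 - 21:44:19] ---------------- UrlScan.dll Initializing ----------------
"""

if __name__ == "__main__":
    for burst in restart_bursts(init_times(SAMPLE_LOG)):
        span = burst[-1] - burst[0]
        print(f"{len(burst)} filter loads within {span}, starting {burst[0]}")
```

Each burst start can then be compared against Service Control Manager entries in the System event log for the same minutes to confirm whether IIS was restarted.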