RE: random IIS stops and restarts

From: dave kleiman (dave_at_netmedic.net)
Date: 10/10/03

    To: "'Craig Janssen'" <cjanssen@mail.millikin.edu>, "'Security Basics Mailing List'" <SECURITY-BASICS@SECURITYFOCUS.COM>
    Date: Thu, 9 Oct 2003 18:30:43 -0400
    Event ID 2 coupled with ID 1 often indicates the Code Red worm or one of its
    variants.

    You will see 1 (a restart command) followed by 2 (a stop command) over and over
    again in the logs.

    I would do a check; if you find no infestation, then try disabling the
    auto-restart: "IISRESET /DISABLE".

    If you are seeing events about some of the other IIS services terminating
    unexpectedly in the same time-frame, you probably are infected.

    _____________________
    Dave Kleiman
    secure@netmedic.net
    www.SecurityBreachResponse.com

    "High achievement always takes place in the framework of high expectation."
    Jack Kinder


    -----Original Message-----
    From: Craig Janssen [mailto:cjanssen@mail.millikin.edu]
    Sent: Thursday, October 09, 2003 10:24
    To: >
    Subject: random IIS stops and restarts

    This has been happening on one of my IIS web servers for a few days, and
    it just happened again on a second server yesterday. All the processes
    associated with IIS shut down for a few seconds and then restart by
    themselves. A system Error event is logged for each IIS process as it is
    killed (i.e. W3SVC, SMTPSVC, FTPSVC), and an informational event is
    logged for the IIS shutdown:

    Date: 10/8/2003
    Time: 14:54
    Source: IISCTLS
    Category: None
    Event ID: 2
    IIS stop command received from user NT AUTHORITY\SYSTEM. The logged
    data is the status code.
    For additional information specific to this message please visit the
    Microsoft Online Support site located at:
    http://www.microsoft.com/contentredirect.asp.

    and another as it restarts:

    Date: 10/8/2003
    Time: 14:54
    Source: IISCTLS
    Category: None
    Event ID: 1
    IIS start command received from user NT AUTHORITY\SYSTEM. The logged
    data is the status code.
    For additional information specific to this message please visit the
    Microsoft Online Support site located at:
    http://www.microsoft.com/contentredirect.asp.

    Also, I'm not sure if it's related or not, but there was a transaction
    logged in the W3SVC log right before the service shutdown and restarted.
     I couldn't find anything else unusual in any of the other website logs
    for the time period:

    2003-10-08 19:54:10 <source IP> - <destination IP> 80 POST
    /scripts/nsiislog.dll Out-of-process+ISAPI+extension+request+failed. 503
    NSPlayer/4.1.0.3917
    2003-10-08 19:54:10 <source IP> - <destination IP> 80 POST
    /scripts/nsiislog.dll Out-of-process+ISAPI+extension+request+failed. 503
    NSPlayer/4.1.0.3917

    I've googled, checked EventID.net, and Microsoft's knowledgebase. All
    I could find regarding the nsiislog.dll incident was an old exploit
    posted to Neohapsis back in May for MS03-019 regarding Windows Media
    services, which I don't even have installed on the server, so I don't
    think it's related. Any ideas? Do I have a possible intruder or
    malicious code on the server, or is it just recovering from an external
    IIS attack?

    I'm running Win2k server SP3 with all the latest MS security patches
    applied and NAI VirusScan Enterprise 7 with the latest DATs. It's not
    causing any detrimental effects to our website, as the IIS process only
    goes down for a matter of seconds, but any insight would be greatly
    appreciated!

    Thanks,

    Craig

    ______________________________
    Craig Janssen, MCP, A+
    Network and Internet Services Manager
    Millikin University Information Technology Dept
    (217) 362-6488
    cjanssen@mail.millikin.edu
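Added example, not part of either message: a small Python triage script that looks for Dave's stop/start pattern (IISCTLS Event ID 2 immediately followed by ID 1) in a flattened System event log and then lists the error requests in the W3SVC log around each cycle, as Craig did by hand for the nsiislog.dll POSTs. The log records are constructed in the layout of the excerpts above, and the server local time is assumed to be UTC-5 (14:54 local matching 19:54 UTC in the post).

```python
from datetime import datetime, timedelta

# Constructed sample in the shape of the System event excerpt, flattened to
# "date time source id message" per record, plus a second stop/start pair.
EVENT_LOG = """\
10/8/2003 14:54 IISCTLS 2 IIS stop command received from user NT AUTHORITY\\SYSTEM.
10/8/2003 14:54 IISCTLS 1 IIS start command received from user NT AUTHORITY\\SYSTEM.
10/8/2003 16:12 IISCTLS 2 IIS stop command received from user NT AUTHORITY\\SYSTEM.
10/8/2003 16:12 IISCTLS 1 IIS start command received from user NT AUTHORITY\\SYSTEM.
"""

# Constructed W3SVC lines (W3C extended format, UTC timestamps) modelled on the post.
W3SVC_LOG = """\
2003-10-08 19:54:10 10.0.0.5 - 10.0.0.1 80 POST /scripts/nsiislog.dll Out-of-process+ISAPI+extension+request+failed. 503 NSPlayer/4.1.0.3917
2003-10-08 19:54:10 10.0.0.5 - 10.0.0.1 80 POST /scripts/nsiislog.dll Out-of-process+ISAPI+extension+request+failed. 503 NSPlayer/4.1.0.3917
2003-10-08 20:30:01 10.0.0.7 - 10.0.0.1 80 GET /default.htm - 200 Mozilla/4.0
"""

# Assumption: server local time is UTC-5, so event-log times convert by subtracting this.
LOCAL_UTC_OFFSET = timedelta(hours=-5)

def parse_events(text):
    """Return (local_time, event_id) for every IISCTLS record."""
    out = []
    for line in text.splitlines():
        date, time, source, eid, _msg = line.split(" ", 4)
        if source == "IISCTLS":
            out.append((datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M"), int(eid)))
    return out

def find_restart_cycles(events, max_gap=timedelta(minutes=1)):
    """Dave's pattern: an ID 2 (stop) followed by an ID 1 (start) within max_gap."""
    cycles = []
    for (t_stop, id_stop), (t_start, id_start) in zip(events, events[1:]):
        if id_stop == 2 and id_start == 1 and timedelta(0) <= t_start - t_stop <= max_gap:
            cycles.append(t_stop)
    return cycles

def parse_w3svc(text):
    """Return (utc_time, method, uri, status) per W3SVC request line."""
    out = []
    for line in text.splitlines():
        f = line.split()
        out.append((datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S"), f[6], f[7], int(f[9])))
    return out

def requests_near_cycle(cycles, requests, window=timedelta(minutes=1)):
    """Map each stop time to the 4xx/5xx requests logged within one minute of it."""
    hits = {}
    for t_stop in cycles:
        stop_utc = t_stop - LOCAL_UTC_OFFSET   # event log is minute-resolution local time
        hits[t_stop] = [r for r in requests if abs(r[0] - stop_utc) <= window and r[3] >= 400]
    return hits
```

A cycle with no nearby error request is worth checking against Dave's second hint (other IIS services terminating unexpectedly in the same time frame).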
