IIS Server Security - xmlrpc.php causing system hang?

Author

xmlrpc.php causing system hang?

Mark Lordi

2005-11-14, 5:56 pm

Hello everyone! first time posting here. I have a Windows 2000 server
running iis 5. I am having this weird problem of late (started around
11/7/2005). I noticed in my event viewer under system that I have been
getting these timeout messages from a file called xmlrpc.php. Now the
weird thing is that this message is happening about every fifteen
minutes. The exact error message is:

The script started from the URL '/blog/xmlsrv/xmlrpc.php' with
parameters '' has not responded within the configured timeout period.
The HTTP server is terminating the script.
For additional information specific to this message please visit the
Microsoft Online Support site located at:
http://www.microsoft.com/contentredirect.asp.

The URL changes though to a few different locations.
Here are some:
blog/xmlrpc.php
blogs/xmlrpc.php
wordpress/xmlrpc.php
blog/xmlsrv/xmlrpc.php
blog/xmlsrv/xmlrpc.php

Now eventually my webserver seems to not be able to handle the timeout
sessions and then sometime overnight will eventually stop servering web

requests. It seems as though everything is running normally (services
and everything look fine.) But when you bring up the URL it comes up
with a DNS error. Now if I go and stop and restart the WWW publishing
service everything starts running fine again.

I have found some information about a virus called lupii or lupper.
This virus is targeted at Linux machines though.

So does anyone know of other things I can check to make sure I am
protected, or how to filter out these requests? I really need help
since this is just getting so bothersome now. Any help or ideas are
appreciated. Thank you very much for your time.

Mark

Bernard Cheah [MVP]

2005-11-15, 2:51 am

Well, look at the iis log file and see if the request reach IIS.
Next, this is the latest worm targeting on various php application... so
make sure you are patch
http://www.securityfocus.com/bid/14088

--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://www.msmvps.com/bernard/

"Mark Lordi" <mlordi@gmail.com> wrote in message
news:1131981337.665453.118180@z14g2000cwz.googlegroups.com...
> Hello everyone! first time posting here. I have a Windows 2000 server
> running iis 5. I am having this weird problem of late (started around
> 11/7/2005). I noticed in my event viewer under system that I have been
> getting these timeout messages from a file called xmlrpc.php. Now the
> weird thing is that this message is happening about every fifteen
> minutes. The exact error message is:
>
>
> The script started from the URL '/blog/xmlsrv/xmlrpc.php' with
> parameters '' has not responded within the configured timeout period.
> The HTTP server is terminating the script.
> For additional information specific to this message please visit the
> Microsoft Online Support site located at:
> http://www.microsoft.com/contentredirect.asp.
>
>
> The URL changes though to a few different locations.
> Here are some:
> blog/xmlrpc.php
> blogs/xmlrpc.php
> wordpress/xmlrpc.php
> blog/xmlsrv/xmlrpc.php
> blog/xmlsrv/xmlrpc.php
>
>
> Now eventually my webserver seems to not be able to handle the timeout
> sessions and then sometime overnight will eventually stop servering web
>
> requests. It seems as though everything is running normally (services
> and everything look fine.) But when you bring up the URL it comes up
> with a DNS error. Now if I go and stop and restart the WWW publishing
> service everything starts running fine again.
>
>
> I have found some information about a virus called lupii or lupper.
> This virus is targeted at Linux machines though.
>
>
> So does anyone know of other things I can check to make sure I am
> protected, or how to filter out these requests? I really need help
> since this is just getting so bothersome now. Any help or ideas are
> appreciated. Thank you very much for your time.
>
>
> Mark
>