IIS Index Server - Dr Watson on IIS 4.0


Author Dr Watson on IIS 4.0
Barak Turovsky

2004-04-07, 6:56 am

Hi all,

I have a web site running on IIS 4.0 on Windows NT 4.0 Server SP6a.
The site has been working perfectly for 3 years.
Recently I have a strange problem while the IIS is crashing giving the Dr.
Watson error very frequently.
From IIS logs I learn that the cause for the crash is the search command,
like this:

"18:39:16 68.236.52.230 SEARCH
/
301"

After this command usually (not always) the server is crashing and I need to
restart it.

The regular (good) command looks like this:

21:29:57 192.168.145.24 GET / 301

Any ideas what could cause this crash and how to resolve the problem?

Thanks a lot,

Barak


Hilary Cotter

2004-04-07, 8:44 am

Looks like some sort of buffer overflow. Do you know the IP address
68.236.52.230?
"Barak Turovsky" <baraktur@mail.ru> wrote in message
news:%23rs%23rSIHEHA.1432@TK2MSFTNGP12.phx.gbl...
> Hi all,
>
> I have a web site running on IIS 4.0 on Windows NT 4.0 Server SP6a.
> The site has been working perfectly for 3 years.
> Recently I have a strange problem while the IIS is crashing giving the Dr.
> Watson error very frequently.
> From IIS logs I learn that the cause for the crash is the search command,
> like this:
>
> "18:39:16 68.236.52.230 SEARCH
> /
> 301"
>
> After this command usually (not always) the server is crashing and I need to
> restart it.
>
> The regular (good) command looks like this:
>
> 21:29:57 192.168.145.24 GET / 301
>
> Any ideas what could cause this crash and how to resolve the problem?
>
> Thanks a lot,
>
> Barak



Barak Turovsky

2004-04-07, 11:10 am

Hi Hilary,

No, I don't know the address, and there are many IP addresses which perform
the Search methods (although many of them are
from the same segment).

I'm afraid this is a hacker attack.

Any ideas how to solve the issue? If it's a buffer overflow, can it be
resolved?

Thanks,

"Hilary Cotter" <hilaryk@att.net> wrote in message
news:%23zJ4$lJHEHA.3576@tk2msftngp13.phx.gbl...
> looks like some sort of buffer overflow. Do you know the IP address
> 68.236.52.230?
> "Barak Turovsky" <baraktur@mail.ru> wrote in message
> news:%23rs%23rSIHEHA.1432@TK2MSFTNGP12.phx.gbl...



Hilary Cotter

2004-04-07, 2:49 pm

You can block this IP address or range in IIS
"Barak Turovsky" <baraktur@mail.ru> wrote in message
news:u96V0jKHEHA.3904@TK2MSFTNGP12.phx.gbl...
> Hi Hilary,
>
> No, I don't know the address, and there are many IP addresses which perform
> the Search methods (although many of them are
> from the same segment).
>
> I'm afraid this is a hacker attack.
>
> Any ideas how to solve the issue? If it's a buffer overflow, can it be
> resolved?
>
> Thanks,
>
> "Hilary Cotter" <hilaryk@att.net> wrote in message
> news:%23zJ4$lJHEHA.3576@tk2msftngp13.phx.gbl...


Pat [MSFT]

2004-04-07, 11:36 pm

This looks like a known issue. Are you sure that you have the latest
Security Rollup patches for IIS?

Pat

"Hilary Cotter" <hilaryk@att.net> wrote in message
news:uW$459MHEHA.2876@TK2MSFTNGP09.phx.gbl...
> You can block this IP address or range in IIS
> "Barak Turovsky" <baraktur@mail.ru> wrote in message
> news:u96V0jKHEHA.3904@TK2MSFTNGP12.phx.gbl...
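Added example, not part of the original thread: a log triage script for the situation discussed above, which flags requests using unexpected methods (such as SEARCH) or oversized URIs and groups their sources by /24 segment, so an address or range can be chosen for blocking. The field layout follows the log lines quoted in the thread; the sample lines, the method allow-list and the length threshold are constructed assumptions.

```python
import ipaddress
from collections import Counter

EXPECTED_METHODS = {"GET", "HEAD", "POST"}  # assumption: what this site should see
MAX_URI_LEN = 2048                          # assumption: tune to the site's longest real URL

# Constructed sample lines in the "time client-ip method uri status" layout from the thread.
SAMPLE_LOG = [
    "#Fields: time c-ip cs-method cs-uri-stem sc-status",
    "21:29:57 192.0.2.24 GET / 301",
    "18:39:16 198.51.100.7 SEARCH /" + "A" * 3000 + " 301",
    "18:41:02 198.51.100.93 SEARCH /" + "A" * 3000 + " 301",
    "18:45:10 203.0.113.5 SEARCH /docs 207",
    "garbage line",
]

def parse_line(line):
    """Return a dict for one log line, or None for comments and malformed lines."""
    parts = line.strip().strip('"').split()
    if line.startswith("#") or len(parts) < 5:
        return None
    try:
        ipaddress.ip_address(parts[1])
    except ValueError:
        return None
    # The status is the last field; everything between method and status is the URI.
    return {"time": parts[0], "ip": parts[1], "method": parts[2].upper(),
            "uri": " ".join(parts[3:-1]), "status": parts[-1]}

def suspicious(entry):
    """List the reasons an entry deserves a closer look (empty list if none)."""
    reasons = []
    if entry["method"] not in EXPECTED_METHODS:
        reasons.append("unexpected method " + entry["method"])
    if len(entry["uri"]) > MAX_URI_LEN:
        reasons.append("URI length %d" % len(entry["uri"]))
    return reasons

def summarize(lines, prefix=24):
    """Return (flagged entries with reasons, Counter of source networks)."""
    flagged, nets = [], Counter()
    for line in lines:
        entry = parse_line(line)
        reasons = suspicious(entry) if entry else []
        if reasons:
            flagged.append((entry, reasons))
            net = ipaddress.ip_network("%s/%d" % (entry["ip"], prefix), strict=False)
            nets[str(net)] += 1
    return flagged, nets

if __name__ == "__main__":
    for net, count in summarize(SAMPLE_LOG)[1].most_common():
        print(net, count)
```
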




Copyright 2003 - 2008 webservertalk.com