Security Basics mailing list archives

Re: Strange server behavior.


From: krymson () gmail com
Date: Tue, 28 Dec 2010 12:11:41 -0700

First thing, run ProcessExplorer (also from SysInternals) and select your offending w3wp process as given by the PID. 
Make sure you have the lower pane showing (View-> Show Lower Pane). This may give you an idea what site/application 
pool that particular w3wp.exe process is from.

That may help narrow down where you should be looking.

It is not uncommon for developers to include some strange code and tools in their sites, and my gut tells me that one 
of those may be phoning home or trying to check into various other places. Definitely not unheard of.

Some things like Ajax calls or web services can make strange calls out, even to Microsoft, to get updates and such. 
Usually they're not scattered, but ya never know what some developer in his basement makes that gets included in 
business use cases...

Second, if you're able to, install Wireshark on the box and see if you can capture some of the GETs. It kinda sounds 
like you've already been able to do this, but maybe do some Googling on what it's looking for?

Third, compare all the files for the offending site (if you're able to narrow it down) with those that your developers 
have on backup or in their source repository or development environments. You'll want to look to see if something new 
has shown up in production that isn't elsewhere. That might be a problem.

Fourth, check your installed software and don't rule anything out that isn't a Microsoft component or product. It is 
not unusual for workstations to exhibit behavior like this, but I would hope servers don't. You'll just want to make 
sure nothing strange is there, or someone else didn't install something you weren't expecting. Normally they shouldn't 
show up as coming from w3wp.exe, however.

Fifth, if you're hosting multiple sites and can't deduce which site may be making these calls out, you can either move 
some sites to a second box, or possibly move some different IP addresses. Obviously, record your current state and take 
backups, since changing things with multiple sites in IIS can be...interesting...sometimes. If the calls are very 
predictable, perhaps during a maintenance window you can actually shut off (followed by an IIS restart) various 
sites/apps to see if you can catch where it is that way.

Sixth, getting really fancy, maybe you can update your local hosts file to point some of those called domains (assuming 
they're domains and not straight IP addresses) to "localhost." These then should show up in either your default site (a 
good practice to keep an empty one around) or the first site in your listing in IIS. You might even be able to 
manufacture a successful GET and see what happens? Again, you're making changes, so follow whatever practices keep you 
able to get back to your original state of things.

All of this is a decent start.


<- snip ->
I have a server 2003 box running IIS that seems to be walking through
URLs. I was looking into this machine for some other odd behavior when
I noticed this. This is a live Web server so no one would be on the
machine (in the typical sense anyway).

Most of the URLs appear to be commercial in nature, but cheesy, like
what you would see in SPAM. All that is in the requests is a GET and
there is no user agent. On the box, tcpview shows that the requests
belong to w3wp.exe.

AV scans on the box and malwarebytes are coming up empty.

What the heck is this?

Thanks.

-- 
Paul Halliday
http://www.pintumbler.org
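The first two steps in the reply above (tie the offending w3wp.exe PID to an application pool, then look at what that process is connecting out to) can be scripted over captured command output. This is an added example, not code from the list post; it assumes the text formats of `netstat -ano` and IIS 7+'s `appcmd list wp`, and the sample output embedded in it is constructed.

```python
# Added triage helper (not from the thread): correlate w3wp.exe PIDs with
# IIS application pools and the outbound TCP connections each one owns.
# Assumes the text formats of `netstat -ano` and IIS 7+'s `appcmd list wp`;
# IIS 6 on Server 2003 uses iisapp.vbs instead, whose output differs.
import re
from collections import defaultdict

# Constructed sample of `appcmd list wp` output (not real data).
APPCMD_OUT = """\
WP "2468" (applicationPool:DefaultAppPool)
WP "3172" (applicationPool:MarketingSite)
"""

# Constructed sample of `netstat -ano` output (not real data).
NETSTAT_OUT = """\
  Proto  Local Address      Foreign Address      State        PID
  TCP    10.0.0.5:80        10.0.0.9:51022       ESTABLISHED  2468
  TCP    10.0.0.5:49211     198.51.100.23:80     ESTABLISHED  3172
  TCP    10.0.0.5:49212     203.0.113.7:80       SYN_SENT     3172
  TCP    0.0.0.0:135        0.0.0.0:0            LISTENING    812
"""

WP_RE = re.compile(r'WP "(\d+)" \(applicationPool:([^)]+)\)')
TCP_RE = re.compile(r'^\s*TCP\s+\S+:(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$')

def parse_app_pools(text):
    """Map worker-process PID -> application pool name."""
    return {int(pid): pool for pid, pool in WP_RE.findall(text)}

def outbound_by_pid(text, served_ports=(80, 443)):
    """Connections the process initiated itself: local side is not one of
    the ports IIS serves on, and the socket is not a listener."""
    out = defaultdict(list)
    for line in text.splitlines():
        m = TCP_RE.match(line)
        if not m:
            continue
        lport, raddr, rport, state, pid = m.groups()
        if int(lport) not in served_ports and state != "LISTENING":
            out[int(pid)].append((raddr, int(rport), state))
    return dict(out)

def suspicious_pools(appcmd_text, netstat_text):
    """{pool: [(remote_ip, remote_port, state), ...]} for every w3wp.exe
    that is opening its own outbound connections (the GETs in the thread)."""
    pools = parse_app_pools(appcmd_text)
    conns = outbound_by_pid(netstat_text)
    return {pools[pid]: c for pid, c in conns.items() if pid in pools}
```

On the constructed sample only the MarketingSite pool's worker is dialing out, which is the site whose files you would then diff against the developers' copies.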

