January 2005 - Posts
So how do you restart an application pool manually? I know there are many health-check and performance options that you can configure via the IIS MMC, but what if you really need to recycle it from the command prompt? You might think the /r flag of IisApp.vbs works. However, I have just been told it does not (I can't verify this, as I have SP1 installed). MS actually has an in-house VBS script called iisrecycle.vbs, which I don't think I can post here. Anyway, it's similar to the one that can be found at the IIS Scripting Repository.
Or get W2K3 SP1, and IisApp.vbs will work! Here's my test result:
Command Prompt -
-----
C:\Documents and Settings\Administrator>iisapp /a DefaultAppPool /r
Connecting to server ...Done.
Application pool 'DefaultAppPool' recycled successfully.
-----
Event Log -
-----
Event Type: Information
Event Source: W3SVC
Event Category: None
Event ID: 1079
Date: 1/27/2005
Time: 4:01:12 PM
User: N/A
Computer: GOGOGO
Description:
An administrator has requested a recycle of all worker processes in
application pool 'DefaultAppPool'.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-----
And of course, I also made sure that the PID of w3wp.exe changed after the recycle.
Actually this is one of the replies I posted on the .tw.iis newsgroup:
Log file:
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-11-16 10:54:13
#Fields: time c-ip cs-username s-port cs-method cs-uri-stem sc-status
10:54:13 ip1 anonymous@ftp.microsoft.com 21 [135]USER anonymous@ftp.microsoft.com 331
10:54:13 ip1 - 21 [135]PASS - 530
11:48:04 ip2 anonymous 21 [136]USER anonymous 331
11:48:04 ip2 - 21 [136]PASS Cgpuser@home.com 530
13:50:27 ip3 Anonymous 21 [137]USER Anonymous 331
13:50:27 ip3 - 21 [137]PASS guest@my.net 530
17:40:30 ip4 anonymous 21 [138]USER anonymous 331
17:40:30 ip4 - 21 [138]PASS IEUser@ 530
17:40:30 ip4 anonymous 21 [139]USER anonymous 331
17:40:30 ip4 - 21 [139]PASS IEUser@ 530
17:40:41 ip4 Administrator 21 [140]USER Administrator 331
17:40:41 ip4 Administrator 21 [140]PASS - 230
Q&A:
1) What do the [135] and 331 stand for? Where do I look for the details about this status code?
A: First, the [135] in the cs-method field is the connection id of the IIS FTP session; in this case the first connection from ip1 is the 135th connection since the service started. A USER command and its matching PASS carry the same connection id, which is how you pair them up in the log.
331 is the reply code and stands for "User name okay, need password", per RFC 959 of course. The next line, with reply code 530 ("Not logged in"), means the logon was refused: the username/password could be wrong, or the account may lack the permissions or user rights needed to log on. For the complete list of codes and their descriptions, refer to this KB - IIS Status code.
2) My Win2k machine doesn't have anonymous@ftp.microsoft.com and I didn't allow anonymous access. Is this user trying to log in by guessing the username?
A: Yes, but I would say this is pretty useless, as this UPN-style (user principal name) login has a domain of ftp.microsoft.com, which I don't think has anything to do with you (i.e. you can't authenticate against that domain), so again, this is useless. (The user@host form is also what some FTP clients send when they are configured to go through a user@host-style FTP proxy, so it may simply be a misconfigured client.) If you see logins like 'administrator', or usernames that actually exist in your user database, then most likely the attacker is trying to log in using a known username.
3) Hence, in the 2nd line, PASS - 530 tells us that the user didn't log in, right?
A: Yes, refer to 1.
4) But on lines 4 and 6, why is there an e-mail address between PASS and 530?
A: Good question. Both line 3 and line 5 show users trying to log in anonymously, and you see the cs-username as 'anonymous'. Even with the anonymous account you still need to provide a password, and it could be anything, but IIS FTP responds with:
"331 Anonymous access allowed, send identity (e-mail name) as password."
Hence most users (and clients) enter an e-mail address as the password, and for anonymous logons that password is captured in the FTP log file.
5) The last two log entries indicate the user has logged on to FTP?
A: Yes, because the reply code for PASS is 230, which indicates a successful logon. Note, however, that IIS does not store the password of a non-anonymous logon in the log file; that is why the PASS entry shows '-'.
6) On the third-last line there's IEUser@ in the PASS field. Why is that there?
A: This clearly tells us that the user is using IE. By default IE logs in as anonymous when you browse an FTP site, hence you see the username 'anonymous', and IEUser@ is just the password that IE sends.
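Here is an added example (not part of the original post) that turns the reasoning in the Q&A above into a small parser. It reads W3C FTP log lines like the ones quoted (embedded below as sample data, copied from the excerpt above; ip1..ip4 are the post's own placeholders), strips the [n] connection id from cs-method, pairs each PASS with the USER on the same connection, counts 530 failures per client, collects the "e-mail" passwords sent for anonymous logons, and flags a client that gets a 230 after earlier failures (ip4 above, which failed twice as anonymous and then logged on as Administrator). The function and variable names are my own, not from IIS or the post.

```python
"""Summarise logon activity from IIS FTP W3C extended log lines (added example)."""
from collections import defaultdict
import re

# Sample data copied from the log excerpt in the post above (ip1..ip4 are placeholders).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-11-16 10:54:13
#Fields: time c-ip cs-username s-port cs-method cs-uri-stem sc-status
10:54:13 ip1 anonymous@ftp.microsoft.com 21 [135]USER anonymous@ftp.microsoft.com 331
10:54:13 ip1 - 21 [135]PASS - 530
11:48:04 ip2 anonymous 21 [136]USER anonymous 331
11:48:04 ip2 - 21 [136]PASS Cgpuser@home.com 530
13:50:27 ip3 Anonymous 21 [137]USER Anonymous 331
13:50:27 ip3 - 21 [137]PASS guest@my.net 530
17:40:30 ip4 anonymous 21 [138]USER anonymous 331
17:40:30 ip4 - 21 [138]PASS IEUser@ 530
17:40:30 ip4 anonymous 21 [139]USER anonymous 331
17:40:30 ip4 - 21 [139]PASS IEUser@ 530
17:40:41 ip4 Administrator 21 [140]USER Administrator 331
17:40:41 ip4 Administrator 21 [140]PASS - 230
"""

# IIS FTP prefixes the verb with the connection id: "[135]USER" -> id 135, verb USER
METHOD_RE = re.compile(r"^\[(\d+)\](\w+)$")


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        rec = dict(zip(fields, values))
        m = METHOD_RE.match(rec["cs-method"])
        if m:
            rec["conn-id"], rec["cs-method"] = int(m.group(1)), m.group(2)
        yield rec


def analyse(text):
    """Pair USER/PASS per connection id and summarise the outcomes per client IP."""
    pending_user = {}                  # conn-id -> username given in the USER command
    failed = defaultdict(int)          # c-ip -> number of 530 replies to PASS
    anon_passwords = defaultdict(set)  # c-ip -> "e-mail" passwords sent for anonymous
    successes = []                     # (c-ip, username) for every 230 reply
    after_failure = set()              # IPs that got a 230 after earlier 530s
    for rec in parse_w3c(text):
        verb, ip = rec["cs-method"], rec["c-ip"]
        if verb == "USER":
            pending_user[rec["conn-id"]] = rec["cs-uri-stem"]
        elif verb == "PASS":
            user = pending_user.pop(rec["conn-id"], "?")
            status = int(rec["sc-status"])
            # Only anonymous passwords reach the log; real ones are logged as "-".
            if user.lower() == "anonymous" and rec["cs-uri-stem"] != "-":
                anon_passwords[ip].add(rec["cs-uri-stem"])
            if status == 530:
                failed[ip] += 1
            elif status == 230:
                successes.append((ip, user))
                if failed.get(ip):
                    after_failure.add(ip)
    return {
        "failed": dict(failed),
        "anon_passwords": {ip: sorted(v) for ip, v in anon_passwords.items()},
        "successes": successes,
        "success_after_failure": sorted(after_failure),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(SAMPLE_LOG), indent=2))
```

On the sample above this reports one 530 each for ip1..ip3 and two for ip4, the three anonymous "passwords" (Cgpuser@home.com, guest@my.net, IEUser@), a single 230 for ip4 as Administrator, and ip4 as the one client whose successful logon followed failed attempts, which is the line you would want to look at first in a real log.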
WOLF! It's not an Xbox game title. It's Windows OnLine Forensics, the Microsoft internal IR (incident response) toolkit. Take a look at this great story by Robert Hensing, one of the best hacking and investigation analyses that I have read.
I know this is a bit late :) Well, I've just been busy. The business trip to Ireland was almost HELL: one of the SQL cluster pairs experienced a problem that took 6 hours and a call to MS PSS UK to fix, then a motorway (the M1) was closed in between for tunnel road work, so I had to reroute via other roads and was lost for almost 2 hours :( And lastly the weather. If you've been to Dublin during winter, you know what I mean. It's cold, windy and wet. I know the temperature didn't go below zero, but coming from my place it's a good drop of 30 degrees, and on the last night of my stay it even snowed. I was driving back to the hotel, and the snow made it very difficult and dangerous to drive.
Anyway, back to the topic :) IIS Control Panel by Jake (IIS MVP) has now officially moved to IIS-Resource.com by Jeffery (IIS MVP). Of course, I hang out there as well. Read the complete news here.
It's OUT!!!!! Finally, after a long time. It was due last year, but some 'non-technical' issues hindered its release. Anyway, it's out now with tons of brand-new features. You won't believe what this tiny application can do :) Here's the overview from the MS download page.
“Log parser is a powerful, versatile tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows® operating system such as the Event Log, the Registry, the file system, and Active Directory®. You tell Log Parser what information you need and how you want it processed. The results of your query can be custom-formatted in text based output, or they can be persisted to more specialty targets like SQL, SYSLOG, or a chart.
Most software is designed to accomplish a limited number of specific tasks. Log Parser is different... the number of ways it can be used is limited only by the needs and imagination of the user. The world is your database with Log Parser."
Get it here! Also, remember the last publication project I'm working on? Well, with this release the book should be out soon. Be sure to get one yourself. I did the IIS section, but Log Parser is not just about IIS :) There's a lot more you can do with it. For example, it supports SYSLOG analysis, cool Office chart output, and firewall and IDS log file analysis as well.
811251 FIX: You receive the "530 User \username cannot log in" error message when you try to log on to an FTP site that is hosted by Internet Information Services 5.0
886810 The values in the Request.ClientCertificate object are not displayed correctly in IIS 6.0
835880 You receive a "400 – BadRequest" error message from Internet Information Services 6.0
890015 You receive a "The process cannot access the file because it is being used by another process" error message when you try to start a Web site in the Internet Information Services 6.0 MMC snap-in
886695 You receive an "Error 1053: The service did not respond to the start or control request in a timely fashion" error message when a service that uses the Local System account tries to start on a Windows Server 2003-based computer
Throttling Resources and Aiding Performance on IIS Using Windows System Resource Manager (WSRM) (Level 200)
Windows System Resource Manager (WSRM) is a new feature in Windows Server 2003, Enterprise Edition and Windows Server 2003, Datacenter Edition. WSRM helps administrators and developers ensure that resources are not consumed by one single application, which is especially important in a shared hosting environment. Learn the WSRM basics, as well as how to configure WSRM to monitor IIS resources.