Solved

IIS 5.0 Web & FTP service terminated unexpectedly

Posted on 2001-08-11
Last Modified: 2008-03-17
My web and ftp services are terminating w/out apparent reason or explanation. I need help troubleshooting it. No clue where to start.

If I "start" the service from the IIS console, it just stops again after a few seconds.

Yesterday I re-started the IIS service completely (from the IIS console) and I thought that had solved the problem, but the services terminated again after about 10-11 minutes.

The event log shows 3 errors (below) and afterwards there are two informational entries where the NT AUTHORITY \ SYSTEM first stops then starts the service.

These are the errors I see:

Event Type:     Error
Event Source:     Service Control Manager
Event Category:     None
Event ID:     7031
Date:          8/10/2001
Time:          11:32:23 PM
User:          N/A
Computer:     HDZSERVER
Description:
The World Wide Web Publishing Service service terminated unexpectedly.  It has done this 167 time(s).  The following corrective action will be taken in 0 milliseconds: No action.

Event Type:     Error
Event Source:     Service Control Manager
Event Category:     None
Event ID:     7031
Date:          8/10/2001
Time:          11:32:23 PM
User:          N/A
Computer:     HDZSERVER
Description:
The FTP Publishing Service service terminated unexpectedly.  It has done this 167 time(s).  The following corrective action will be taken in 0 milliseconds: No action.

Event Type:     Error
Event Source:     Service Control Manager
Event Category:     None
Event ID:     7031
Date:          8/10/2001
Time:          11:32:23 PM
User:          N/A
Computer:     HDZSERVER
Description:
The IIS Admin Service service terminated unexpectedly.  It has done this 51 time(s).  The following corrective action will be taken in 1 milliseconds: Run the configured recovery program.


Question by:dcgames
33 Comments
 
LVL 37

Accepted Solution

by:
meverest earned 100 total points
ID: 6378881
have you applied your IIS patches (especially "code red")?

download and apply them right away.

it is most likely idq.dll buffer overrun attack.

see http://support.microsoft.com/support/kb/articles/Q300/9/72.ASP?LN=EN-US&SD=gn&FR=0&qry=idq.dll&rnk=4&src=DHCS_MSPSS_gn_SRCH&SPR=IIS for the patch.

this one (plus Win2K SP2) will cover you for all attacks.
0
 
LVL 5

Expert Comment

by:dredge
ID: 6380748
I agree with meverest.
0
 
LVL 5

Author Comment

by:dcgames
ID: 6380840
Ok. I'll try tonight. But the patch description didn't say anything in the symptoms about the service crashing.

Dave
0
 
LVL 5

Expert Comment

by:dredge
ID: 6380863
Denial Of Service (DOS, or Distributed DOS) always ends up in services crashing. That's why they are called Denial Of Service.
0
 
LVL 37

Expert Comment

by:meverest
ID: 6382566
if you want to be sure, check your web server logs.  you'll almost certainly find hits on idq.dll with some big Loooong string like 'NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN....NNNNNNNNNNNNNNNN'

cheers.
0
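The log check suggested above applies to the IIS W3C extended log files (by default under %SystemRoot%\System32\LogFiles\W3SVC1), not the Event Log. The following script is an added example, not part of the original thread: the function names, the thresholds and the sample log lines are constructed assumptions, and it also covers the case where `cs-uri-query` is not being logged, so the long string never reaches the log.

```python
import re
from collections import Counter

# Extensions that IIS maps to the Indexing Service ISAPI (idq.dll).
INDEX_EXTS = (".ida", ".idq")
# 64 or more repeats of one character: the "NNNN..." padding described above.
LONG_RUN = re.compile(r"(.)\1{63,}")


def classify(stem, query, max_query=200):
    """Return why a request looks like an idq.dll overrun probe, or None."""
    if not stem.lower().endswith(INDEX_EXTS):
        return None
    if query is None:                  # cs-uri-query is not being logged
        return "query-not-logged"
    if LONG_RUN.search(query):
        return "repeated-char-run"
    if len(query) > max_query:         # max_query is an assumed threshold
        return "long-query"
    return None


def scan_w3c_log(lines):
    """Scan W3C extended log lines; return a list of finding dicts."""
    fields, findings = [], []
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the field list can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        reason = classify(rec.get("cs-uri-stem", ""), rec.get("cs-uri-query"))
        if reason:
            findings.append({"line": lineno, "client": rec.get("c-ip", "?"),
                             "stem": rec["cs-uri-stem"], "reason": reason})
    return findings


def hits_by_client(findings):
    """Count findings per client address, to see who is probing."""
    return Counter(f["client"] for f in findings)


# Constructed sample log (documentation addresses, padding only, no payload).
PAD = "N" * 224
SAMPLE_LOG = f"""#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-10 23:20:01 192.0.2.10 GET /index.htm - 200
2001-08-10 23:21:14 198.51.100.7 GET /default.ida {PAD} 200
2001-08-10 23:22:40 192.0.2.10 GET /search/query.idq CiRestriction=games 200
2001-08-10 23:31:02 203.0.113.5 GET /default.ida {PAD} 200
#Fields: time c-ip cs-method cs-uri-stem sc-status
23:40:00 198.51.100.7 GET /default.ida 200
"""

if __name__ == "__main__":
    found = scan_w3c_log(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"line {f['line']}: {f['client']} {f['stem']} ({f['reason']})")
    print(dict(hits_by_client(found)))
```

A `query-not-logged` finding means the request reached an Indexing Service extension but the log cannot show what was sent; enabling the URI Query field in the site's extended logging properties makes later hits conclusive.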
 
LVL 5

Author Comment

by:dcgames
ID: 6385263
I checked McAfee's description of Code Red. That's not it.

I've got McAfee Server installed on this also, as well as BlackIce Defender. Neither are complaining.

The log has no entries other than "terminated unexpectedly".

E-Mail works (SMTP), but the web and ftp services are down.

I will probably do a Windows Update tonight anyway (couldn't do it last night), but it doesn't seem to be a virus.

Could this be LICENSE related? There was a warning on the event log that said that license replication could not take place because the licensing server was not accessible.

The server it referenced was an old server that was removed and replaced by the current one (old doesn't exist any more). I deleted the old entry and the warning stopped occurring, so I guess it was just a "failure to synchronize" kind of deal.

It's been 48 hrs and the licensing message has not recurred, nor are there any other errors, but web and ftp services still crash.

Dave
0
 
LVL 5

Expert Comment

by:dredge
ID: 6385273
web & ftp services from MS don't look at licensing.

the symptoms you describe fit exactly what happens when you get the code red worm, or another worm/trojan horse that exploits the buffer overrun problems in IIS, despite what you think mcafee is saying.
0
 
LVL 5

Author Comment

by:dcgames
ID: 6385290
Ok. I unfortunately couldn't do the upgrade last night, so I could only check for "tell-tales", such as files in certain places, etc.

I will try again tonight and let you know what happened.

Dave
0
 
LVL 5

Author Comment

by:dcgames
ID: 6385587
Ok. I went home on my lunch break and installed the latest "security patch" with Windows Update.

Rebooted and the site is still up 30 minutes later. So, while it wasn't "Code Red" it certainly was SOMETHING akin to it.

I also checked and the "Critical Update" thingy (the one that tells you a security patch is available) wasn't installed, so that's why I didn't know the code red patch wasn't installed. I ran Windows Update in May, so I did not think I was vulnerable to that worm.

Dredge, I'll give you some points also in the same folder. Look for "Points for dredge" and post a comment.


Dave
0
 
LVL 37

Expert Comment

by:meverest
ID: 6386342
hi,

code red is just some dumb name for a scripted DoS attack that exploits the index server buffer overrun vulnerability.  what you experienced may not necessarily be this actual 'code red' attack, it is still caused by the same vulnerability.

what you experienced is more likely to be the first version of this exploit that showed up mid june sometime.

if you check your logs, you will see it (refer above)

cheers.
0
 
LVL 5

Author Comment

by:dcgames
ID: 6388474
Hmm..

What log would I look into? And how do I look into it. I thought you meant the Event Logs but I gather you are talking about some other logs?

In the event logs I don't see anything. This just started happening with no other log entries besides "terminated unexpectedly".

Dave
0
 

Expert Comment

by:Wrighteous1
ID: 8524829
I have heard of this problem recently. My company and some of our clients have experienced this problem.
There does not seem to be a fix for this problem. at least not one posted by MS.

As MS is well known for "WORKAROUNDS", I HOPE THIS ONE HELPS.
In the properties of the failed services on the windows 2000 server. you can configure the service to restart after the failure.

Go to-> SERVICES under the... "you know where it is".
GO TO the most important one, INFORMATION STORE and double click or select properties.
GO TO-> the RECOVERY TAB.
The default is set to take no action. for the first, second and subsequent failures.
change it to restart the service. change ALL of them if you have frequent problems and or are paranoid.
select the restart time. 1 minute is the default and should be left as is.

I REALLY HOPE THIS HELPS. IT IS NOT A FIX, BUT IT SHOULD SAVE YOU A TRIP TO THE SERVER @ 2AM TO RESTART THE CEO'S E-MAIL.

Ken Wright
Comments: ken@wodonnell.com
0
 

Expert Comment

by:Wrighteous1
ID: 8524873
ADDENDUM to previous post: Sorry for the repetition!

I have heard of this problem recently. My company and some of our clients have experienced this problem.
There does not seem to be a fix for this problem. at least not one posted by MS.

As MS is well known for "WORKAROUNDS", I HOPE THIS ONE HELPS.
In the properties of the failed services on the windows 2000 server. you can configure the service to restart after the failure.

Go to-> SERVICES under the... "you know where it is".
GO TO the most important one, and double click or select properties.
GO TO-> the RECOVERY TAB.
The default is set to take no action. for the first, second and subsequent failures.
change it to restart the service. change ALL of them if you have frequent problems and or are paranoid.
select the restart time. 1 minute is the default and should be left as is.

perform this for all of the failed services
FTP, IIS, SMTP, NNTP, WWW.....

I REALLY HOPE THIS HELPS. IT IS NOT A FIX, BUT IT SHOULD SAVE YOU A TRIP TO THE SERVER @ 2AM TO RESTART THE CEO'S E-MAIL.

Ken Wright
Comments: ken@wodonnell.com
0
 

 

Expert Comment

by:rgodwin
ID: 8608688
The same thing is happening to my server (IIS Admin Service terminated unexpectedly).  It started May 24.  I looked up Code Red II on the Symantec site and ran the check&fix tool.  It didn't find any remnant of the worm.  Thanks Ken for the workaround.  Does anyone know what triggers the error?  We were running along just fine until last week.

Randy Godwin
randygodwin@yahoo.com
0
 

Expert Comment

by:jimmyss80
ID: 8630466
I had this problem once, and even though Microsoft says that it points to the Code Red worm, when I ran the tool it said it didn't find anything.
After further researching on the Microsoft site I found out that the II database was corrupted. Once I uninstalled and reinstalled IIS, reloaded Exchange and remounted the database it never stopped again. Look at an article on Microsoft on how to reinstall IIS on Exchange. Hope this helps; it worked for me.
0

 

Expert Comment

by:brookd12
ID: 8696632
I have had the same Crashing of IIS Admin, World Wide Web Publishing, FTP recently. It only just started happening and happens irregularly. Twice in the last two days.
I do not have Code Red and have looked through URLScan's logs and IIS logs. Everything looks normal. I ran Windows Update and I have all the required patches and updates. BTW, service pack 3.

My real problem is that I have set the services to Restart on Failure, but when they fail they still say "take no action"! Has anyone heard of this setting not working and failing?

Thanks!
0
 

Expert Comment

by:cl0
ID: 8717651
I had the same problem on a W2K SP3 server; my server neither had the Code Red worm, nor does IIS accept the .ida, .idq, .htw, .htr, .cdx, .shtm, .shtml extensions.
I had a look into the log of the web server without noticing any strange request.
Are any of you aware of any fix for this problem?
Thanks a lot
0
 

Expert Comment

by:seanpj
ID: 8730983
The same problem here.
I've been running IIS server for at least 3 months and suddenly around the end of May
I started to experience the 7031 Event ID from Service Control Manager. It happens
3-4 times a week and the usual course of events is:

1/ 5 - 10 times Service Control Manager event #7031 for IIS Service and it's
dependents (FTP, SMTP, WWW). These system events happen about 2 - 10 minutes apart.
Each of these is followed by IISCTLS events 2,1 that indicate restart of IIS

2/ Then it ends with MSFTPSVC, SMTPSVC and W3SVC errors with event ID 115.
And that's it. The only thing that helps is to reboot the server.

I have WIN 2000 SP3 and I have already re-formatted and rebuilt the system
from scratch 2 times. Nothing seems to help.

Will appreciate any comments
Sean
0
 

Expert Comment

by:cl0
ID: 8747735
Hi all,

I've installed the following patches on the system:

Q815021
Q327696
Q811114

The last two are cumulative patches for IIS, and all of them contain the WebDAV fix.
It's about 1 day that the site is up without any problem, I hope this helps to fix the problem.
Please let me know.
Regards
Claudio
0
 

Expert Comment

by:DavidTTV
ID: 8747847
Hi everyone.

Finally a thread that discusses the problem we have.

We have a vital FTP and W3 server (public, but only for our customers and very locked to port 80 with our FW.) that has these "unexplained" crashes.

"The World Wide Web Publishing Service service terminated unexpectedly.  It has done this 112 time(s).  "

It has happened some time in february, then it was calm for a little while until april, then in middle of may and now 2003-06-17.

It seems to work ok after you've restarted the IIS a couple of times. But it has happened that we've had problems for days.

The interesting thing about this thread is that there are postings in august 2001 and then nothing until in may 2003.
Is there some patch that Microsoft released this year that causes this or is it a worm (suggested above).

I did a complete scan with Symantec Antivirus (with def file from 2003-06-11) and found nothing. The IIS LogFiles says nothing unusual either (if it was an attack).

If someone finds a solution please post it here (I will if I find one ;-).

/David.
0
 

Expert Comment

by:brookd12
ID: 8760013
Yeah but, does 1 or 2 days without the crash prove anything? How often were you crashing before?
My crashing is very irregular. Sometimes once a week, then again 3 weeks later, then again two months later.
It's all over the place.

Also, I did not install any of the latest patches because a) I do not use WEBDAV and it is disabled b) I am up to date with patches that I NEED
and do not want to install the latest cumulative patch because I do not need it all...




Hi all,

I've installed the following patches on the system:

Q815021
Q327696
Q811114

The last two are cumulative patches for IIS, and all of them contain the WebDAV fix.
It's about 1 day that the site is up without any problem, I hope this helps to fix the problem.
Please let me know.
Regards
Claudio
0
 

Expert Comment

by:cl0
ID: 8764954
You were right, a few days without a crash doesn't prove that the patch works.
I had the crash on that server very often in the 3 days before I applied the patch and the server is still up and running now.
It's just a test to find the solution. I've installed those patches because I was sure that the system and our application can't be damaged by the installation and maybe they could fix something.
0
 

Expert Comment

by:pwu
ID: 8817263
Hi, All;

We have experienced the same problem last month.....IIS, WWW, SMTP, FTP would stop after running for a while.

Then we upgraded the W2K Advanced Server from SP3 to SP4. It has been up and running without error since then.

I hope it helps
Paul
0
 

Expert Comment

by:DavidTTV
ID: 8826754
SP4 is just a few days old (release june 26?)...

Like a previous post by brookd12. Date: 06/19/2003 10:31AM PDT  :
>Yeah but, does 1 or 2 days without the crash prove anything?  

pwu: Post a comment in two weeks or something ;-).
0
 

Expert Comment

by:seanpj
ID: 8859557
To Claudio:,

regarding your comment from  06/18/2003

>I've installed the following patches on the system:
>Q815021
>Q327696
>Q811114
> ...It's about 1 day that the site is up without any problem, I hope this helps to fix the problem.
>Claudio

I am just about to install the patches.  HOW IS YOUR SYSTEM DOING SINCE YOU APPLIED THEM ???

Thanks, Sean
0
 

Expert Comment

by:cl0
ID: 8859995
Well Sean,
it seems to work; since I patched the system until now (5 July 03) I have had no downtime.
I'm installing those patches right now on another system.
Regards
Claudio

0
 

Expert Comment

by:cl0
ID: 8863253
Hi,
it happened again today (6 July 03)!
Let's see if SP4 fixes the problem!!
Claudio
0
 

Expert Comment

by:hicculus
ID: 8996271
Hi,
Does anyone have some post SP4 installation feedback?  we're having the same problem as all above.

Thanks!
0
 

Expert Comment

by:pwu
ID: 9000077
Since we have applied SP4 the IIS/SMTP etc have not crashed again.

0
 

Expert Comment

by:seanpj
ID: 9017166
I couldn't install the SP4 since it does not exist in Czech version. I only applied the following hot fixes
Q321599
Q327696
Q815021
Q815021
The system was running without any crashes from 7/5/2003 until 7/24/2003 (as opposed to
crashing almost daily before the application of patches). I was just about to declare the
final victory, but I had the same crash (7031) on 7/24/2003. Well, at least it improved
the crash rate. I'll keep you posted.
sean
0
 

Expert Comment

by:seanpj
ID: 9017544
OOPS , I goofed up.

I have just learned that one of my friendly associates caused the 7031 on 7/24/2003
(as I mentioned in my previous post). So,  the conclusion is (so far):

THERE HAVE BEEN NO UNSOLICITED CRASHES SINCE I'VE INSTALLED THE
HOT FIXES MENTIONED IN THE PREVIOUS POST (dated 07/27/2003 09:22PM PDT )

sean
0
 

Expert Comment

by:tremblyj
ID: 9923936
Just migrated intranet to a new server.
Now I'm getting the 7031 crashes!!!   I have Windows 2000 SP4 with all of the critical updates, Exchange 5.5 SP4 OWA and Cold Fusion 4.5.1 SP2

We had NT 4.0 SP6a with all critical updates, Exchange 5.5 SP4 OWA and Cold Fusion 4.01 on the previous server and it did not crash like this.

I've reapplied 2000-SP4 and reinstalled Cold Fusion.  I looked at the IIS log and found that OWA was being accessed at the time of the crash.

Maybe a reinstallation of OWA is in order...

John T.
0
