What are the business impacts of how well businesses communicate during an IT incident? Targeting, speed, and transparency all matter. Find out more in this infographic.
Course Of The Month
6 days, 3 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
IIS error - CISCO SECURITY?
Posted on 2013-01-06
I have a strange IIS error. Running IIS web server, Win 2003. One web page on my server, announcements.asp, gives an error screen (see attached screen shot). If I rename or copy the file to: test2.asp, the webpage opens way it always has...
I am stumped - any ideas as to why this would suddenly happen or where I should look to clear this up? It does not appear to deliver a payload, and I have scanned for virus and malware with no hits... The server is running slow, so I am suspicious something is amiss, but I am not seeing an error... No other pages on my server are doing this that I can see... No changes in permissions either...
GRRRRrrr. Any help is apprecaited!
error-screen.pdf
I am stumped - any ideas as to why this would suddenly happen or where I should look to clear this up? It does not appear to deliver a payload, and I have scanned for virus and malware with no hits... The server is running slow, so I am suspicious something is amiss, but I am not seeing an error... No other pages on my server are doing this that I can see... No changes in permissions either...
GRRRRrrr. Any help is apprecaited!
error-screen.pdf
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
5-
5
2
12 Comments
I checked the weblog on the server, it appears to be delivering the pages the same:
2013-01-07 02:18:20 W3SVC1 10.70.24.2 GET /brown/announcements.asp - 80 - 173.88.253.196
2013-01-07 02:18:26 W3SVC1 10.70.24.2 GET /brown/test2.asp - 80 - 173.88.253.196
2013-01-07 02:18:20 W3SVC1 10.70.24.2 GET /brown/announcements.asp - 80 - 173.88.253.196
2013-01-07 02:18:26 W3SVC1 10.70.24.2 GET /brown/test2.asp - 80 - 173.88.253.196
Active 1 day ago
there are a cisco device or software with contentfilter.
this device or softwarte has classified the page (or the part with "announcements.asp") as google/search-engine. And it is configured to block this category.
you have to configure this device to not block this page...
also the most vendors use databeses with site-/page-classifications
which cisco solution do you use?
this device or softwarte has classified the page (or the part with "announcements.asp") as google/search-engine. And it is configured to block this category.
you have to configure this device to not block this page...
also the most vendors use databeses with site-/page-classifications
which cisco solution do you use?
That is the rub - I don't use a Cisco Web security device... We are a K12 school district and I do have filtering and firewall, but neither is a Cisco device... So now I am wondering if there is one downstream from me.
Active 1 day ago
content filtering can be implemented within IOS routers also ...
http://www.techrepublic.com/blog/networking/filter-web-content-with-cisco-ios-routers/732
http://www.cisco.com/en/US/products/ps6643/index.html
tell me more about your environment please.
the webserver is configured within the lan or the DMZ or external at the provider ??
the problem is at you internal clients also? (from external i am able to see the error)
... how about renaming the page ?
http://www.techrepublic.com/blog/networking/filter-web-content-with-cisco-ios-routers/732
http://www.cisco.com/en/US/products/ps6643/index.html
tell me more about your environment please.
the webserver is configured within the lan or the DMZ or external at the provider ??
the problem is at you internal clients also? (from external i am able to see the error)
... how about renaming the page ?
Active 1 day ago
ok, every time i open the page i can see another reason (Application/Category)
The error occurs if you try to open the page at the server directly also?
if so, you have something within the IIS- ASP- engine, the ISAPI filter ...
... now i understand your question :-)
The error occurs if you try to open the page at the server directly also?
if so, you have something within the IIS- ASP- engine, the ISAPI filter ...
... now i understand your question :-)
I looked at the ASP and the web server pretty hard before posting as I thought that was the issue too, but did not find anything there. Likewise, a virus scan and malware scan did not bring up anything...
I think our ISP has CISCO filtering. I am waiting on call back. I do not have any filtering using any of my cisco products...
If I rename the file, it delivers fine. It works on the server itself, and if I access from within my network (using any file name), the file is delivered fine (which really points me towards this being something outside of our network/control).
I think our ISP has CISCO filtering. I am waiting on call back. I do not have any filtering using any of my cisco products...
If I rename the file, it delivers fine. It works on the server itself, and if I access from within my network (using any file name), the file is delivered fine (which really points me towards this being something outside of our network/control).
Active 1 day ago
renaming the page is not an option?
you can try to capture the send content (possible send to me) to check your webserver send the correct content .... while i see the error-page.
tell me if you need this - or more infos about how.
you can try to capture the send content (possible send to me) to check your webserver send the correct content .... while i see the error-page.
tell me if you need this - or more infos about how.
Active today
Looks to me like from Cisco URL filtering (I was still thinking of Application Visibility and Control (AVC) engine but that is far from this discussion). The filter has the application and category spelled out [1]. Typically, Local filtering mode: Content Filtering always first tries to match the requested URL with the local black and white lists. If a match is not found, Cisco IOS Software then consults the TRPS server to categorize the requested URL
[0] http://www.cisco.com/en/US/docs/security/asacx/9.0/user/guide/b_User_Guide_for_ASA_CX_and_PRSM_9_0_chapter_012.html#concept_8141E67177A9422A8BDDF73666F4DD63
I know of Cisco at upstream in the ISP level to provide the depth in DDoS protection, specifically relying on Cisco Traffic Anomaly Detector XT and Guard. It is transparent to user. But really strange why you seeing such block from ISP (or upstream) level, they wouldnt have done it unless requested or otherwise. Reputation calculation to categorise as malicious ... [1] . but likewise Cisco can have other URL filtering [2]
[1] http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6643/white_paper_c89-492776.html
[2] http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008088517b.shtml
I did other checks and minimally there is no alerts or malicious report www.ravenna.portage.k12.oh.us
if you check out safe google browsing [3] or urlvoid [4]
[3] http://www.google.com/safebrowsing/diagnostic?site=http://www.ravenna.portage.k12.oh.us/brown/announcements.asp
[4] http://www.urlvoid.com/scan/ravenna.portage.k12.oh.us/
cisco block page at this level but will be good to take a look at the HTTP header return (see the referrer and X-Forwarder) - I dont have the tools right now. From the source IP to check where it is coming from and trace back
[0] http://www.cisco.com/en/US/docs/security/asacx/9.0/user/guide/b_User_Guide_for_ASA_CX_and_PRSM_9_0_chapter_012.html#concept_8141E67177A9422A8BDDF73666F4DD63
I know of Cisco at upstream in the ISP level to provide the depth in DDoS protection, specifically relying on Cisco Traffic Anomaly Detector XT and Guard. It is transparent to user. But really strange why you seeing such block from ISP (or upstream) level, they wouldnt have done it unless requested or otherwise. Reputation calculation to categorise as malicious ... [1] . but likewise Cisco can have other URL filtering [2]
[1] http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6643/white_paper_c89-492776.html
[2] http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008088517b.shtml
I did other checks and minimally there is no alerts or malicious report www.ravenna.portage.k12.oh.us
if you check out safe google browsing [3] or urlvoid [4]
[3] http://www.google.com/safebrowsing/diagnostic?site=http://www.ravenna.portage.k12.oh.us/brown/announcements.asp
[4] http://www.urlvoid.com/scan/ravenna.portage.k12.oh.us/
cisco block page at this level but will be good to take a look at the HTTP header return (see the referrer and X-Forwarder) - I dont have the tools right now. From the source IP to check where it is coming from and trace back
Active today
also saw cisco has scansafe in its portfolio, hopefully not its doing as it also looks at URL reputation
http://www.scansafe.com/deployment
http://www.cisco.com/en/US/products/ps12828/serv_group_home.html
http://www.scansafe.com/deployment
http://www.cisco.com/en/US/products/ps12828/serv_group_home.html
The issue has been identified as coming downstream from our ISP. They have the CISCO device and have it set the web filter to filter both in and out going web responses. The issue is supposed to be fixed today. Thank you for your excellent help!
I picked my answer as a solution because it documents what is really happening to us. That said, the posts from the contributing experts were invaluable for me to fully understand the problem, ID and pinpoint the responsible party and force the resolution and I belive that these posts will help others who may find this issue. Thank you again!!!!!
Featured Post
Nowadays, monitoring is a mixture of tools, systems, and codes—making it a very complex process. And with this complexity, comes variables for failure. Get DZone’s new Guide to Performance to learn how to proactively find these variables and solve them before a disruption occurs.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Suggested Solutions
| Title | # Comments | Views | Activity |
|---|---|---|---|
| PHP 5.6 and 7.x | 4 | 51 | |
| FTP welcome message | 7 | 62 | |
| Exchange OWA website Redirection | 7 | 81 | |
| Need to update SSL certificate on SBS 2011 | 7 | 79 |
You cannot be 100% sure that you can protect your organization against crypto ransomware but you can lower down the risk and impact of the infection.
Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
- Windows OS
- Windows XP
- Windows 7
- Mac OS X
- Windows 10
- Windows 8, Software-Other, System Utilities, Vulnerabilities, Web Browsers
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below.
https://filedb.experts-exchange.com/incoming/2017/03_w12/1151775/Permutations.txt
https://filedb.experts-exchange.com/incoming/201…
Finding and deleting duplicate (picture) files can be a time consuming task. My wife and I, our three kids and their families all share one dilemma: Managing our pictures. Between desktops, laptops, phones, tablets, and cameras; over the last decade…
Suggested Courses
Course of the Month6 days, 3 hours left to enroll
734 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.