This sounds just like what happened here. Ended up uninstalling and then reinstalling WiTango server and so far it seems OK.
Couple people mentioned the virus, and maybe it is, but the machine didn't have any traces of the virus and all patches were applied with no success. For us it was giving a 500 error on every third page load exactly but if you refreshed the page would display.

----- Original Message -----
From: "Wilcox, Jamileh (HSC)" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, August 14, 2003 9:56 AM
Subject: Witango-Talk: server being hacked?

Tango2000 on Windows2000 Server SP3, IIS5. Should be up to date on windows patches & hotfixes.

I've got a server acting up. When I saw it last night, I thought it was a remnant of our ongoing battle with Blaster, but today I'm not so sure. The server has been patched and cleaned. Everything works fine for a bit after we reboot, and then it all starts going wonky again. My network admin is looking at that angle.

I keep having problems connecting to the server using Terminal Services (when I open management tools, I get errors saying that it can't connect to the server). At the moment, IIS doesn't even show up in the Computer Management console. IIS is working - the website is up - but Tango is down (gives an HTTP 500 - Internal server error).

Neither the T4Events.log nor the Tango.log show anything unusual. Tango was working this morning and then quit; the log shows the last valid search was 9.47 this morning. After that, there's just no entries for Tango activity.

I'm seeing weird stuff in the IIS logs. However, not just on .taf files, it's on everything. Is this the Tango hack? Or something else? Any advice or suggestions would be appreciated.

Thanks!
jamileh

Last activity in the Tango log:

14/08/2003 09:46:54 157.142.161.14 [EMAIL PROTECTED] 1104 1 433 [Application File] END /finder/default.taf
14/08/2003 09:46:54 157.142.161.14 [EMAIL PROTECTED] 1104 1 433 [Thread] Returning results
14/08/2003 09:46:54 157.142.161.14 [EMAIL PROTECTED] 1104 1 433 [Thread] Stop processing

Concurrent (I think) IIS log:

2003-08-14 14:46:54 157.142.161.14 - 157.142.79.242 80 GET /finder/default.taf - 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
2003-08-14 14:46:54 157.142.161.14 - 157.142.79.242 80 GET /finder/head.jpg - 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
2003-08-14 14:46:54 157.142.161.14 - 157.142.79.242 80 GET /images/help.jpg - 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
2003-08-14 14:47:00 157.142.161.14 - 157.142.79.242 80 GET /intra/ - 302 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
2003-08-14 14:47:00 157.142.161.14 - 157.142.79.242 80 GET /intra/index.html - 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
2003-08-14 14:47:00 157.142.161.14 - 157.142.79.242 80 GET /images/docsyn.jpg - 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
2003-08-14 14:47:00 157.142.161.14 - 157.142.79.242 80 GET /intrafooter.jpg - 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
2003-08-14 14:47:03 157.142.162.68 - 157.142.79.242 80 GET /index.html - 304 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+Q312461)
2003-08-14 14:48:04 65.245.128.124 - 157.142.79.242 80 GET /index.html - 200 Mozilla/4.0
2003-08-14 14:48:06 164.58.144.190 - 157.142.79.242 80 GET /index.html - 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
2003-08-14 14:48:09 164.58.144.190 - 157.142.79.242 80 GET /group1.jpg - 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
2003-08-14 14:48:09 164.58.144.190 - 157.142.79.242 80 GET /images/docsyn.jpg - 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
2003-08-14 14:48:09 164.58.144.190 - 157.142.79.242 80 GET /head.jpg - 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
2003-08-14 14:48:11 164.58.144.190 - 157.142.79.242 80 GET /intrafooter.jpg - 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
2003-08-14 14:48:40 157.142.79.47 - 157.142.79.242 80 GET /index.html - 304 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
2003-08-14 14:48:40 157.142.79.47 - 157.142.79.242 80 GET /head.jpg - 304 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
2003-08-14 14:48:40 157.142.79.47 - 157.142.79.242 80 GET /group1.jpg - 304 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
2003-08-14 14:48:40 157.142.79.47 - 157.142.79.242 80 GET /images/docsyn.jpg - 304 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
2003-08-14 14:48:40 157.142.79.47 - 157.142.79.242 80 GET /intrafooter.jpg - 304 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
2003-08-14 14:53:14 157.142.139.163 - 157.142.79.242 80 GET /phonecenter/PhCtrClinics.taf _ClinID=106Out-of-process+ISAPI+extension+request+failed. 500 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+Hotbar+4.1.8.0)

Here's a sample from early this morning (didn't take Tango out):

2003-08-14 00:14:48 216.240.146.129 - 157.142.79.242 80 GET /index.html - 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+NT;+DigExt;+DTS+Agent
2003-08-14 01:05:42 68.40.168.242 - 157.142.79.242 80 GET /index.html - 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+U8Cqkx0pc.38JtLN;+YWQ qulzc5c1z.oQi;+.NET+CLR+1.1.4322)
2003-08-14 01:05:42 68.40.168.242 - 157.142.79.242 80 GET /head.jpg - 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+U8Cqkx0pc.38JtLN;+YWQ qulzc5c1z.oQi;+.NET+CLR+1.1.4322)
2003-08-14 01:05:42 68.40.168.242 - 157.142.79.242 80 GET /images/docsyn.jpg - 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+U8Cqkx0pc.38JtLN;+YWQ qulzc5c1z.oQi;+.NET+CLR+1.1.4322)
2003-08-14 01:05:42 68.40.168.242 - 157.142.79.242 80 GET /intrafooter.jpg - 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+U8Cqkx0pc.38JtLN;+YWQ qulzc5c1z.oQi;+.NET+CLR+1.1.4322)
2003-08-14 01:05:42 68.40.168.242 - 157.142.79.242 80 GET /group1.jpg - 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+U8Cqkx0pc.38JtLN;+YWQ qulzc5c1z.oQi;+.NET+CLR+1.1.4322)
2003-08-14 01:07:01 68.40.168.242 - 157.142.79.242 80 GET /index.html - 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+U8Cqkx0pc.38JtLN;+YWQ qulzc5c1z.oQi;+.NET+CLR+1.1.4322)
2003-08-14 01:07:01 68.40.168.242 - 157.142.79.242 80 GET /head.jpg - 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+U8Cqkx0pc.38JtLN;+YWQ qulzc5c1z.oQi;+.NET+CLR+1.1.4322)
2003-08-14 01:07:01 68.40.168.242 - 157.142.79.242 80 GET /images/docsyn.jpg - 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+U8Cqkx0pc.38JtLN;+YWQ qulzc5c1z.oQi;+.NET+CLR+1.1.4322)
2003-08-14 01:07:01 68.40.168.242 - 157.142.79.242 80 GET /intrafooter.jpg - 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+U8Cqkx0pc.38JtLN;+YWQ qulzc5c1z.oQi;+.NET+CLR+1.1.4322)
2003-08-14 01:07:01 68.40.168.242 - 157.142.79.242 80 GET /group1.jpg - 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+U8Cqkx0pc.38JtLN;+YWQ qulzc5c1z.oQi;+.NET+CLR+1.1.4322)
2003-08-14 01:07:06 68.40.168.242 - 157.142.79.242 80 GET /physicians.html - 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+U8Cqkx0pc.38JtLN;+YWQ qulzc5c1z.oQi;+.NET+CLR+1.1.4322)
2003-08-14 01:07:06 68.40.168.242 - 157.142.79.242 80 GET /head.jpg - 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+U8Cqkx0pc.38JtLN;+YWQ qulzc5c1z.oQi;+.NET+CLR+1.1.4322)
2003-08-14 01:07:06 68.40.168.242 - 157.142.79.242 80 GET /intrafooter.jpg - 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+U8Cqkx0pc.38JtLN;+YWQ qulzc5c1z.oQi;+.NET+CLR+1.1.4322)
2003-08-14 01:07:06 68.40.168.242 - 157.142.79.242 80 GET /images/mamo.gif - 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+U8Cqkx0pc.38JtLN;+YWQ qulzc5c1z.oQi;+.NET+CLR+1.1.4322)
2003-08-14 01:07:10 68.40.168.242 - 157.142.79.242 80 GET /finder/default.taf - 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+U8Cqkx0pc.38JtLN;+YWQ qulzc5c1z.oQi;+.NET+CLR+1.1.4322)

________________________________________________________________________
TO UNSUBSCRIBE: Go to http://www.witango.com/maillist.taf
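Added example, not part of the thread: a short triage script for logs shaped like the ones quoted above. It finds the point where .taf requests begin returning 500 while static files still serve, and shifts a Tango log stamp onto the IIS clock (IIS W3C logs record UTC). The field order, the -5 hour offset (inferred from 09:46:54 in the Tango log against 14:46:54 in IIS) and all function names are assumptions.

```python
from datetime import datetime, timedelta

# Field order assumed from the IIS lines quoted in the post:
# date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status UA
FIELDS = ["date", "time", "c_ip", "user", "s_ip", "port",
          "method", "uri", "query", "status", "agent"]

# Four lines excerpted from the IIS log in the post above.
SAMPLE = """\
2003-08-14 14:46:54 157.142.161.14 - 157.142.79.242 80 GET /finder/default.taf - 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
2003-08-14 14:47:00 157.142.161.14 - 157.142.79.242 80 GET /intra/index.html - 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
2003-08-14 14:48:40 157.142.79.47 - 157.142.79.242 80 GET /index.html - 304 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
2003-08-14 14:53:14 157.142.139.163 - 157.142.79.242 80 GET /phonecenter/PhCtrClinics.taf _ClinID=106Out-of-process+ISAPI+extension+request+failed. 500 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+Hotbar+4.1.8.0)
""".splitlines()


def parse_line(line):
    """Split one log line; the user agent keeps any embedded spaces."""
    parts = line.split(None, len(FIELDS) - 1)
    if len(parts) != len(FIELDS) or not parts[9].isdigit():
        return None  # header, comment, or a fragment wrapped by the mail client
    rec = dict(zip(FIELDS, parts))
    rec["when"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    rec["status"] = int(rec["status"])
    return rec


def handler_outage(lines, ext=".taf"):
    """Report when requests for `ext` start failing and whether static content still serves."""
    recs = [r for r in map(parse_line, lines) if r]
    dyn = [r for r in recs if r["uri"].lower().endswith(ext)]
    fails = [r for r in dyn if r["status"] >= 500]
    if not fails:
        return None
    fail = fails[0]
    last_ok = max((r["when"] for r in dyn
                   if r["status"] < 400 and r["when"] < fail["when"]), default=None)
    since = last_ok or fail["when"]
    static_ok = any(r["status"] < 400 and r["when"] > since
                    for r in recs if not r["uri"].lower().endswith(ext))
    return {"last_ok": last_ok, "first_fail": fail["when"], "fail_uri": fail["uri"],
            "static_still_ok": static_ok, "isapi_error": "ISAPI+extension" in fail["query"]}


def tango_to_utc(stamp, utc_offset_hours):
    """Tango log stamps are dd/mm/YYYY local time; shift them onto the IIS (UTC) clock."""
    return datetime.strptime(stamp, "%d/%m/%Y %H:%M:%S") - timedelta(hours=utc_offset_hours)
```

A result with `static_still_ok` and `isapi_error` both true points at the out-of-process ISAPI host rather than at IIS as a whole, which matches the symptom described in the post.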
