inetinfo.exe accessing ndwjn.dll

on 12.11.2007 10:52:44 by Darren Mease

Hi!

We are running HIPS on our internal web servers, and I don't seem to be
able to find out any information regarding the below:

HIPS (Cisco CSA) Alert:
"TESTMODE: The process 'C:\WINNT\system32\inetsrv\inetinfo.exe' (as
user NT AUTHORITY\SYSTEM) attempted to access a resource which would
have resulted in the user being asked the following question. 'The
process C:\WINNT\system32\inetsrv\inetinfo.exe is attempting to modify
the system file C:\WINNT\system32\ndwjn.dll. Do you wish to allow
this?'"

I can't find any information about ndwjn.dll. I am guessing that it may
have something to do with Dr Watson, as I believe inetinfo is used for
debugging, but I can't get confirmation of this anywhere?

Extra info if this helps:
Server: WindowsNT 5.0.2195 Service Pack 4 [tS] (English)

Any help would be greatly appreciated!

cheers,

Re: inetinfo.exe accessing ndwjn.dll

on 12.11.2007 11:05:27 by Darren Mease

Hi Again,

Same issue with another dll. Same as below but replace ndwjn.dll with
deskjn2x.dll

cheers! :-)

Darren Mease expressed precisely :
> Hi!
>
> We are running HIPS on our internal web servers, and I don't seem to be able
> to find out any information regarding the below:
>
> HIPS (Cisco CSA) Alert:
> "TESTMODE: The process 'C:\WINNT\system32\inetsrv\inetinfo.exe' (as user NT
> AUTHORITY\SYSTEM) attempted to access a resource which would have resulted in
> the user being asked the following question. 'The process
> C:\WINNT\system32\inetsrv\inetinfo.exe is attempting to modify the system
> file C:\WINNT\system32\ndwjn.dll. Do you wish to allow this?'"
>
> I can't find any information about ndwjn.dll. I am guessing that it may have
> something to do with Dr Watson, as I believe inetinfo is used for debugging,
> but I can't get confirmation of this anywhere?
>
> Extra info if this helps:
> Server: WindowsNT 5.0.2195 Service Pack 4 [tS] (English)
>
> Any help would be greatly appreciated!
>
> cheers,

Re: inetinfo.exe accessing ndwjn.dll

on 12.11.2007 12:05:58 by Darren Mease

Another one :-)

'C:\WINNT\system32\inetsrv\inetinfo.exe' accessing resource
'C:\WINNT\system32\scrrun.dll' - is this just inetinfo.exe trying to
write a log file or something?

In general the base CSA rules do not allow inetinfo any access to
*\WINNT\SYSTEM32\*.dll - is there a reference list anywhere of DLLs
that inetinfo regularly uses? Will it be a major security concern to
allow this process to access any of the DLLs?

This is becoming a little bit of a nightmare...

cheers!

Darren Mease pretended :
> Hi Again,
>
> Same issue with another dll. Same as below but replace ndwjn.dll with
> deskjn2x.dll
>
> cheers! :-)

Re: inetinfo.exe accessing ndwjn.dll

on 12.11.2007 15:40:22 by Justin Rich

scrrun.dll - MS Script Runtime (ASP classic maybe? or any script language:
WSH, VBScript, JScript); you probably need it.
deskjn2x.dll - HP DeskJet printer? Do you have IIS printers enabled? (a vdir
called printers)
ndwjn.dll - no clue; find where it is in the system and registry and try to
figure out what it belongs to.

Justin

"Darren Mease" wrote in message
news:mn.62997d7b4bd6e2a0.66302@yahoo.co.uk...
> Another one :-)
>
> 'C:\WINNT\system32\inetsrv\inetinfo.exe' accessing resource
> 'C:\WINNT\system32\scrrun.dll' - is this just inetinfo.exe trying to write
> a log file or something?
>
> In general the base CSA rules do not allow inetinfo any access to
> *\WINNT\SYSTEM32\*.dll - is there a reference list anywhere of DLLs that
> inetinfo regularly uses? Will it be a major security concern to allow
> this process to access any of the DLLs?
>
> This is becoming a little bit of a nightmare...
>
> cheers!

Re: inetinfo.exe accessing ndwjn.dll

on 14.11.2007 05:11:34 by David Wang

I think you will have to reevaluate the use and effectiveness of your
HIPS configuration.

In general, inetinfo.exe can execute legitimate user code in LOB web
applications, and user code can cause any DLL to load, so inetinfo.exe
may legitimately execute any DLL.

On the other hand, inetinfo.exe can also be hijacked by hackers and
illegitimately execute any DLL/EXE.

How do you plan to distinguish who controls inetinfo.exe and whether
their action is legitimate? Trying to limit things by simply
disallowing WINNT\SYSTEM32\*.dll will not be effective and will produce
lots of false positives, as you have clearly found out, and asking why
inetinfo.exe is loading this DLL or that DLL is simply not the right
approach. You can spend a long time tuning the configuration, but
until you can enumerate what code is running in inetinfo.exe and what
dependencies it has, you will keep getting false positives.

For example, inetinfo.exe has no linkage dependency on scrrun.dll.
However, it is possible that you have an ASP page running in Low
Isolation, which will run in inetinfo.exe, and the ASP page can
reference the WScript object and bam, you see that warning. Now, this
particular ASP page may be doing something benign, but what if another
ASP page has a security vulnerability such that it can be exploited to
use WScript to do something nefarious?

I would think that you expect security systems to detect such
nefarious actions, but in this case, how do you plan to distinguish a
benign intent from a malicious one? They both look like an ASP page in
inetinfo.exe loading scrrun.dll.

To me, the security system you enabled is ineffective. Trying to
restrain file access by processes is hopeless when you have no easy
way to define the dependency surface area of a process.

It's like you buying an untrained pet, and you have to spend all the
time training it. Personally, I prefer to have trained pets if I'm
paying the big bucks; unless you happen to like training pets.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//





On Nov 12, 3:05 am, Darren Mease wrote:
> Another one :-)
>
> 'C:\WINNT\system32\inetsrv\inetinfo.exe' accessing resource
> 'C:\WINNT\system32\scrrun.dll' - is this just inetinfo.exe trying to
> write a log file or something?
>
> In general the base CSA rules do not allow inetinfo any access to
> *\WINNT\SYSTEM32\*.dll - is there a reference list anywhere of DLLs
> that inetinfo regularly uses? Will it be a major security concern to
> allow this process to access any of the DLLs?
>
> This is becoming a little bit of a nightmare...
>
> cheers!
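Added example, not from the thread: a small Python triage helper that parses the two alert shapes quoted above (the "attempting to modify the system file" prompt and the plain "accessing resource" line) and sorts each one the way David's reply and Justin's advice point to, by whether the DLL is a known dependency of the code hosted in inetinfo.exe or still needs its owner identified. The sample alert lines, the KNOWN_DEPENDENCIES baseline and the verdict labels are constructed assumptions, not CSA output or CSA policy.

```python
import re
from dataclasses import dataclass
from ntpath import basename

# Constructed sample alerts in the two shapes quoted in the thread.
SAMPLE_ALERTS = [
    "TESTMODE: The process 'C:\\WINNT\\system32\\inetsrv\\inetinfo.exe' (as user "
    "NT AUTHORITY\\SYSTEM) attempted to access a resource which would have resulted "
    "in the user being asked the following question. 'The process "
    "C:\\WINNT\\system32\\inetsrv\\inetinfo.exe is attempting to modify the "
    "system file C:\\WINNT\\system32\\ndwjn.dll. Do you wish to allow this?'",
    "'C:\\WINNT\\system32\\inetsrv\\inetinfo.exe' accessing resource "
    "'C:\\WINNT\\system32\\scrrun.dll'",
    "'C:\\WINNT\\system32\\inetsrv\\inetinfo.exe' accessing resource "
    "'C:\\WINNT\\system32\\deskjn2x.dll'",
]
# Assumed baseline: DLLs already confirmed as dependencies of the code hosted in inetinfo.exe.
KNOWN_DEPENDENCIES = {"scrrun.dll"}

MODIFY_RE = re.compile(r"The process (?P<proc>\S+) is attempting to modify "
                       r"the system file (?P<target>\S+?\.dll)", re.I)
ACCESS_RE = re.compile(r"'(?P<proc>[^']+)' accessing resource '(?P<target>[^']+)'", re.I)

@dataclass
class Finding:
    process: str
    target: str
    action: str   # "modify" or "access"
    verdict: str  # triage outcome

def parse_alert(line):
    """Return (process, target, action) for one CSA alert line, or None."""
    m = MODIFY_RE.search(line)
    if m:
        return m["proc"], m["target"], "modify"
    m = ACCESS_RE.search(line)
    return (m["proc"], m["target"], "access") if m else None

def triage(line, baseline=KNOWN_DEPENDENCIES):
    """A write to a system DLL is never a load dependency; a baseline DLL is expected; the rest need an owner."""
    parsed = parse_alert(line)
    if parsed is None:
        return None
    proc, target, action = parsed
    if action == "modify":
        verdict = "investigate-write"
    elif basename(target).lower() in baseline:
        verdict = "expected-dependency"
    else:
        verdict = "unknown-identify-owner"
    return Finding(proc, target, action, verdict)
```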