Hello all!

I need help w/a client's server we host.

After using the IISLockdown tool and configuring URLScan, all seems fine.
However, the client has scripts on their sites that have the .plx extension.
Over a short time, [within a day] CPU utilization is being consumed by
dllhost.exe.
I looked at the Application mappings within the MMC for IIS5 and saw that
the .plx extension is using 'D:\Perl\bin\PerlIS.dll'.
I changed it to 'D:\Perl\bin\Perl.exe "%s" %s' which is configured on their
local development server which works.
Well, their scripts just time out, then fail with the timeout error
message.

Any ideas?
I checked the Perl configuration settings on both servers and they are
identical. URLScan's config seems fine.

Any help and ideas?

Dan

Re: Help w/IIS5, CPU Utilization... & Active Perl... by GVaught

GVaught
Thu Sep 11 15:25:47 CDT 2003

When you use the IISLockdown tool it very likely locked down the ability to
execute the Perl Script. Check to make sure the folder where the script
files are located has Script/Execute permissions and not just script under
IIS; this is needed to execute Perl scripts under IIS, but I'm sure you know
that.

The PerlIsapi.dll is part of the ActivePerl package so whether you use the
Isapi reference or the Perl exe, I don't think it matters.

Also ensure they have all patches installed to the web server to ensure the
dllhost.exe has not been hijacked by the Nachi.worm or Blaster, which are
related.


Re: Help w/IIS5, CPU Utilization... & Active Perl... by basura_

basura_
Fri Sep 12 15:12:34 CDT 2003

Well, GVaught,

I have the permissions set to script/execute. And I verified that the
server and the file had not been compromised.
I double checked but it still does not work. Any other ideas are greatly
appreciated.
And thanks GVaught for your timely response.

Dan

Re: Help w/IIS5, CPU Utilization... & Active Perl... by basura_

basura_
Mon Sep 15 17:28:30 CDT 2003

Hello all, again!
We did some more t-shooting regarding the problem. We had IIS IISState &
Debug installed. Here is the copy of the log report. Could anyone decipher
it?
To recap, it's IIS5 on Win2K. CPU utilization reaches max with the culprit
being dllhost.exe. Suspect it's a Perl script [.plx extension] that's
mapped to 'D:\Perl\bin\PerlIS.dll'. When changed to 'D:\Perl\bin\Perl.exe
"%s" %s', the scripts don't work at all, they just time out.

If anyone has any suggestions, please reply to the group.

TIA!!

***********************
Starting new log output
IISState version 3.1

Fri Aug 29 13:45:53 2003

OS = Windows 2000
Executable: dllhost.exe
PID = 4948

Note: Thread times are formatted as HH:MM:SS.ms

***********************




Thread ID: 0
System Thread ID: 1720
Kernel Time: 0:0:0.31
User Time: 0:0:0.15
Thread Status: Thread is in a WAIT state.
Thread Type: Other
# ChildEBP RetAddr
00 0006fd28 77ea9b35 ntdll!NtWaitForSingleObject+0xb
01 0006fd50 77e8b32b KERNEL32!WaitForSingleObjectEx+0x71
02 0006fd60 77aaa473 KERNEL32!WaitForSingleObject+0xf
03 0006fd80 77aa9c81 ole32!CSurrogateProcessActivator::WaitForSurrogateTimeout+0x4f
04 0006fd9c 01001230 ole32!CoRegisterSurrogateEx+0x169
05 0006ff24 010014c6 dllhost!WinMain+0xb0
06 0006ffc0 77ea847c dllhost!WinMainCRTStartup+0x156
07 0006fff0 00000000 KERNEL32!BaseProcessStart+0x3d




Thread ID: 1
System Thread ID: a8c
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Other
# ChildEBP RetAddr
00 0090ff30 77abaf9f USER32!NtUserGetMessage+0xb
01 0090ff70 77abaeed ole32!CDllHost::STAWorkerLoop+0x40
02 0090ff8c 77abae28 ole32!CDllHost::WorkerThread+0xc2
03 0090ff90 77ab4710 ole32!DLLHostThreadEntry+0x9
04 0090ffa8 77ab4668 ole32!CRpcThread::WorkerLoop+0x22
05 0090ffb4 77e8b2d8 ole32!CRpcThreadCache::RpcWorkerThreadEntry+0x1a
06 0090ffec 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 2
System Thread ID: 848
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Other
# ChildEBP RetAddr
00 00a1fc6c 77e95244 ntdll!NtRemoveIoCompletion+0xb
01 00a1fc98 6de8b953 KERNEL32!GetQueuedCompletionStatus+0x27
02 00a1fd94 6de8b8a8 TxfAux!WORK_QUEUE::WorkerLoop+0x83
03 00a1ffb4 77e8b2d8 TxfAux!WORK_QUEUE::ThreadLoop+0x58
04 00a1ffec 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 3
System Thread ID: 14c4
Kernel Time: 0:3:33.0
User Time: 0:3:17.734
*** WARNING: Unable to verify checksum for
*** ERROR: Symbol file could not be found. Defaulted to export symbols
or -
*** WARNING: Unable to verify checksum for
*** ERROR: Symbol file could not be found. Defaulted to export symbols
or -
Thread Type: ISAPI Extension
# ChildEBP RetAddr
00 00ade528 65d866db ntdll!NtOpenThreadToken+0xb
01 00ade548 65d8844a wam!DoRevertHack+0x21
02 00ade570 281a17b0 wam!WriteClient+0x155
WARNING: Stack unwind information not available. Following frames may be wrong.
03 00ade590 281a2bed perlis+0x17b0
04 00ade5b0 281a22ea perlis+0x2bed
05 00ade5e4 2808778a perlis+0x22ea
06 00ade624 280899ee Perl58!Perl_PerlIO_write+0x21
07 00ade640 280892f4 Perl58!PerlIOBuf_set_ptrcnt+0x4d4
08 00ade65c 2808990e Perl58!PerlIOBuf_write+0x83
09 00ade680 2808778a Perl58!PerlIOBuf_set_ptrcnt+0x3f4
0a 00ade6b8 2803b6d4 Perl58!Perl_PerlIO_write+0x21
0b 00ade6e4 2805d706 Perl58!Perl_sv_compile_2op+0x37df
0c 00ade76c 281a2863 Perl58!Perl_runops_standard+0xc
0d 00ade79c 281a38d6 perlis+0x2863
0e 00adebc4 281a2fb2 perlis!GetExtensionVersion+0x880
0f 00adf728 65d82188 perlis!HttpExtensionProc+0x173
10 00adf73c 65d82119 wam!HSE_APPDLL::ExecuteRequest+0x93
11 00adf770 65d81af8 wam!WAM::InvokeExtension+0x35
12 00adf7b4 77d77f50 wam!WAM::ProcessRequest+0x240
13 00adf7dc 77d95ad7 RPCRT4!Invoke+0x30
14 00adfa54 77d8f77e RPCRT4!NdrStubCall2+0x655
15 00adfab8 77b22546 RPCRT4!CStdStubBuffer_Invoke+0xc8
16 00adfafc 77b22821 ole32!SyncStubInvoke+0x61
17 00adfb44 77ab6eb4 ole32!StubInvoke+0xa8
18 00adfba8 77aa9a01 ole32!CCtxComChnl::ContextInvoke+0xbb
19 00adfbc4 77b2242b ole32!MTAInvoke+0x18
1a 00adfbf4 77b22b56 ole32!AppInvoke+0xb5
1b 00adfcb4 77b20360 ole32!ComInvokeWithLockAndIPID+0x29e
1c 00adfcf4 77d52116 ole32!ThreadInvoke+0x1b7
1d 00adfd2c 77d37ee1 RPCRT4!DispatchToStubInC+0x32
1e 00adfd84 77d37db5 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x100
1f 00adfda4 77d38081 RPCRT4!RPC_INTERFACE::DispatchToStub+0x5e
20 00adfdd4 77d58b9a RPCRT4!RPC_INTERFACE::DispatchToStubWithObject+0xa9
21 00adfe10 77d5713a RPCRT4!LRPC_SCALL::DealWithRequestMessage+0x1cd
22 00adfe28 77d57649 RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest+0x10c
23 00adff74 77d56d5e RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x229
24 00adff78 77d39a00 RPCRT4!RecvLotsaCallsWrapper+0x9
25 00adffa8 77d41c6d RPCRT4!BaseCachedThreadRoutine+0x4f
26 00adffb4 77e8b2d8 RPCRT4!ThreadStartRoutine+0x18
27 00adffec 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 4
System Thread ID: 18b4
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Idle ASP thread
# ChildEBP RetAddr
00 00cdff08 77ea9d00 ntdll!ZwWaitForMultipleObjects+0xb
01 00cdff58 77ea9c13 KERNEL32!WaitForMultipleObjectsEx+0xea
02 00cdff70 787f21d4 KERNEL32!WaitForMultipleObjects+0x17
03 00cdffb4 77e8b2d8 COMSVCS!CEventDispatcher::PushEvents+0x44
04 00cdffc0 00000008 KERNEL32!BaseThreadStart+0x52




Thread ID: 5
System Thread ID: 1240
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Possible ASP page. Possible DCOM activity
Executing Page: ASP.dll symbols not found. Unable to locate ASP page.
Continuing with other analysis.

Remote call is either to a MTA object or object not initialized. Also, possible utility thread.
DCOM call being made to Process ID: 1824
Waiting on thread id: ffffffff

# ChildEBP RetAddr
00 00d1fb68 77d4ec37 ntdll!NtRequestWaitReplyPort+0xb
01 00d1fb94 77d3a2c7 RPCRT4!LRPC_CCALL::SendReceive+0x11e
02 00d1fba0 77b23b2a RPCRT4!I_RpcSendReceive+0x2c
03 00d1fbc0 77b239f5 ole32!ThreadSendReceive+0xef
04 00d1fbd8 77b20aa5 ole32!CRpcChannelBuffer::SwitchAptAndDispatchCall+0x14a
05 00d1fc18 77b2386e ole32!CRpcChannelBuffer::SendReceive2+0x96
06 00d1fc28 77a6c78a ole32!CRpcChannelBuffer::SendReceive+0x11
07 00d1fc88 77ab6af6 ole32!CAptRpcChnl::SendReceive+0xa9
08 00d1fce0 77d90328 ole32!CCtxComChnl::SendReceive+0x124
09 00d1fcfc 77d92b3f RPCRT4!NdrProxySendReceive+0x4c
0a 00d1ff44 77d95f85 RPCRT4!NdrClientCall2+0x4f5
0b 00d1ff60 77d77f6b RPCRT4!ObjectStublessClient+0x76
0c 00d1ff70 787f212e RPCRT4!ObjectStubless+0xf
0d 00d1ffb4 77e8b2d8 COMSVCS!CEventDispatcher::GetEventServerInfoThread+0x10e
0e 00d1ffec 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 6
System Thread ID: 116c
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Idle ASP thread
# ChildEBP RetAddr
00 00d5fee4 77ea9d94 ntdll!NtDelayExecution+0xb
01 00d5ff04 77ea9d5f KERNEL32!SleepEx+0x32
02 00d5ff10 787cf77a KERNEL32!Sleep+0xb
03 00d5ff80 780060ce COMSVCS!PostData+0xf2
04 00d5ffb4 77e8b2d8 MSVCRT!_beginthreadex+0xca
05 00d5ffec 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 7
System Thread ID: 151c
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Other
# ChildEBP RetAddr
00 00fdfe60 77ea9d00 ntdll!ZwWaitForMultipleObjects+0xb
01 00fdfeb0 77e1e97b KERNEL32!WaitForMultipleObjectsEx+0xea
02 00fdff0c 77e1e9c8 USER32!MsgWaitForMultipleObjectsEx+0x153
03 00fdff28 6e5abc1d USER32!MsgWaitForMultipleObjects+0x1d
04 00fdff80 780060ce IisRTL!SchedulerWorkerThread+0xa7
05 00fdffb4 77e8b2d8 MSVCRT!_beginthreadex+0xca
06 00fdffec 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 8
System Thread ID: 1778
Kernel Time: 0:0:2.453
User Time: 0:0:0.687
Thread Type: Other
# ChildEBP RetAddr
00 0094fe60 77ea9d00 ntdll!ZwWaitForMultipleObjects+0xb
01 0094feb0 77e1e97b KERNEL32!WaitForMultipleObjectsEx+0xea
02 0094ff0c 77e1e9c8 USER32!MsgWaitForMultipleObjectsEx+0x153
03 0094ff28 6e5abc1d USER32!MsgWaitForMultipleObjects+0x1d
04 0094ff80 780060ce IisRTL!SchedulerWorkerThread+0xa7
05 0094ffb4 77e8b2d8 MSVCRT!_beginthreadex+0xca
06 0094ffec 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 9
System Thread ID: 1844
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Other
# ChildEBP RetAddr
00 0104fe60 77ea9d00 ntdll!ZwWaitForMultipleObjects+0xb
01 0104feb0 77e1e97b KERNEL32!WaitForMultipleObjectsEx+0xea
02 0104ff0c 77e1e9c8 USER32!MsgWaitForMultipleObjectsEx+0x153
03 0104ff28 6e5abc1d USER32!MsgWaitForMultipleObjects+0x1d
04 0104ff80 780060ce IisRTL!SchedulerWorkerThread+0xa7
05 0104ffb4 77e8b2d8 MSVCRT!_beginthreadex+0xca
06 0104ffec 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 10
System Thread ID: a20
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Other
# ChildEBP RetAddr
00 0108fe60 77ea9d00 ntdll!ZwWaitForMultipleObjects+0xb
01 0108feb0 77e1e97b KERNEL32!WaitForMultipleObjectsEx+0xea
02 0108ff0c 77e1e9c8 USER32!MsgWaitForMultipleObjectsEx+0x153
03 0108ff28 6e5abc1d USER32!MsgWaitForMultipleObjects+0x1d
04 0108ff80 780060ce IisRTL!SchedulerWorkerThread+0xa7
05 0108ffb4 77e8b2d8 MSVCRT!_beginthreadex+0xca
06 0108ffec 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 11
System Thread ID: 9ec
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: HTTP Listener
# ChildEBP RetAddr
00 011cff50 77e95244 ntdll!NtRemoveIoCompletion+0xb
01 011cff7c 6d7088db KERNEL32!GetQueuedCompletionStatus+0x27
02 011cffb4 77e8b2d8 ISATQ!AtqPoolThread+0x40
03 011cffec 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 12
System Thread ID: 130c
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: HTTP Listener
# ChildEBP RetAddr
00 0120ff50 77e95244 ntdll!NtRemoveIoCompletion+0xb
01 0120ff7c 6d7088db KERNEL32!GetQueuedCompletionStatus+0x27
02 0120ffb4 77e8b2d8 ISATQ!AtqPoolThread+0x40
03 0120ffec 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 13
System Thread ID: 15a8
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Possible ASP page. Possible DCOM activity
Executing Page: ASP.dll symbols not found. Unable to locate ASP page.
Continuing with other analysis.

No remote call being made
# ChildEBP RetAddr
00 0138feb8 77e95244 ntdll!NtRemoveIoCompletion+0xb
01 0138fee4 77d80976 KERNEL32!GetQueuedCompletionStatus+0x27
02 0138ff20 77d50e9e RPCRT4!COMMON_ProcessCalls+0x9e
03 0138ff74 77d50cd7 RPCRT4!LOADABLE_TRANSPORT::ProcessIOEvents+0x99
04 0138ff78 77d39a00 RPCRT4!ProcessIOEventsWrapper+0x9
05 0138ffa8 77d41c6d RPCRT4!BaseCachedThreadRoutine+0x4f
06 0138ffb4 77e8b2d8 RPCRT4!ThreadStartRoutine+0x18
07 0138ffec 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 14
System Thread ID: 1740
Kernel Time: 0:2:40.343
User Time: 0:2:45.921
Thread Type: Possible ASP page. Possible DCOM activity
Executing Page: ASP.dll symbols not found. Unable to locate ASP page.
Continuing with other analysis.

Remote call is either to a MTA object or object not initialized. Also, possible utility thread.
DCOM call being made to Process ID: 2936
Waiting on thread id: ffffffff

# ChildEBP RetAddr
00 01aee130 77d4ec37 ntdll!NtRequestWaitReplyPort+0xb
01 01aee15c 77d3a2c7 RPCRT4!LRPC_CCALL::SendReceive+0x11e
02 01aee168 77b23b2a RPCRT4!I_RpcSendReceive+0x2c
03 01aee188 77b239f5 ole32!ThreadSendReceive+0xef
04 01aee1a0 77b20aa5 ole32!CRpcChannelBuffer::SwitchAptAndDispatchCall+0x14a
05 01aee1e0 77b2386e ole32!CRpcChannelBuffer::SendReceive2+0x96
06 01aee1f0 77a6c78a ole32!CRpcChannelBuffer::SendReceive+0x11
07 01aee250 77ab6a6a ole32!CAptRpcChnl::SendReceive+0xa9
08 01aee2a8 77d90328 ole32!CCtxComChnl::SendReceive+0x98
09 01aee2c4 77d92b3f RPCRT4!NdrProxySendReceive+0x4c
0a 01aee50c 77d95f85 RPCRT4!NdrClientCall2+0x4f5
0b 01aee528 77d77f6b RPCRT4!ObjectStublessClient+0x76
0c 01aee538 65d88459 RPCRT4!ObjectStubless+0xf
0d 01aee570 281a17b0 wam!WriteClient+0x164
WARNING: Stack unwind information not available. Following frames may be wrong.
0e 01aee590 281a2bed perlis+0x17b0
0f 01aee5b0 281a22ea perlis+0x2bed
10 01aee5e4 2808778a perlis+0x22ea
11 01aee624 280899ee Perl58!Perl_PerlIO_write+0x21
12 01aee640 280892f4 Perl58!PerlIOBuf_set_ptrcnt+0x4d4
13 01aee65c 2808990e Perl58!PerlIOBuf_write+0x83
14 01aee680 2808778a Perl58!PerlIOBuf_set_ptrcnt+0x3f4
15 01aee6b8 2803b6d4 Perl58!Perl_PerlIO_write+0x21
16 01aee6e4 2805d706 Perl58!Perl_sv_compile_2op+0x37df
17 01aee76c 281a2863 Perl58!Perl_runops_standard+0xc
18 01aee79c 281a38d6 perlis+0x2863
19 01aeebc4 281a2fb2 perlis!GetExtensionVersion+0x880
1a 01aef728 65d82188 perlis!HttpExtensionProc+0x173
1b 01aef73c 65d82119 wam!HSE_APPDLL::ExecuteRequest+0x93
1c 01aef770 65d81af8 wam!WAM::InvokeExtension+0x35
1d 01aef7b4 77d77f50 wam!WAM::ProcessRequest+0x240
1e 01aef7dc 77d95ad7 RPCRT4!Invoke+0x30
1f 01aefa54 77d8f77e RPCRT4!NdrStubCall2+0x655
20 01aefab8 77b22546 RPCRT4!CStdStubBuffer_Invoke+0xc8
21 01aefafc 77b22821 ole32!SyncStubInvoke+0x61
22 01aefb44 77ab6eb4 ole32!StubInvoke+0xa8
23 01aefba8 77aa9a01 ole32!CCtxComChnl::ContextInvoke+0xbb
24 01aefbc4 77b2242b ole32!MTAInvoke+0x18
25 01aefbf4 77b22b56 ole32!AppInvoke+0xb5
26 01aefcb4 77b20360 ole32!ComInvokeWithLockAndIPID+0x29e
27 01aefcf4 77d52116 ole32!ThreadInvoke+0x1b7
28 01aefd2c 77d37ee1 RPCRT4!DispatchToStubInC+0x32
29 01aefd84 77d37db5 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x100
2a 01aefda4 77d38081 RPCRT4!RPC_INTERFACE::DispatchToStub+0x5e
2b 01aefdd4 77d58b