
I have a really strange issue on IIS, where any URLs containing certain keywords (e.g., card, bet, loan, jewelry) return a blank page. It's a 200 response with IIS headers intact, but the response body is empty.

This applies to all sites on the server, and I've tried setting up a small test site with two files: index.html and card.html - index works fine, but card does exactly the same thing as above. So it's not an application issue.

The request is logged by IIS, and claims to be returning a non-0 number of bytes. If I set up a custom response header, that gets through just fine. This happens if I visit the site directly on the server, too. So there doesn't seem to be a firewall blocking it. Something is just deleting the response body.

I've set up Failed Request Tracing - I don't know exactly what I'm looking for in there but I can't see any obvious errors.

There are no custom IIS modules (all under %windir% or the System namespace). There are no Request Filtering rules (other than the standard disallowed list of file extensions and .NET hidden segments).

I'm completely stumped! If anyone has come across anything similar, or knows of any programs which might do this, or has any idea of what to try next, I would love to hear!

piemanji
  • have you tried other browsers? perhaps it's the browser that is failing – Jaromanda X May 11 '23 at 09:28
  • Thanks. Yes I've tried Chrome and Firefox, on the server and on my machine, and also tested with Postman and get the same issue – piemanji May 11 '23 at 09:30
  • `claims to be returning a non-0 number of byte` so, you've confirmed that a client gets zero bytes? any headers at all in the response? is there anything "between" IIS and the clients? (some sort of caching proxy for example) – Jaromanda X May 11 '23 at 09:35
  • Yes client gets 0 bytes, but does receive server headers. In my minimal example with the HTML files I added a custom header and that was returned. I'm assuming there *is* something between IIS and the client, but I'm struggling to see where this is. I think it must be on the server as otherwise I wouldn't be seeing the issue when browsing the site on the server itself (the host is pointing at 127.0.0.1 in the hosts file). – piemanji May 11 '23 at 09:57
  • is there a content-length header? – Jaromanda X May 11 '23 at 10:02
  • Yes, the response has a content-length header value of 0 – piemanji May 11 '23 at 10:08
  • I can't recall what IIS logs show, perhaps the length you see is the headers – Jaromanda X May 11 '23 at 10:22
  • That's true. So that means it could be some module within IIS causing the issue, rather than an external application/service. – piemanji May 11 '23 at 10:32
  • I've just confirmed, the sc-bytes value is equal to the size Postman gives for the response - suggesting that IIS is not returning the response body. Could Failed Request Tracing be used to figure out where the response is being altered? – piemanji May 11 '23 at 10:34
  • @JaromandaX I was able to find the offending module, called HTTPCacheLog, which was actually some malware that had been installed despite the innocuous name. Thanks so much for your help debugging this. – piemanji May 11 '23 at 10:50
  • Does this answer your question? [How do I deal with a compromised server?](https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) – Greg Askew May 30 '23 at 10:24

1 Answer

The issue turned out to be a piece of malware which had installed itself as an IIS module named HTTPCacheLog. I removed the module (and deleted the DLL in the inetsrv folder) and everything is working again now.

piemanji
  • Unfortunately seeing one piece of malware on a machine is usually an indicator of being hacked and more pieces are there (or will be there). So, removing this piece alone does not really bring the server back to healthy. Please hire a security professional to show you what's the right approach. – Lex Li May 14 '23 at 07:17
  • @LexLi Thank you for your concern :) I have taken appropriate steps to deal with the wider issue. I think this still answers the original question as to why IIS was returning a blank 200 response for certain keywords, and hopefully will help others narrow it down more quickly than I was able to. – piemanji May 16 '23 at 08:27
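
The module in this thread sat in the inetsrv folder under an innocuous name, so checking module names and paths alone would not have exposed it. The following is an added example, not part of the original question or answer: a PowerShell audit that lists every native IIS global module with the Authenticode status, signer and timestamp of its DLL. It assumes the WebAdministration module is available and an elevated session on the IIS server; the function name `Get-IisModuleSignature` is made up for this example.

```powershell
# Added example: triage native IIS global modules by DLL signature.
# Covers native (global) modules only, not managed .NET modules.
Import-Module WebAdministration

function Get-IisModuleSignature {
    foreach ($m in Get-WebGlobalModule) {
        # Image paths in applicationHost.config normally use %windir% etc.
        $path   = [Environment]::ExpandEnvironmentVariables($m.Image)
        $exists = Test-Path -LiteralPath $path
        $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        $file   = if ($exists) { Get-Item -LiteralPath $path } else { $null }

        [pscustomobject]@{
            Name      = $m.Name
            Path      = $path
            Exists    = $exists
            SigStatus = if ($sig) { [string]$sig.Status } else { 'n/a' }
            Signer    = if ($sig -and $sig.SignerCertificate) {
                            $sig.SignerCertificate.Subject
                        } else { '' }
            Company   = if ($file) { $file.VersionInfo.CompanyName } else { '' }
            LastWrite = if ($file) { $file.LastWriteTimeUtc } else { $null }
        }
    }
}

$report = Get-IisModuleSignature

# Full inventory, for comparison against a known-good server of the same build.
$report | Sort-Object Name | Format-Table Name, SigStatus, Company, LastWrite -AutoSize

# Modules that need a manual look: missing DLL, no valid signature,
# or a valid signature from a signer other than Microsoft.
$report |
    Where-Object { $_.SigStatus -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' } |
    Format-List Name, Path, SigStatus, Signer, LastWrite
```

On older Windows and PowerShell versions, catalog-signed system files can report `NotSigned`, so treat the second list as a review queue rather than a verdict. A module DLL whose `LastWrite` is far newer than the rest of inetsrv is worth the same scrutiny even when it is signed.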