Wednesday, March 9, 2022

Malicious Software found targeting IIS Modules (cachcookie.dll and anon_auth.dll)

Recently I had a case where several servers had DLLs loaded in IIS whose names resembled standard IIS modules but were proven to be nonstandard. cachcookie.dll and anon_auth.dll were detected as malicious by the customer's antivirus software and removed.


The problem is that if the files are deleted without also removing their references in the IIS configuration, W3WP.exe fails to start because the module cannot be found.





Here is an example of how to then remove the module reference using PowerShell.


Remove-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/globalModules" -name "." -AtElement @{name='CookieCacheModule'}

Remove-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.webServer/modules" -name "." -AtElement @{name='CookieCacheModule'}


With these two commands, along with stopping and starting IIS and checking for the presence of the file, we were able to streamline the process of fixing the issue.


In the example, change "name='CookieCacheModule'" to match the module you are targeting for removal.


Once the references were removed, W3WP.EXE started and began to process requests as expected.
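As an added example (not a script from the original post), the following PowerShell generalizes the two commands above: it lists every native module registered in globalModules whose image file is missing from disk, which is what is left behind after antivirus quarantines the DLL, and, only when run with -Remove, strips that registration from both globalModules and modules before restarting IIS. The -Remove switch and the report layout are my own assumptions.

```powershell
# Added example, not the original post's script. Finds native IIS modules whose
# DLL no longer exists on disk (e.g. quarantined by antivirus) and, on request,
# removes their registrations so W3WP.exe can start again.
param(
    [switch]$Remove   # without -Remove the script only reports (assumed switch)
)

Import-Module WebAdministration

$appHost = 'MACHINE/WEBROOT/APPHOST'

# globalModules holds the <add name="..." image="..."/> entries for native modules.
$globalModules = Get-WebConfiguration -PSPath $appHost -Filter 'system.webServer/globalModules/add'

$orphaned = foreach ($m in $globalModules) {
    # Image paths normally use %windir%; expand before checking the file.
    $image = [Environment]::ExpandEnvironmentVariables($m.image)
    if (-not (Test-Path -LiteralPath $image)) {
        [pscustomobject]@{ Name = $m.name; Image = $image }
    }
}

if (-not $orphaned) {
    Write-Host 'No global modules with missing image files.'
    return
}

# Keep this listing for the incident record before anything is changed.
$orphaned | Format-Table -AutoSize

if ($Remove) {
    foreach ($o in $orphaned) {
        Write-Host "Removing module registration: $($o.Name)"
        # Same two removals the post shows, applied per orphaned module.
        Remove-WebConfigurationProperty -PSPath $appHost -Filter 'system.webServer/globalModules' `
            -Name '.' -AtElement @{name=$o.Name}
        # The modules list may not contain every native module; only remove what is there.
        $inModules = Get-WebConfiguration -PSPath $appHost `
            -Filter "system.webServer/modules/add[@name='$($o.Name)']"
        if ($inModules) {
            Remove-WebConfigurationProperty -PSPath $appHost -Filter 'system.webServer/modules' `
                -Name '.' -AtElement @{name=$o.Name}
        }
    }
    iisreset
}
```

Run it first without -Remove and compare the reported names against the antivirus detection before removing anything, since a legitimate module with a wrong image path would be reported the same way.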

