Home Community Discussion Forums Most Active Software Boards LabVIEW Topic

LabVIEW

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Several Unknown NI Web Server Commands Cause Crash: Not Enough Memory to Complete Operation

Several Unknown NI Web Server Commands Cause Crash: Not Enough Memory to Complete Operation

‎01-04-2023 03:46 PM

Labels:

Hello, 

I am running a LabVIEW application (on an off-the-network PC, unable to access internet due to security concerns using an older operating system, Windows 7), which acquires large amounts of data and reports data to another PC (also off the network, Windows 7) via ethernet TCP/IP. This is then connected to a 3rd PC via ethernet (on the network, Windows 10), which moves data for automated analysis via IIS, FTP setup (yes, I know a lot of extra steps, but upgrading the OS's is not an option right now). Recently, several unknown NI WebServer Commands have been running, eventually causing the LabVIEW app to crash and an error message pop-up, which states: "Out of Memory. Not Enough Memory to Complete Operation".

Upon accessing Windows Event Viewer, I see several unknown NI WebServer commands running, attempting to access very obscure URL's, leading up to the crash. Upon searching for more info on the obscure URL's several links mention this may be some sort of exploit check, offensive security check, or potentially a virus.

The first URL that always shows at the beginning of this sequence is

dana-na/auth/url_default/welcome.cgi
it appears to be Offensive Security measures or a potential attempted exploit. When Googling the URL, several links reference a potential exploit method, so I'm wondering if this is a virus, or potentially the network PC scheduling security checks? Breaching the Trusted Perimeter and Automating… | Bishop Fox
spiffymcgee.cfm
is another obscure URL example, where search results mention a possible IIS exploit attempt Weird requests in IIS logs - possible exploit attempt? | [H]ard|Forum (hardforum.com)
None of the URL's actually exist in the directory mentioned in Event Viewer:  C:/program files/national instruments/shared/ni webserver/www/

I am trying to determine why these commands started running and how to prevent them from causing crash, while maintaining my current network setup. I'm wondering if this is caused by the 3rd on-the-network PC, running antivirus scans, sent to the IP of the connected off-the-network PC running LabVIEW? Any help on where these URL's are coming from, what they are, and how to stop them from causing a crash would be appreciated.

Attached is a Word document, showing some of the Windows Event Viewer Error, accessing obscure URL's in NI WebServer directory, leading up to crash.

0 Kudos
Message 1 of 2
(1,138 Views)
Reply