From: neilgeekshanty.com
Date: Thu Jul 19 2001 - 16:48:18 CDT


    I have seen some problems with NT4 servers running Exchange crashing when
    they encounter the Code Red Worm. These machines were all upgraded with the
    patch in the MS-33 ida/idq bulletin. While the worm wouldn't exploit the
    servers, it would bring down IIS4.

    The page returned contained an error message:
    <snip>
        This is the error page for errors found in .idq files
        A registry entry points to this page (where X is the current language):
    </snip>

    This was returned along with a registry key and some more detail why it
    failed. Out of all the servers, only the ones with Exchange exhibited these
    problems after being patched. I have confirmed these results with someone
    with a similar setup. The only way I could stop it was to unmap the ida/idq
    extensions from IIS4.

    Has anyone else seen similar behavior? Is this limited only to NT4/Exchange
    machines? I haven't been able to test it on an IIS5 machine to see. I'd
    advise anyone currently having these problems to unmap the ida/idq extensions.

    For dumps/more information just let me know.

    Neil

    On 07-19 (13:20), Jim Hribnak wrote:

    >
    > There appears to be a WIDESPREAD issue with IIS 4 and IIS 5 right now. The
    > services will automatically shut down when attacked. There are patches (old
    > patches) that seem to fix the problem, YET the patch says it's for Microsoft
    > Index Server (a lot of people are not running Index Server, yet this patch
    > fixes the crashing problem).
    >
    > Upon further reading of the bulletin below it says
    >
    > "
    > Affected Software:
    >
    > a.. Microsoft Index Server 2.0
    > b.. Indexing Service in Windows 2000
    > "
    >
    > Most people will not install this if they are not running the software
    > listed above. The above should have also said IIS 4 and IIS 5 are affected.
    >
    > And it does if you read the technical section..
    >
    > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp
    >
    > for IIS4 /NT4
    > http://www.microsoft.com/ntserver/nts/downloads/critical/q300972/default.asp
    >
    > for IIS5/Win2000
    > http://www.microsoft.com/windows2000/downloads/critical/q300972/default.asp
    >
    >
    >
    > ---------------------------------------
    > Jim Hribnak
    > Manager Communication Services
    > Nucleus Inc.
    > 403-209-0000
    >
    >