Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Date: Thu Jul 19 2001 - 16:48:18 CDT
I have seen some problems with NT4 servers running Exchange crashing when
they encounter the Code Red Worm. These machines were all upgraded with the
patch in the MS-33 ida/idq bulletin. While the worm wouldn't exploit the
servers, it would bring down IIS4.
The page returned contained an error message:
This is the error page for errors found in .idq files
A registry entry points to this page (where X is the current language):
This was returned along with a registry key and some more detail why it
failed. Out of all the servers, only the ones with Exchange exhibited these
problems after being patched. I have confirmed these results with someone
with a similar setup. The only way I could stop it was to unmap the ida/idq
extensions from IIS4.
Has anyone else seen similar behavior? Is this limited only to NT4/Exchange
machines? I haven't been able to test it on an IIS5 machine to see. I'd
advise anyone currently having these problems to unmap the ida/idq extensions.
For dumps/more information just let me know.
On 07-19 (13:20), Jim Hribnak wrote:
> There appears to be a WIDE spread issue with IIS 4 and IIS 5 right now. The
> services will automatically shut down when attacked. There is patches (old
> Patches) that seem to fix the problem YET the patch says its for Microsoft
> Index server (a lot of people are not running Index server, yet this patch
> fixes the crashing problem.
> Upon further reading of the bulletin below it say
> Affected Software:
> a.. Microsoft Index Server 2.0
> b.. Indexing Service in Windows 2000
> Most people will not install this if they are not running the software
> listed above. The above should have also said IIS 4 and IIS 5 are affected.
> And it does if you read the technical section..
> for IIS4 /NT4
> for IIS5/Win2000
> Jim Hribnak
> Manager Communication Services
> Nucleus Inc.