I have seen some problems with NT4 servers running Exchange crashing when they encounter the Code Red Worm. These machines were all upgraded with the patch in the MS-33 ida/idq bulletin. While the worm wouldn't exploit the servers, it would bring down IIS4. The page returned contained an error message:

<snip>
This is the error page for errors found in .idq files
A registry entry points to this page (where X is the current language):
</snip>

This was returned along with a registry key and some more detail why it failed. Out of all the servers, only the ones with Exchange exhibited these problems after being patched. I have confirmed these results with someone with a similar setup. The only way I could stop it was to unmap the ida/idq extensions from IIS4.

Has anyone else seen similar behavior? Is this limited only to NT4/Exchange machines? I haven't been able to test it on an IIS5 machine to see. I'd advise anyone currently having these problems to unmap the ida/idq extensions. For dumps/more information just let me know.

Neil

On 07-19 (13:20), Jim Hribnak wrote:
>
> There appears to be a WIDE spread issue with IIS 4 and IIS 5 right now. The
> services will automatically shut down when attacked. There are patches (old
> patches) that seem to fix the problem YET the patch says it's for Microsoft
> Index Server (a lot of people are not running Index Server, yet this patch
> fixes the crashing problem).
>
> Upon further reading of the bulletin below it says
>
> "
> Affected Software:
>
> a.. Microsoft Index Server 2.0
> b.. Indexing Service in Windows 2000
> "
>
> Most people will not install this if they are not running the software
> listed above. The above should have also said IIS 4 and IIS 5 are affected.
>
> And it does if you read the technical section..
>
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp
>
> for IIS4 /NT4
> http://www.microsoft.com/ntserver/nts/downloads/critical/q300972/default.asp
>
> for IIS5/Win2000
> http://www.microsoft.com/windows2000/downloads/critical/q300972/default.asp
>
> ---------------------------------------
> Jim Hribnak
> Manager Communication Services
> Nucleus Inc.
> 403-209-0000
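
A defender's check for the workaround suggested in the thread (unmapping the ida/idq extensions), as an added example that is not part of either message: it parses an exported list of IIS script mappings and reports any entry still routed to the Index Server ISAPI. The `extension,handler,flags` entry layout, the `idq.dll` handler name and the function names are assumptions not taken from the thread, and the sample lines are constructed.

```python
# Added example: audit an exported IIS script-map list for Index Server mappings.
# Assumption: each entry is "extension,handler path,flags[,...]"; anything after
# the handler path is kept but not interpreted.

RISKY_EXTENSIONS = {".ida", ".idq"}   # the two extensions named in the thread
RISKY_HANDLER = "idq.dll"             # assumed Index Server ISAPI file name

def parse_script_map(line):
    """Split one script-map entry into (extension, handler, remaining fields)."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) < 2 or not parts[0].startswith("."):
        raise ValueError(f"not a script map entry: {line!r}")
    return parts[0].lower(), parts[1], parts[2:]

def audit_script_maps(lines):
    """Return one finding per entry that still reaches the Index Server ISAPI."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ext, handler, _rest = parse_script_map(line)
        # Windows paths are case-insensitive, so compare the lowered file name.
        dll = handler.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if ext in RISKY_EXTENSIONS or dll == RISKY_HANDLER:
            findings.append({"extension": ext, "handler": handler})
    return findings

# Constructed sample export, not taken from any real server.
SAMPLE = r"""
.asp,C:\WINNT\System32\inetsrv\asp.dll,1
.ida,C:\WINNT\System32\idq.dll,0
.IDQ,c:\winnt\system32\IDQ.DLL,0
.htr,C:\WINNT\System32\inetsrv\ism.dll,1
""".splitlines()

if __name__ == "__main__":
    hits = audit_script_maps(SAMPLE)
    for f in hits:
        print(f"still mapped: {f['extension']} -> {f['handler']}")
    print("ida/idq unmapped" if not hits else f"{len(hits)} mapping(s) to remove")
```

An empty result means neither extension is mapped and no other extension points at the same handler, which is the state the thread recommends.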
This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 15:12:56 PDT