Re: Microsoft IIS problems (Current)

From: neilat_private
Date: Thu Jul 19 2001 - 14:48:18 PDT

    I have seen some problems with NT4 servers running Exchange crashing when
    they encounter the Code Red Worm.  These machines were all upgraded with the
    patch in the MS-33 ida/idq bulletin.  While the worm wouldn't exploit the
    servers, it would bring down IIS4.  
    
    The page returned contained an error message:
    <snip>
        This is the error page for errors found in .idq files
        A registry entry points to this page (where X is the current language):
    </snip>
    
    This was returned along with a registry key and some more detail on why it
    failed.  Out of all the servers, only the ones with Exchange exhibited these
    problems after being patched.  I have confirmed these results with someone
    with a similar setup.  The only way I could stop it was to unmap the ida/idq
    extensions from IIS4.
    
    Has anyone else seen similar behavior?  Is this limited only to NT4/Exchange
    machines?  I haven't been able to test it on an IIS5 machine to see.  I'd
    advise anyone currently having these problems to unmap the ida/idq extensions.
    
    For dumps/more information just let me know.
    
    Neil
    
    
    On 07-19 (13:20), Jim Hribnak wrote:
    
    > 
    > There appears to be a WIDE spread issue with IIS 4 and IIS 5 right now.  The
    > services will automatically shut down when attacked.  There are patches (old
    > patches) that seem to fix the problem, YET the patch says it's for Microsoft
    > Index server (a lot of people are not running Index server, yet this patch
    > fixes the crashing problem).
    > 
    > Upon further reading of the bulletin below, it says:
    > 
    > "
    > Affected Software:
    > 
    >   a.. Microsoft Index Server 2.0
    >   b.. Indexing Service in Windows 2000
    > "
    > 
    > Most people will not install this if they are not running the software
    > listed above.  The above should have also said IIS 4 and IIS 5 are affected.
    > 
    > And it does if you read the technical section..
    > 
    > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp
    > 
    > for IIS4 /NT4
    > http://www.microsoft.com/ntserver/nts/downloads/critical/q300972/default.asp
    > 
    > for IIS5/Win2000
    > http://www.microsoft.com/windows2000/downloads/critical/q300972/default.asp
    > 
    > 
    > 
    > ---------------------------------------
    > Jim Hribnak
    > Manager Communication Services
    > Nucleus Inc.
    > 403-209-0000
    > 
    > 
    



    This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 15:12:56 PDT