Hello,

I know the moderators have said that the Code Red discussion is closed, but I just found out an interesting piece of info for those people whose IIS 4 servers have been crashing even though they have been patched against Code Red.

According to Shared Knowledge Limited's support services (I found this by searching in Google Groups, so they might not have been the first to find this out) and confirmed by Eddie Bowers of MS IIS support who responded in the newsgroups, if your IIS4 website is using URL redirection, you are still vulnerable to Code Red even if you are patched. The reason is that when you set IIS to redirect URLs, it will accept any URL and send a 302 HTTP status code (Object Moved). The *.ida?NNNNN... overflow still causes IIS to crash.

Here is an excerpt from their messages:

-------------
If you are having problems and have not applied the patch, it may not work. Too many people have been applying the patch to no avail. The solution is as follows:

1. Remove ALL redirected IIS websites and URLs from the server.
2. Apply the patches.
3. Reboot.

The first point is the important one. Shared Knowledge have been investigating the issue now for some time and believe this is the solution. If you are still having any problems, please post back.

Regards,
Support Services
Shared Knowledge Limited
Advanced ASP Hosting
www.sharedknowledge.net
-------------------

and here is the confirmation from MS

---------------
From: keifat_private (Keif Gwinn)

>I don't think this is a suitable fix... the other way to defend against
>Code Red is to remove all .ida script mappings from the webserver.
>Almost no one uses them any more...
>Keif Gwinn

Actually removing the script mappings will not avoid all the problems if you are running IIS4. Removing the redirections is currently the best solution (this is in addition to installing the fix or removing the script mappings).

We are working on a real fix. Can't give an ETA yet.

Eddie
IIS Support
--------------------

So basically, if you are using URL redirection, Code Red WILL crash your machine. The only fix for now is to remove all URL redirections. Shared Knowledge have a script available to list all URL redirections on an IIS server; it requires Perl to run. You can find it at http://www.sharedknowledge.net/codered/checkredirect.bat

If you have been affected by this, please send your Dr. Watson logs and user.dmp files to Eddie Bowers at the following address eddiebat_private so they can issue a fix for the patch, as it seems that it is the Code Red patch that is causing this problem.

Mods, this is the first time I post to this list, so if I should have sent it to another one, I apologise. I am sure some people with patched servers which are crashing might find this helpful.

Jean-Francois Prieur, Project Manager, BNP Paribas
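
An added example, not part of the original post and not the Shared Knowledge script: one way to spot sites that still answer .ida requests with a 302, and so are candidates for the redirection check described above. It assumes W3C extended logging with the s-sitename, cs-uri-stem and sc-status fields enabled and that the request is written to the log; the function names and the sample log are constructed for illustration.

```python
from collections import Counter

# Constructed sample in W3C extended log format; not taken from a real server.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip s-sitename cs-method cs-uri-stem cs-uri-query sc-status
2001-08-07 10:01:12 192.0.2.10 W3SVC1 GET /default.ida NNNNNNNNNNNNNNNN 302
2001-08-07 10:01:40 192.0.2.11 W3SVC1 GET /index.html - 302
2001-08-07 10:02:03 192.0.2.12 W3SVC2 GET /default.ida NNNNNNNNNNNNNNNN 200
#Fields: date time c-ip s-sitename cs-method cs-uri-stem sc-status
2001-08-07 10:05:55 192.0.2.13 W3SVC3 GET /DEFAULT.IDA 302
truncated line
"""


def parse_w3c(lines):
    """Yield one dict per request, honouring each #Fields header in turn."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            # The field list can change mid-file, so re-read it every time.
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split()
            # Skip truncated or malformed lines instead of mis-assigning columns.
            if fields and len(parts) == len(fields):
                yield dict(zip(fields, parts))


def redirected_ida_hits(lines):
    """Count, per site, the .ida requests that were answered with HTTP 302."""
    hits = Counter()
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "").lower()
        if stem.endswith(".ida") and rec.get("sc-status") == "302":
            hits[rec.get("s-sitename", "unknown")] += 1
    return hits


if __name__ == "__main__":
    found = redirected_ida_hits(SAMPLE_LOG.splitlines())
    for site, count in sorted(found.items()):
        print(f"{site}: {count} .ida request(s) answered with 302; "
              "check this site for URL redirection")
```

A site listed here is only a candidate: confirm the redirection setting on the server itself before removing anything.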
This archive was generated by hypermail 2b30 : Wed Aug 08 2001 - 12:21:04 PDT