[21671] in bugtraq
Re: Microsoft IIS problems (Current)
daemon@ATHENA.MIT.EDU (neil@geekshanty.com)
Thu Jul 19 18:17:21 2001
From: neil@geekshanty.com
Date: Thu, 19 Jul 2001 16:48:18 -0500
To: BUGTRAQ@securityfocus.com
Cc: Jim Hribnak <hribnak@nucleus.com>
Message-ID: <20010719164818.A18382@geekshanty.com>
Mail-Followup-To: BUGTRAQ@SECURITYFOCUS.COM,
Jim Hribnak <hribnak@nucleus.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <08a601c11087$d01e7190$035d22cf@Jim>; from hribnak@nucleus.com on Thu, Jul 19, 2001 at 01:20:03PM -0600

I have seen some problems with NT4 servers running Exchange crashing when
they encounter the Code Red Worm. These machines were all upgraded with the
patch in the MS-33 ida/idq bulletin. While the worm wouldn't exploit the
servers, it would bring down IIS4.

The page returned contained an error message:

<snip>
This is the error page for errors found in .idq files
A registry entry points to this page (where X is the current language):
</snip>

This was returned along with a registry key and some more detail why it
failed. Out of all the servers, only the ones with Exchange exhibited these
problems after being patched. I have confirmed these results with someone
with a similar setup. The only way I could stop it was to unmap the ida/idq
extensions from IIS4.

Has anyone else seen similar behavior? Is this limited only to NT4/Exchange
machines? I haven't been able to test it on an IIS5 machine to see. I'd
advise anyone currently having these problems to unmap the ida/idq extensions.

For dumps/more information just let me know.

Neil

On 07-19 (13:20), Jim Hribnak wrote:
>
> There appears to be a WIDESPREAD issue with IIS 4 and IIS 5 right now. The
> services will automatically shut down when attacked. There are patches (old
> patches) that seem to fix the problem, YET the patch says it's for Microsoft
> Index Server (a lot of people are not running Index Server, yet this patch
> fixes the crashing problem).
>
> Upon further reading of the bulletin below, it says:
>
> "
> Affected Software:
>
> a.. Microsoft Index Server 2.0
> b.. Indexing Service in Windows 2000
> "
>
> Most people will not install this if they are not running the software
> listed above. The above should have also said IIS 4 and IIS 5 are affected.
>
> And it does if you read the technical section..
>
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp
>
> for IIS4 /NT4
> http://www.microsoft.com/ntserver/nts/downloads/critical/q300972/default.asp
>
> for IIS5/Win2000
> http://www.microsoft.com/windows2000/downloads/critical/q300972/default.asp
>
>
>
> ---------------------------------------
> Jim Hribnak
> Manager Communication Services
> Nucleus Inc.
> 403-209-0000
>
>
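
Added example, not part of the original message or of either poster's tooling: a small Python log check that counts requests to the .ida/.idq mappings discussed above, per client, with the response codes the server returned, so the effect of unmapping the extensions can be compared before and after. It assumes W3C extended format logs with a #Fields directive; the function name, the sample lines, the addresses and the status codes are all constructed for illustration.

```python
from collections import defaultdict

# Extensions named in the thread as the script mappings to remove.
WATCHED_EXTENSIONS = (".ida", ".idq")

# Constructed sample in W3C extended log format (documentation address ranges).
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-19 16:01:02 192.0.2.10 GET /default.ida q=constructed 200
2001-07-19 16:01:05 198.51.100.7 GET /index.html - 200
2001-07-19 16:02:11 192.0.2.10 GET /default.ida q=constructed 500
2001-07-19 16:03:40 203.0.113.5 GET /search/Query.IDQ q=constructed 404
#Fields: date c-ip cs-uri-stem sc-status
2001-07-20 203.0.113.5 /default.ida 404
"""


def idq_requests(lines):
    """Return {client_ip: {"count": n, "statuses": set}} for .ida/.idq requests."""
    fields = []
    hits = defaultdict(lambda: {"count": 0, "statuses": set()})
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # A #Fields directive can reappear mid-file when logging options change.
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed entry, or no #Fields seen yet
        entry = dict(zip(fields, values))
        # Match on the URI stem only, case-insensitively, ignoring the query.
        if entry.get("cs-uri-stem", "").lower().endswith(WATCHED_EXTENSIONS):
            client = entry.get("c-ip", "unknown")
            hits[client]["count"] += 1
            hits[client]["statuses"].add(entry.get("sc-status", "-"))
    return dict(hits)


if __name__ == "__main__":
    for client, info in sorted(idq_requests(SAMPLE_LOG.splitlines()).items()):
        print(client, info["count"], sorted(info["statuses"]))
```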