What is also strange is that after the initial ISAPI attack it's followed by
15 hits to UDP port 1296.
Anyone know what this port is for - or why the worm is searching there?
Richard
Y2K Internet Technologies
----- Original Message -----
From: "Kelly Matthews" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Thursday, July 19, 2001 2:32 PM
Subject: IIS 4 Stopping Unexpectedly: I KNOW WHAT THE PROBLEM IS!!!
> Ok folks, I know what's going on. It happened to me all day. I use
> Black Ice on my server. At first, every time I was getting hit
> it was being recorded as an HTTP OVERFLOW and shutting my web service
> down. I updated Black Ice and it now records it as an ISAPI
> index extension overflow. My updated version of Black Ice ($39.95) now
> blocks it and it no longer shuts my web service down. They must
> have JUST updated today. I have a feeling someone found a hole today
> and broadcast it across the internet. It started here around noon.
> So if you have Black Ice, get the update. If you don't, buy Black Ice
> until Microsoft comes out with an IIS fix. Here is a page explaining
> the attack:
> http://advice.networkice.com/advice/Intrusions/2002608/default.htm
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 19, 2001 4:50 PM
> To: CF-Talk
> Subject: Re: IIS 4 Stopping Unexpectedly
>
>
> Add me to the list. I got a call this afternoon from an old client,
> complaining that the web server keeps going down and they need to reboot to
> get things running again. I've inspected the machine and nothing appears to be
> wrong ... except that periodically IIS 4 service stops.
>
> My question is ... how does one check to verify the existence of this worm
> ... I think IIS stopping on its own is a pretty good clue.
>
> But, if I now have the worm how do I get rid of it? Leon, you mention
> installing the patch and rebooting a couple of times ... but isn't the patch
> to keep you from getting the worm? Not to remove it once you get it?
>
> Any help in removing this thing would be greatly appreciated!
>
> Thanks,
> Bill
>
> In a message dated 7/19/01 4:18:55 PM Eastern Daylight Time,
> [EMAIL PROTECTED] writes:
>
>
> > Hi all,
> >
> > Looks like we have the same problems on 4 of our win NT 4 machines
> >
> > Upon trying to shut down we got an error that would not allow shut down
> > on our win nt4 machine.
> >
> > OLE threadworm from what I hear.
> >
> > We have applied the patch on the first and are rebooting at the moment.
> >
> > 3 more to go after that.
> >
> > Hopefully this will fix the problem.
> >
> > Anyone else want to share experiences on this worm?
> >
> > Does it affect win2k servers?
> >
> > Cheers
> >
> > D
> >
> > Daryl Fullerton,
> > Managing Partner,
> > BizNet Solutions,
> > Allaire Premier Partner (Ireland)
> > 133 - 137 Lisburn Road
> > Belfast
> > BT9 7AG
> > N.Ireland
> >
> > Direct +44 (0) 28 9022 7888
> > Tel +44 (0) 028 9022 3224
> > Fax +44 (0) 028 9022 3223
> >
> >
> > [EMAIL PROTECTED]
> > Http://www.BizNet-Solutions.com
> >
> > [EMAIL PROTECTED] (Chairman)
> > Http://www.cfug.ie The Irish Cold Fusion User Group
> >
> >
> > -----Original Message-----
> > From: Tim Painter [mailto:[EMAIL PROTECTED]]
> > Sent: 19 July 2001 19:04
> > To: [EMAIL PROTECTED]
> > Subject: Re: IIS 4 Stopping Unexpectedly
> >
> >
> > Thanks -- that's what I was afraid of.
> >
> > We have 3 servers it is happening on right now, and
> > We had the patch installed, but are manually removing the ida and idq
> > entries.
> >
> > Thanks!
> > Tim P.
> >
> >
> > ----- Original Message -----
> > From: "Leon Oosterwijk" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Thursday, July 19, 2001 1:45 PM
> > Subject: RE: IIS 4 Stopping Unexpectedly
> >
> >
> > Tim,
> >
> > I could not on my first round of investigations find anything unusual. The
> > inbound/outbound traffic on the machine did not jump significantly. The
> > processor did not see any big jumps of activity, memory levels, all normal.
> > There was a large amount of TCP/IP sockets open, but that seemed normal due
> > to the volume of websites hosted. In other words, No. :(
> >
> > Leon
> >
> >
> > -----Original Message-----
> > From: Tim Painter [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, July 19, 2001 12:38 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: IIS 4 Stopping Unexpectedly
> >
> >
> > Leon,
> > We are running into something like this right now. Is there any way to tell
> > if in fact that is what is happening on the machine?
> >
> > Tim P.
> > ----- Original Message -----
> > From: "Leon Oosterwijk" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Thursday, July 19, 2001 1:29 PM
> > Subject: RE: IIS 4 Stopping Unexpectedly
> >
> >
> > I've noticed this on our IIS4 machine. I installed the latest Microsoft
> > patch:
> > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp
> >
> > This seems to have fixed it. (After repeated reboots)
> >
> > You might want to download and install the similar patch for your IIS
> > system. This patch seems to prevent the "Code Red" worm or other exploits
> > from harming your system. The behaviour that I experienced is not consistent
> > with the "Code Red" worm, but it is possible that there are other worms out
> > there making use of the same security hole.
> >
> > I realize that this message might be off-post, but any feedback people have
> > on this would be welcome on: [EMAIL PROTECTED]
> >
> > Regards,
> > Leon Oosterwijk
> > ISDN-NET Inc.
> > www.isdn.net
> >
> >
> > -----Original Message-----
> > From: Troy Allen [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, July 19, 2001 12:11 PM
> > To: [EMAIL PROTECTED]
> > Subject: IIS 4 Stopping Unexpectedly
> >
> >
> > I have IIS 4 running on NT 4 SP 6a. It is a dual Pentium III
> > 800 MHz server with a Gig of RAM. I have installed all of
> > the latest IIS patches.
> >
> > Starting yesterday, the IIS stopped running all on its own.
> > When there is ANY kind of unexpected service stoppage (Dr
> > Watson, etc.) on this server, I get an email from the Compaq
> > Insight Monitors. But that is not happening. It is as if
> > someone is actually stopping the inetinfo process in the
> > Services control panel. I am watching the server when it
> > happens, and no one is logging into the server when it
> > happens.
> >
> > The stoppage frequency has steadily increased from hours
> > apart to mere seconds.
> >
> > Anyone seen this before? I have searched all over the net,
> > including BugTraq, MS, Allaire, and all the major search
> > engines to no avail. I am running a complete Virus scan, but
> > it has not found anything.
> >
> > Any ideas would be greatly appreciated.
> >
> > Troy
> >
> > --
> > "What Boots Up, Must Come Down."
> >
> > ____________________
> >
> > Troy L. Allen, Sr.
> > Chief Technology Officer
> > The MAXXIS Group, Inc.
> > ____________________
> >
> >
>
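
Added example, not part of any message in this thread: one way to approach the "is there any way to tell" question from the web server's own logs, by flagging requests to the `.ida`/`.idq` Index Server mappings mentioned above that carry an unusually long query string. It assumes IIS is writing W3C extended logs that include the `c-ip`, `cs-uri-stem` and `cs-uri-query` fields; the sample log lines, the 200-character threshold and the function names are constructed for illustration.

```python
"""Flag probable ISAPI index-extension overflow probes in IIS W3C extended logs."""
from collections import Counter

# Script mappings named in the thread (Index Server ISAPI extension).
INDEX_EXTENSIONS = (".ida", ".idq")
# Assumed threshold: ordinary index queries are short, overflow probes are not.
MAX_QUERY_LEN = 200

def parse_w3c(lines):
    """Yield one dict per request, honouring the '#Fields:' directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or corrupt rows
                yield dict(zip(fields, values))

def suspicious_requests(lines, max_query_len=MAX_QUERY_LEN):
    """Return requests to .ida/.idq whose query string exceeds the threshold."""
    hits = []
    for row in parse_w3c(lines):
        stem = row.get("cs-uri-stem", "").lower()
        query = row.get("cs-uri-query", "-")
        if stem.endswith(INDEX_EXTENSIONS) and len(query) > max_query_len:
            hits.append(row)
    return hits

def sources(hits):
    """Count suspicious requests per client address."""
    return Counter(row["c-ip"] for row in hits)

# Constructed sample log: documentation addresses and a filler query string.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Server 4.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-19 16:02:11 192.0.2.10 GET /index.cfm - 200",
    "2001-07-19 16:02:40 198.51.100.7 GET /default.ida " + "X" * 224 + " 200",
    "2001-07-19 16:03:05 198.51.100.7 GET /default.ida " + "X" * 224 + " 500",
    "2001-07-19 16:03:30 203.0.113.4 GET /search.idq CiScope=/ 200",
]

if __name__ == "__main__":
    for ip, count in sources(suspicious_requests(SAMPLE_LOG)).most_common():
        print(f"{ip}: {count} oversized .ida/.idq request(s)")
```

A hit means the server received such a request, not that it was compromised; a server whose web service dies before the request is logged may show nothing at all.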