Yes, I noticed that as well.
-----Original Message-----
From: admin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 19, 2001 6:04 PM
To: CF-Talk
Subject: Re: IIS 4 Stopping Unexpectedly: I KNOW WHAT THE PROBLEM IS!!!
what is also strange is that after the initial ISAPI attack it's followed by
15 hits to UDP port 1296.
Anyone know what this port is for - or why the worm is searching there?
Richard
Y2K Internet Technologies
----- Original Message -----
From: "Kelly Matthews" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Thursday, July 19, 2001 2:32 PM
Subject: IIS 4 Stopping Unexpectedly: I KNOW WHAT THE PROBLEM IS!!!
> Ok folks I know what's goin on. It happened to me all day. I use
> black ice on my server. At first every time I was getting hit
> it was being recorded as an HTTP OVERFLOW and shutting my web service
> down. I updated black ice and it now records it as an ISAPI
> index extension overflow. My updated version of Black Ice ($39.95) now
> blocks it and it no longer shuts my web service down. They must
> have JUST updated today. I have a feeling someone found a hole today
> and broadcast it across the internet. It started here around noon.
> So if you have black ice get the update. If you don't, buy black ice
> until Microsoft comes out with an IIS fix. Here is a page explaining
> the attack:
> http://advice.networkice.com/advice/Intrusions/2002608/default.htm
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 19, 2001 4:50 PM
> To: CF-Talk
> Subject: Re: IIS 4 Stopping Unexpectedly
>
>
> Add me to the list. I got a call this afternoon from an old client,
> complaining that the web server keeps going down and they need to reboot to
> get things running again. I've inspected the machine and nothing appears to be
> wrong ... except that periodically IIS 4 service stops.
>
> My question is ... how does one check to verify the existence of this worm
> ... I think IIS stopping on its own is a pretty good clue.
>
> But, if I now have the worm how do I get rid of it? Leon, you mention
> installing the patch and rebooting a couple of times ... but isn't the patch
> to keep you from getting the worm? Not to remove it once you get it?
>
> Any help in removing this thing would be greatly appreciated!
>
> Thanks,
> Bill
>
> In a message dated 7/19/01 4:18:55 PM Eastern Daylight Time,
> [EMAIL PROTECTED] writes:
>
>
> > Hi all,
> >
> > Looks like we have the same problems on 4 of our win NT 4 machines
> >
> > Upon trying to shut down we got an error that would not allow shut down
> > on our win nt4 machine.
> >
> > OLE threadworm from what i hear.
> >
> > We have applied the patch on the first and are rebooting at the moment
> >
> > 3 more to go after that.
> >
> > Hopefully this will fix the problem.
> >
> > Any one else want to share experiences on this worm.
> >
> > does it affect win2k servers?
> >
> > Cheers
> >
> > D
> >
> > Daryl Fullerton,
> > Managing Partner,
> > BizNet Solutions,
> > Allaire Premier Partner (Ireland)
> > 133 - 137 Lisburn Road
> > Belfast
> > BT9 7AG
> > N.Ireland
> >
> > Direct +44 (0) 28 9022 7888
> > Tel +44 (0) 028 9022 3224
> > Fax +44 (0) 028 9022 3223
> >
> >
> > [EMAIL PROTECTED]
> > Http://www.BizNet-Solutions.com
> >
> > [EMAIL PROTECTED] (Chairman)
> > Http://www.cfug.ie The Irish Cold Fusion User Group
> >
> >
> > -----Original Message-----
> > From: Tim Painter [mailto:[EMAIL PROTECTED]]
> > Sent: 19 July 2001 19:04
> > To: [EMAIL PROTECTED]
> > Subject: Re: IIS 4 Stopping Unexpectedly
> >
> >
> > Thanks -- that's what I was afraid of.
> >
> > We have 3 servers it is happening on right now, and
> > We had the patch installed, but are manually removing the ida and idq
> > entries.
> >
> > Thanks!
> > Tim P.
> >
> >
> > ----- Original Message -----
> > From: "Leon Oosterwijk" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Thursday, July 19, 2001 1:45 PM
> > Subject: RE: IIS 4 Stopping Unexpectedly
> >
> >
> > Tim,
> >
> > I could not on my first round of investigations find anything unusual. The
> > inbound/outbound traffic on the machine did not jump significantly. The
> > Processor did not see any big jumps of activity, memory levels, all normal.
> > There was a large amount of TCP/IP sockets open, but that seemed normal due
> > to the volume of websites hosted. In other words, No. :(
> >
> > Leon
> >
> >
> > -----Original Message-----
> > From: Tim Painter [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, July 19, 2001 12:38 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: IIS 4 Stopping Unexpectedly
> >
> >
> > Leon,
> > We are running into something like this right now. Is there any way to tell
> > if in fact that is what is happening on the machine?
> >
> > Tim P.
> > ----- Original Message -----
> > From: "Leon Oosterwijk" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Thursday, July 19, 2001 1:29 PM
> > Subject: RE: IIS 4 Stopping Unexpectedly
> >
> >
> > I've noticed this on our IIS4 machine. I installed the latest Microsoft
> > patch:
> > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp
> >
> > This seems to have fixed it. (After repeated reboots)
> >
> > You might want to download and install the similar patch for your IIS
> > System. This patch seems to prevent the "Code Red" worm or other exploits
> > from harming your system. The behaviour that I experienced is not consistent
> > with the "Code Red" worm, but it is possible that there are other worms out
> > there making use of the same security hole.
> >
> > I realize that this message might be off-post, but any feedback people have
> > on this would be welcome on: [EMAIL PROTECTED]
> >
> > Regards,
> > Leon Oosterwijk
> > ISDN-NET Inc.
> > www.isdn.net
> >
> >
> > -----Original Message-----
> > From: Troy Allen [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, July 19, 2001 12:11 PM
> > To: [EMAIL PROTECTED]
> > Subject: IIS 4 Stopping Unexpectedly
> >
> >
> > I have IIS 4 running on NT 4 SP 6a. It is a dual Pentium III
> > 800 MHz server with a Gig of RAM. I have installed all of
> > the latest IIS patches.
> >
> > Starting yesterday, the IIS stopped running all on its own.
> > When there is ANY kind of unexpected service stoppage (Dr
> > Watson, etc.) on this server, I get an email from the Compaq
> > Insight Monitors. But that is not happening. It is as if
> > someone is actually stopping the inetinfo process in the
> > Services control panel. I am watching the server when it
> > happens, and no one is logging into the server when it
> > happens.
> >
> > The stoppage frequency has steadily increased from hours
> > apart to mere seconds.
> >
> > Anyone seen this before? I have searched all over the net,
> > including BugTraq, MS, Allaire, and all the major search
> > engines to no avail. I am running a complete Virus scan, but
> > it has not found anything.
> >
> > Any ideas would be greatly appreciated.
> >
> > Troy
> >
> > --
> > "What Boots Up, Must Come Down."
> >
> > ____________________
> >
> > Troy L. Allen, Sr.
> > Chief Technology Officer
> > The MAXXIS Group, Inc.
> > ____________________
> >
> >
>
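
On the question raised in the thread of how to tell whether a server is being hit through the ISAPI index extension (the .ida and .idq mappings mentioned above), one check is to look in the IIS log for oversized requests to those extensions. This is an added example, not code from any poster in the thread; it assumes W3C extended logging with `cs-uri-stem` and `cs-uri-query` enabled, and the length threshold and sample log lines are constructed for illustration.

```python
# Added example: flag oversized requests to Indexing Service ISAPI
# extensions (.ida/.idq) in an IIS W3C extended log.
INDEX_EXTS = (".ida", ".idq")
MAX_QUERY_LEN = 200  # assumed threshold, tune to local traffic

# Constructed sample log, not taken from any real server.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Server 4.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-19 16:01:12 192.0.2.10 GET /index.cfm id=5 200",
    "2001-07-19 16:02:40 198.51.100.7 GET /default.ida " + "X" * 300 + " 200",
    "2001-07-19 16:02:41 192.0.2.10 GET /search.idq query=coldfusion 200",
    "2001-07-19 16:03:05 203.0.113.9 GET /Default.IDA " + "X" * 280 + " 500",
    "2001-07-19 16:03:09 198.51.100.7 GET /default.ida " + "X" * 300 + " 200",
])


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))


def suspicious_index_requests(text, max_query_len=MAX_QUERY_LEN):
    """Return requests to .ida/.idq whose query string is abnormally long."""
    hits = []
    for req in parse_w3c(text):
        stem = req.get("cs-uri-stem", "").lower()
        query = req.get("cs-uri-query", "-")
        if stem.endswith(INDEX_EXTS) and len(query) > max_query_len:
            hits.append(req)
    return hits


def hits_by_client(hits):
    """Count flagged requests per source address."""
    counts = {}
    for req in hits:
        counts[req["c-ip"]] = counts.get(req["c-ip"], 0) + 1
    return counts


if __name__ == "__main__":
    flagged = suspicious_index_requests(SAMPLE_LOG)
    for ip, n in sorted(hits_by_client(flagged).items()):
        print(ip, n)
```

A hit shows that such a request reached the server, not that it succeeded; whether the .ida/.idq mappings are still present and whether the MS01-033 patch is installed has to be checked separately.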