>> It can't be Code Red... Until that machine actually goes live,
>> port 80 is blocked to outside traffic
As far as blocking port 80 to outside, I am pretty sure that Code Red can be adapted
to hit any port, it just does 80 for obvious reasons. Also, I would wonder about
internal boxes that then in turn got to this box.
>> the Index Server service is disabled.
Doesn't matter. All that has to be there is the IDA.dll or whatever file it was that
eeye found the original vuln in. If the file is there, you can be hit. It is a
buffer overflow, so it doesn't depend on a service, just the mere existence of a file.
>> Not patched (not my choice, people higher up make decisions
>> I can't argue with)
Been there done that. I quickly left and went to a place that cared.
>> I ran three all-files virus checks, on top of the on-access
>> scan, since having this problem
I am puzzled by this statement. I don't believe that there is anything to "find" for
the worm except for maybe some registry entries. The first changed your webpage and I
could see something catching that, but not an anti-virus. The third put a root.exe
and maybe the anti-virus companies are looking for that now. However, I would rely on
anti-virus to protect me from a Worm. You shut the door.
>> I've rebooted twice (which should have taken care of
>> Code Red if it had been an issue)
No, only if you run the patch and then reboot.
>> I've also run the Code Red scanner, all to no avail.
Don't know which one here, but most of them simply check if you are vulnerable, not if
you are already hit.
You are asking for help here and the best advice that I think any of us could give you
is to first get up to date. Even if we are wrong and it isn't Code Red, there is
still a real good chance that the SPs and HFs could help here. If I had to guess if
you called PSS, that is where they would take you first also.
BTW, if you are running this on Compaq hardware, tell me. There is a bluescreen
gotcha on some of the platforms.
JayW
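JayW's point that the scanners test for the vulnerability rather than for an infection is worth making concrete. The script below is an added example, not code from the thread or from any of the posters; it reads IIS W3C log lines and flags the two indicators a defender can actually look for after the fact: requests to the .ida/.idq ISAPI handler carrying an overflow-style query string, and requests for a root.exe under the scripts directory (the copy of the command shell the third variant leaves behind, as JayW mentions). The request signature for /default.ida and the root.exe location are taken from public Code Red write-ups and are assumptions here; the log lines are constructed samples.

```python
import re
from typing import Dict, List, Optional

# Constructed sample IIS 4 log in W3C extended format (not from the thread).
# Field names follow the IIS W3C logging format; "-" marks an empty field.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Server 4.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-08-20 14:51:02 192.0.2.10 GET /Default.htm - 200",
    # Code Red style request: long run of one character, then %u-encoded bytes
    "2001-08-20 14:52:17 198.51.100.7 GET /default.ida " + "N" * 60 + "%u9090%u6858 200",
    # Backdoor left by the Code Red II variant: root.exe under /scripts
    "2001-08-20 14:53:40 203.0.113.5 GET /scripts/root.exe - 200",
    "2001-08-20 14:55:01 192.0.2.11 GET /exchange/ - 401",
    # Bare .ida probe with no payload: a scanner or a mis-typed URL, not a hit
    "2001-08-20 14:57:09 192.0.2.12 GET /default.ida - 404",
])

IDA_STEM = re.compile(r"\.id[aq]$", re.IGNORECASE)      # handled by the Index Server ISAPI dll
LONG_RUN = re.compile(r"(.)\1{49,}")                     # 50+ repeats of a single character
UNICODE_ESCAPE = re.compile(r"%u[0-9a-f]{4}", re.IGNORECASE)
ROOT_EXE = re.compile(r"/root\.exe$", re.IGNORECASE)


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Turn W3C extended log text into one dict per request, keyed by #Fields names."""
    fields: Optional[List[str]] = None
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):          # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("log data appears before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):    # skip a malformed line rather than abort the scan
            continue
        rows.append(dict(zip(fields, values)))
    return rows


def classify(row: Dict[str, str]) -> Optional[str]:
    """Return a verdict string for a suspicious request, or None for ordinary traffic."""
    stem = row.get("cs-uri-stem", "")
    query = row.get("cs-uri-query", "")
    if IDA_STEM.search(stem):
        if LONG_RUN.search(query) or UNICODE_ESCAPE.search(query):
            return "code-red-style overflow request"
        return "ida/idq request without payload (probe or scanner)"
    if ROOT_EXE.search(stem):
        return "root.exe backdoor access"
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Scan a W3C log and return the flagged requests with time, source, stem, status, verdict."""
    findings = []
    for row in parse_w3c(text):
        verdict = classify(row)
        if verdict is None:
            continue
        findings.append({
            "time": f"{row['date']} {row['time']}",
            "src": row["c-ip"],
            "stem": row["cs-uri-stem"],
            "status": row["sc-status"],
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']}  {f['src']:15}  {f['status']}  {f['stem']}  ->  {f['verdict']}")
```

Two caveats match the discussion above. A bare .ida request that returns 404 is only a probe; the overflow is reached through the ISAPI mapping for .ida/.idq, which is why the Index Server service being disabled does not help while the dll and the mapping are still there. And a clean log only says nothing was recorded, not that nothing happened, so the real fix remains the patch and the service packs JayW recommends.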
>>> [EMAIL PROTECTED] 08/20/01 03:24PM >>>
It can't be Code Red... Until that machine actually goes live, port 80 is
blocked to outside traffic (and I am toying with the idea of not using port
80 when it goes live anyways), besides the Index Server service is disabled.
Not patched (not my choice, people higher up make decisions I can't argue
with) doesn't mean totally abandoned. I update the McAfee virus scan
definition list whenever a new one comes out, I have GroupShield running on
Exchange (updated just as lovingly), I ran three all-files virus checks, on
top of the on-access scan, since having this problem, I've rebooted twice
(which should have taken care of Code Red if it had been an issue) and I've
also run the Code Red scanner, all to no avail.
Eric Peeters
Network Administrator
TexLoc Ltd
-----Original Message-----
From: Kevin Lundy [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 20, 2001 3:06 PM
To: NT System Admin Issues
Subject: RE: IIS stopping without reason
The "no patch" is the clue. My betting money is on Code Red - you have
heard the news the past month?
-----Original Message-----
From: Eric Peeters [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 20, 2001 4:09 PM
To: NT System Admin Issues
Subject: IIS stopping without reason
Hello,
My IIS4 server has been behaving strangely for the past four days. It is not
a mission-critical unit (yet) as it runs only the users' default home page
when they start IE though it was supposed to go live in a week as the IIS
for OWA. On to the problem...
All IIS services (NNTP, FTP, HTTP) are stopped. I click on one of them at
random and hit Start. Nothing happens. I click Start again after a few
seconds. The service in question will start and function normally, however
anywhere from 5 to 15 minutes later, it'll stop again. There is no message
in the log file other than a notice in the Security log that the IIS account
logged in and out at start/stop.
Besides IIS, that box is running Win NT 4 SP6a Server (no patch) and
Exchange 5.5 SP1 (no patch) and it acts as the BDC.
I've roamed through the Microsoft KB (not easy, what keywords do you use to
describe this when there's no message in the log) to no avail. Anyone out
there with a suggestion?
Eric Peeters
Network Administrator
TexLoc Ltd
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm