Code Red doesn't scan other ports besides port 80. However, this would be
theoretically possible, but this would make no sense. The virus would
have to scan thousands of ports for every IP address, and the chances of
finding a web server on a port other than port 80 would be very slim.
The virus would be wasting time. The virus would only have to scan port
80 to infect 99 percent of the servers it encounters. I am sure Code
Red could be adapted, but I don't think anybody would for obvious
reasons.
-----Original Message-----
From: Jay Woody [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 20, 2001 4:22 PM
To: NT System Admin Issues
Subject: RE: IIS stopping without reason
>> It can't be Code Red... Until that machine actually goes live,
>> port 80 is blocked to outside traffic
As far as blocking port 80 to outside, I am pretty sure that Code Red
can be adapted to hit any port, it just does 80 for obvious reasons.
Also, I would wonder about internal boxes that then in turn got to this
box.
>> the Index Server service is disabled.
Doesn't matter. All that has to be there is the IDA.dll or whatever
file it was that eeye found the original vuln in. If the file is there,
you can be hit. It is a buffer overflow, so it doesn't depend on a
service, just the mere existence of a file.
>> Not patched (not my choice, people higher up make decisions
>> I can't argue with)
Been there done that. I quickly left and went to a place that cared.
>> I ran three all-files virus checks, on top of the on-access
>> scan, since having this problem
I am puzzled by this statement. I don't believe that there is anything
to "find" for the worm except for maybe some registry entries. The
first changed your webpage and I could see something catching that, but
not an anti-virus. The third put a root.exe and maybe the anti-virus
companies are looking for that now. However, I would rely on anti-virus
to protect me from a Worm. You shut the door.
>> I've rebooted twice (which should have taken care of
>> Code Red if it had been an issue)
No, only if you run the patch and then reboot.
>> I've also run the Code Red scanner, all to no avail.
Don't know which one here, but most of them simply check if you are
vulnerable, not if you are already hit.
You are asking for help here and the best advice that I think any of us
could give you is to first get up to date. Even if we are wrong and it
isn't Code Red, there is still a real good chance that the SPs and HFs
could help here. If I had to guess if you called PSS, that is where
they would take you first also.
BTW, if you are running this on Compaq hardware, tell me. There is a
bluescreen gotcha on some of the platforms.
JayW
>>> [EMAIL PROTECTED] 08/20/01 03:24PM >>>
It can't be Code Red... Until that machine actually goes live, port 80 is
blocked to outside traffic (and I am toying with the idea of not using port
80 when it goes live anyways), besides the Index Server service is disabled.
Not patched (not my choice, people higher up make decisions I can't argue
with) doesn't mean totally abandoned. I update the McAfee virus scan
definition list whenever a new one comes out, I have GroupShield running on
Exchange (updated just as lovingly), I ran three all-files virus checks, on
top of the on-access scan, since having this problem, I've rebooted twice
(which should have taken care of Code Red if it had been an issue) and I've
also run the Code Red scanner, all to no avail.
Eric Peeters
Network Administrator
TexLoc Ltd
-----Original Message-----
From: Kevin Lundy [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 20, 2001 3:06 PM
To: NT System Admin Issues
Subject: RE: IIS stopping without reason
The "no patch" is the clue. My betting money is on Code Red - you have
heard the news the past month?
-----Original Message-----
From: Eric Peeters [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 20, 2001 4:09 PM
To: NT System Admin Issues
Subject: IIS stopping without reason
Hello,
My IIS4 server has been behaving strangely for the past four days. It is not
a mission-critical unit (yet) as it runs only the users' default home page
when they start IE though it was supposed to go live in a week as the IIS
for OWA. On to the problem...
All IIS services (NNTP, FTP, HTTP) are stopped. I click on one of them at
random and hit Start. Nothing happens. I click Start again after a few
seconds. The service in question will start and function normally, however
anywhere from 5 to 15 minutes later, it'll stop again. There is no message
in the log file other than a notice in the Security log that the IIS account
logged in and out at start/stop.
Besides IIS, that box is running Win NT 4 SP6a Server (no patch) and
Exchange 5.5 SP1 (no patch) and it acts as the BDC.
I've roamed through the Microsoft KB (not easy, what keywords do you use to
describe this when there's no message in the log) to no avail. Anyone out
there with a suggestion?
Eric Peeters
Network Administrator
TexLoc Ltd
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm