Bugtraq mailing list archives

Re: Microsoft IIS problems (Current)

From: neil () geekshanty com
Date: Thu, 19 Jul 2001 16:48:18 -0500

I have seen some problems with NT4 servers running Exchange crashing when
they encounter the Code Red Worm.  These machines were all upgraded with the
patch in the MS-33 ida/idq bulletin.  While the worm wouldn't exploit the
servers, it would bring down IIS4.  

The page returned contained an error message:
<snip>
    This is the error page for errors found in .idq files
    A registry entry points to this page (where X is the current language):
</snip>

This was returned along with a registry key and some more detail why it
failed.  Out of all the servers, only the ones with Exchange exhibited these
problems after being patched.  I have confirmed these results with someone
with a similar setup.  The only way I could stop it was to unmap the ida/idq
extensions from IIS4.

Has anyone else seen similar behavior?  Is this limited only to NT4/Exchange
machines?  I haven't been able to test it on an IIS5 machine to see.  I'd
advise anyone currently having these problems to unmap the ida/idq extensions.

For dumps/more information just let me know.

Neil


On 07-19 (13:20), Jim Hribnak wrote:


There appears to be a WIDE spread issue with IIS 4 and IIS 5 right now.  The
services will automatically shut down when attacked.  There is patches (old
Patches) that seem to fix the problem YET the patch says its for Microsoft
Index server (a lot of people are not running Index server, yet this patch
fixes the crashing problem.

Upon further reading of the bulletin below it say

"
Affected Software:

  a.. Microsoft Index Server 2.0
  b.. Indexing Service in Windows 2000
"

Most people will not install this if they are not running the software
listed above.  The above should have also said IIS 4 and IIS 5 are affected.

And it does if you read the technical section..

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
bulletin/MS01-033.asp

for IIS4 /NT4
http://www.microsoft.com/ntserver/nts/downloads/critical/q300972/default.asp

for IIS5/Win2000
http://www.microsoft.com/windows2000/downloads/critical/q300972/default.asp



---------------------------------------
Jim Hribnak
Manager Communication Services
Nucleus Inc.
403-209-0000

Current thread:

Microsoft IIS problems (Current) Jim Hribnak (Jul 19)
- Re: Microsoft IIS problems (Current) GVB (Jul 19)
- Re: Microsoft IIS problems (Current) Andy Colvin (Jul 19)
- Re: Microsoft IIS problems (Current) neil (Jul 19)
- <Possible follow-ups>
- RE: Microsoft IIS problems (Current) Lambert, Andy (Jul 19)
  - Re: Microsoft IIS problems (Current) Gary Flynn (Jul 19)
  - RE: Microsoft IIS problems (Current) Darrell Hyde (Jul 19)
- RE: Microsoft IIS problems (Current) Rich Ostergard (Jul 19)