Software Updates Services no longer working

From: Jason Gersekowski (jag_at_GOLDENCIRCLE.COM.AU)
Date: 08/18/03

  • Next message: Glenn Turner: "SUS uses windowsupdate.com"
    Date:         Mon, 18 Aug 2003 12:09:17 +1000
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Hello all,

    I have just been testing a deployment of Microsoft Software Update
    Services over the last few days and have found that it has suddenly
    decided to break this morning after doing asynchronize with the
    Microsoft Servers. Below are some extracts of the working logs from
    Friday and the now defunct logs :

    Friday IIS Log :

    2003-08-16 22:27:00 172.16.150.117 - 172.16.150.117 80 HEAD /iuident.cab
    0308162227 200 Industry+Update+Control
    2003-08-16 22:27:00 172.16.150.117 - 172.16.150.117 80 GET /iuident.cab
    0308162227 200 Industry+Update+Control
    2003-08-16 22:27:00 172.16.150.117 - 172.16.150.117 80 HEAD
    /selfupdate/AU/x86/W2K/en/wuaucomp.cab 0308162227 200
    Industry+Update+Control
    2003-08-16 22:27:00 172.16.150.117 - 172.16.150.117 80 GET
    /selfupdate/AU/x86/W2K/en/wuaucomp.cab 0308162227 200
    Industry+Update+Control
    2003-08-16 22:27:00 172.16.150.117 - 172.16.150.117 80 HEAD /iuident.cab
    0308162227 200 Industry+Update+Control
    2003-08-16 22:27:00 172.16.150.117 - 172.16.150.117 80 GET /wutrack.bin
    V=1&U=b5427acc134d9c4ab810c72515ddd2f2&C=iu&A=n&I=&D=&P=5.0.893.2.0.3.0&
    L=en-US&S=s&E=00000000&M=&X=030816222700742 200 Industry+Update+Control
    2003-08-16 22:27:00 172.16.150.117 - 172.16.150.117 80 POST
    /autoupdate/getmanifest.asp - 200
    Mozilla/4.0+(compatible;+Win32;+WinHttp.WinHttpRequest.5)
    2003-08-16 22:27:00 172.16.150.117 - 172.16.150.117 80 POST
    /autoupdate/getmanifest.asp - 200
    Mozilla/4.0+(compatible;+Win32;+WinHttp.WinHttpRequest.5)
    2003-08-16 22:27:01 172.16.150.117 - 172.16.150.117 80 POST
    /autoupdate/getmanifest.asp - 200
    Mozilla/4.0+(compatible;+Win32;+WinHttp.WinHttpRequest.5)
    2003-08-16 22:27:01 172.16.150.117 - 172.16.150.117 80 GET /wutrack.bin
    V=1&U=b5427acc134d9c4ab810c72515ddd2f2&C=au&A=d&I=&D=&P=5.0.893.2.0.3.0&
    L=en-US&S=s&E=00000000&M=items%3D0&X=030816222702180 200
    Industry+Update+Control

    Monday IIS Log :

    2003-08-18 02:02:05 172.16.150.117 - 172.16.150.117 80 HEAD /iuident.cab
    0308180202 200 Industry+Update+Control
    2003-08-18 02:02:05 172.16.150.117 - 172.16.150.117 80 GET /iuident.cab
    0308180202 200 Industry+Update+Control
    2003-08-18 02:02:05 172.16.150.117 - 172.16.150.117 80 HEAD
    /selfupdate/AU/x86/W2K/en/wuaucomp.cab 0308180202 200
    Industry+Update+Control
    2003-08-18 02:02:05 172.16.150.117 - 172.16.150.117 80 GET
    /selfupdate/AU/x86/W2K/en/wuaucomp.cab 0308180202 200
    Industry+Update+Control
    2003-08-18 02:02:07 172.16.150.117 - 172.16.150.117 80 HEAD /iuident.cab
    0308180202 200 Industry+Update+Control
    2003-08-18 02:02:07 172.16.150.117 - 172.16.150.117 80 GET /wutrack.bin
    V=1&U=b5427acc134d9c4ab810c72515ddd2f2&C=iu&A=n&I=&D=&P=5.0.893.2.0.3.0&
    L=en-US&S=s&E=00000000&M=&X=030818020207182 200 Industry+Update+Control
    2003-08-18 02:02:07 172.16.150.117 - 172.16.150.117 80 GET
    /<Rejected-By-UrlScan>
    ~/v4.windowsupdate.microsoft.com/autoupdate/getmanifest.asp 404
    Mozilla/4.0+(compatible;+Win32;+WinHttp.WinHttpRequest.5)
    2003-08-18 02:02:07 172.16.150.117 - 172.16.150.117 80 GET /wutrack.bin
    V=1&U=b5427acc134d9c4ab810c72515ddd2f2&C=au&A=d&I=&D=&P=5.0.893.2.0.3.0&
    L=en-US&S=f&E=80190194&M=&X=030818020207775 200 Industry+Update+Control

    The client logs also show similar messages that reflect "404 File Not
    Found" messages.

    Anyone else getting similar log messages ?

    Cheers,

    Jason Gersekowski
    Golden Circle Limited

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    Are You "Certifiable"? Summer's Hottest Certification Just Got HOTTER!

    With a growth rate exceeding 110%, the TICSA security practitioner
    certification is one of the hottest IT credentials available. And now, for
    a limited time, you can save 33% off of the TICSA certification exam! To
    learn more about the TICSA certification, and to register as a TICSA
    candidate online, just go to

    http://www.trusecure.com/offer/s0100/

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo


  • Next message: Glenn Turner: "SUS uses windowsupdate.com"