RE: ISA Server Crash - More Information
From: Laurence Hartje (laurenceh_at_healthforcepartners.com)
Date: 04/01/04
- Previous message: Levinson, Karl: "RE: ISA Server Crash - More Information"
- Maybe in reply to: Bill Hays: "ISA Server Crash - More Information"
- Next in thread: Jim Harrison (ISA): "RE: ISA Server Crash - More Information"
Date: Thu, 1 Apr 2004 07:46:13 -0800
To: <wjhays@sbcglobal.net>, <focus-ms@securityfocus.com>

I'm by no means an NTFS expert, nor have I had to fight with the Witty
worm, but I would expect if it happened to corrupt the beginning of the
MFT (and the MFT mirror) then you would lose all the data on the drive.
Maybe you just happened to get "lucky" in that respect -- although who
knows how much data would still be on the drive even if the MFT
survived.

If the machine just recently crashed, it might have been infected for a
week or longer, since the worm started its spread around the 19th of
March.

Have you checked the integrity of all the data on the second partition?
Since the worm seems to select random sectors from the disk, you might
see some corruption of the data that was on the second partition. It
might give some answers to your questions.

FYI, it appears that the patch for BlackIce was made available March
9th.

Laurence

-----Original Message-----
From: Bill Hays [mailto:wjhays@sbcglobal.net]
Sent: Wednesday, March 31, 2004 4:53 PM
To: focus-ms@securityfocus.com
Cc: wjhays@sbcglobal.net
Subject: ISA Server Crash - More Information

I appreciate all the responses that I have received, but I still have
one big question. Everything that I have read doesn't say anything
about the Witty worm basically erasing a hard drive. Everything that I
have read states that it over-writes the data until the infected machine
crashes if it is not rebooted before it over-writes the boot sector;
which then can cause other serious problems. Am I missing something?

As requested by most everyone, here is more information on my system. I
want to tell everyone that this hard drive had two partitions and only
the second partition survived. The active partition was the one
erased/crashed. I am pretty certain that the C:\ partition was
completely empty. Can anyone advise? Also, the system was running ISA
and Black Ice because that was the way it was configured by someone before
me. I inquired about this when I first started working here and was
told this was double security; I think more like double trouble
personally. As for whether or not Black Ice was updated I know as I
wasn't here when it was built and I haven't done any updates since I
arrived back in the last month.

Also can anyone please tell me if Win2K Server can in fact be formatted
while the system is up and running? I've been pretty lucky I guess in
all the years I've been doing this (8 yrs) that I've never had anything
like this happen.

Thanks again for everyone's help;

Bill Hays
IT Support Specialist
MCP (NT4&W2K)