Re: Buffer Overflow
From: Karl Levinson [x y] mvp (firstname.lastname@example.org)
Date: Thu, 27 Mar 2003 15:54:39 -0500

If your Exchange server is sending traffic to workstations on TCP port 80,
that doesn't sound like the first thing I would do. First, I would unplug
the server's network connection and use antivirus to determine what virus, if
any, is on the computer. I would want to determine what is causing this so I
would know what my response should be. These things are what I would do:

I think it's more likely that IIS web services were left enabled on the
Exchange server [such as perhaps for OWA to work] and possibly you have the
Code Red or Nimda worms. This sounds like a worm, and installing the
ntdll.dll patch does not prevent any worms that I know of.

Antivirus may not always detect Code Red and/or Nimda, so you might also
want to search for information on those viruses in a virus database such as
the one at www.sarc.com to see how to recognize and deal with such a virus.

Installing URLScan from www.microsoft.com/technet/security blocks a lot of
these IIS worms.

"Brandon" <firstname.lastname@example.org> wrote in message
> My Exchange server is scanning IIS ports on everyone's
> machines on the network, when I try to install patches
> usually a file is locked like ntdll.dll or sp3.cab.
> Does anyone know what I can do to stop this?
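
To confirm from a workstation's IIS logs which host is sending the kind of probes discussed in this thread, here is an added example (not part of either post) that counts Code Red-like and Nimda-like requests per client IP. The request shapes are the publicly documented ones for those worms; the W3C field layout, IP addresses and log lines are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in IIS W3C extended format (not taken from the thread).
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2003-03-27 14:01:12 192.0.2.10 GET /default.ida " + "N" * 224 + " 404",
    "2003-03-27 14:01:15 192.0.2.10 GET /scripts/root.exe /c+dir 404",
    "2003-03-27 14:01:16 192.0.2.10 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404",
    "2003-03-27 14:02:40 192.0.2.55 GET /exchange/logon.asp - 200",
    "2003-03-27 14:03:02 192.0.2.10 GET /MSADC/root.exe /c+dir 404",
])

def classify(stem, query):
    """Return a label for one request, or None if it matches neither pattern."""
    # Decode twice so double-encoded separators (%255c -> %5c -> \) are seen.
    path = unquote(unquote(stem)).replace("\\", "/").lower()
    # Code Red: Index Server extension with a long run of filler N or X.
    if path.endswith((".ida", ".idq")) and re.search(r"N{20,}|X{20,}", query):
        return "code-red-like"
    # Nimda: requests for a command shell or backdoor copy under web paths.
    if path.endswith(("/cmd.exe", "/root.exe")):
        return "nimda-like"
    return None

def scan(log_text):
    """Count suspicious requests per (client IP, label) in W3C log text."""
    fields, hits = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for following rows
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        label = classify(row.get("cs-uri-stem", ""), row.get("cs-uri-query", "-"))
        if label:
            hits[(row.get("c-ip", "?"), label)] += 1
    return hits

if __name__ == "__main__":
    for (ip, label), count in sorted(scan(SAMPLE_LOG).items()):
        print(f"{ip}\t{label}\t{count}")
```

A single internal address accounting for most of the hits across several workstations' logs points to the infected host to disconnect first.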