Re: Buffer OVerflow

From: Karl Levinson [x y] mvp (
Date: 03/27/03

From: "Karl Levinson [x y] mvp" <>
Date: Thu, 27 Mar 2003 15:54:39 -0500

If your exchange server is sending traffic to workstations on TCP port 80,
that doesn't sound like the first thing I would do. First, I would unplug
the server's network connection and use antivirus to determine what virus if
any is on the computer. I would want to determine what is causing this so I
would know what my response should be. These things are what I would do:

I think it's more likely that IIS web services were left enabled on the
Exchange server [such as perhaps for OWA to work] and possibly you have the
Code Red or Nimda worms. This sounds like a worm, and installing the
ntdll.dll patch does not prevent any worms that I know of.

Antivirus may not always detect code red and/or nimda, so you might also
want to search for information on those viruses in a virus database such as
the one at to see how to recognize and deal with such a virus.

Installing URLScan from blocks a lot of
these IIS worms.

"Brandon" <> wrote in message
> My exchange server is scanning IIS ports on everyones
> machines on the network , when I try to install patches
> usually a file is locked like ntdll.dll or .
> Does anyone know what I can do to stop this
> .