Re: Buffer Overflow

From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 03/27/03


From: "Karl Levinson [x y] mvp" <levinson_k@excite.com>
Date: Thu, 27 Mar 2003 15:54:39 -0500


If your Exchange server is sending traffic to workstations on TCP port 80,
that doesn't sound like the first thing I would do. First, I would unplug
the server's network connection and use antivirus to determine what virus, if
any, is on the computer. I would want to determine what is causing this so I
would know what my response should be. These things are what I would do:

http://securityadmin.info/faq.htm#hacked
http://securityadmin.info/faq.htm#re-secure
http://securityadmin.info/faq.htm#harden

I think it's more likely that IIS web services were left enabled on the
Exchange server [such as perhaps for OWA to work] and possibly you have the
Code Red or Nimda worms. This sounds like a worm, and installing the
ntdll.dll patch does not prevent any worms that I know of.

Antivirus may not always detect Code Red and/or Nimda, so you might also
want to search for information on those viruses in a virus database such as
the one at www.sarc.com to see how to recognize and deal with such a virus.

Installing URLScan from www.microsoft.com/technet/security blocks a lot of
these IIS worms.

"Brandon" <bhil21@yahoo.com> wrote in message
news:048301c2f48f$ee7cc450$3301280a@phx.gbl...
> My Exchange server is scanning IIS ports on everyone's
> machines on the network, when I try to install patches
> usually a file is locked like ntdll.dll or sp3.cab.
> Does anyone know what I can do to stop this?
>
>
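Added example, not part of the original thread: one way to confirm the symptom described above (a server opening connections to many workstations on TCP port 80) from saved `netstat -an` output taken on the server before cleanup. The sample output, the function name `flag_scanners` and the threshold of 4 distinct targets are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `netstat -an` output (not from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    10.0.0.5:25            10.0.0.40:3312         ESTABLISHED
  TCP    10.0.0.5:80            10.0.0.77:2101         ESTABLISHED
  TCP    10.0.0.5:4101          10.0.0.21:80           SYN_SENT
  TCP    10.0.0.5:4102          10.0.0.22:80           SYN_SENT
  TCP    10.0.0.5:4103          10.0.0.23:80           SYN_SENT
  TCP    10.0.0.5:4104          10.0.0.24:80           ESTABLISHED
  TCP    10.0.0.5:4105          10.0.0.25:80           SYN_SENT
  TCP    10.0.0.5:4200          192.0.2.10:443         ESTABLISHED
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def flag_scanners(netstat_text, port=80, threshold=4):
    """Return {local_ip: {"targets": [...], "half_open": n}} for local
    addresses with outbound connections to `port` on >= threshold hosts."""
    rows = [m.groups() for m in map(ROW.match, netstat_text.splitlines()) if m]
    # Ports this machine listens on: traffic from them is inbound service
    # traffic (e.g. OWA clients), not outbound scanning.
    listening = {lport for _, lport, _, _, state in rows if state == "LISTENING"}
    targets = defaultdict(set)
    half_open = defaultdict(int)
    for lip, lport, rip, rport, state in rows:
        if state == "LISTENING" or lport in listening or int(rport) != port:
            continue
        targets[lip].add(rip)
        if state == "SYN_SENT":  # connection attempt with no answer yet
            half_open[lip] += 1
    return {
        lip: {"targets": sorted(hosts), "half_open": half_open[lip]}
        for lip, hosts in targets.items()
        if len(hosts) >= threshold
    }

if __name__ == "__main__":
    for ip, info in flag_scanners(SAMPLE_NETSTAT).items():
        print(ip, "->", len(info["targets"]), "hosts on port 80,",
              info["half_open"], "half-open")
```

A high count of distinct port 80 targets, mostly in `SYN_SENT`, supports the worm hypothesis and is worth recording before the machine is rebuilt.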