[unisog] mysterious IIS failures

Ward, Mike mike.ward at ubc.ca
Thu Jan 15 19:23:49 GMT 2004

If you are using Backup Exec you may want to verify that you have the latest revision applied.  Because it uses SQL, I have seen older revisions of BE get hit with the W32.SQLExp.Worm even though they have NAV 8 Corporate installed.  The high overload on the infected machines that I saw was shutting down IIS.  It may be worthwhile checking into.

You can view information at the following link:


-----Original Message-----
From: Jim Duncan [mailto:jnduncan at cisco.com] 
Sent: Thursday, January 15, 2004 10:37 AM
To: Russell Fulton
Cc: unisog at sans.org
Subject: Re: [unisog] mysterious IIS failures 

Russell Fulton writes:
> The servers involved are all Windows 2003 (standard) and had all been patched 
> for the known security issues (i.e. after the initial patching of MS03-039, etc. 
> Windows Update was run and now thinks there are no further updates to be 
> loaded).
> The LSASS failure (this thing manages security in Windows) happens when an 
> installation stops/starts Web publishing processes.
> All three machines had external access, nothing special at the time of update,
> R> 'external access' == outbound access to the 'Net, no inbound access. 
> and were on the network at the time (the installation processes require access 
> to DNS etc for certain modules).
> DCOM is consistently not installed.
> COM+/WebDAV are installed.
> 2 out of three had NAV (8.x) installed at the time the issue happened. The 
> virus definitions, etc. were current and the machines subject to the policies 
> managed via Loveleen in ITSS - so real time scanning/heuristics are whatever is 
> currently standard.
> R> We do still have intermittent bursts of welchia/slammer traffic on campus so
> R> the thought that this is causing problems during some small window during 
> R> installs is not totally implausible
> R> anyone have any ideas? 

Hi, Russ.  I suggest the machines be re-installed and the patches 
applied _before_ they are reconnected to the network.

It is interesting that I just had a similar discussion with a coworker 
just a few hours ago.  He uses a USB memory device to carry his patches 
over to the new machine because he will not risk connecting the new 
machine to any network until it is patched.  And this is inside a 
fairly tightly controlled network! ;-)

So, it would be interesting to see if the failures continue even when 
the machine is installed, patched, and brought up again while still off 
the network.

Hope this helps.


Jim Duncan, Critical Infrastructure Assurance Group, Cisco Systems, Inc.
jnduncan at cisco.com, +1 919 392 6209, http://www.cisco.com/go/ciag/.
PGP: DSS 4096/1024 E09E EA55 DA28 1399 75EB D6A2 7092 9A9C 6DC3 1821
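The thread above points at two possible culprits for the IIS failures: residual Slammer (W32.SQLExp.Worm, UDP/1434) traffic reaching an unpatched MSDE/SQL instance such as the one Backup Exec ships, and Welchia ICMP sweeps hitting hosts during the install window. A quick way to check the "bursts on campus" theory is to look for single sources that touch many destinations on UDP/1434 or with ICMP echo inside a short window. The script below is an added example written for this page, not code from any of the posters; the flow-log format, the 10-second window and the thresholds of 20 and 50 distinct destinations are assumptions, and the sample records are constructed.

```python
"""Flag Slammer-style (UDP/1434 spray) and Welchia-style (ICMP echo sweep)
bursts in a simple flow log.

Added example for this thread; log format, window size and thresholds are
assumptions, and all sample data is constructed.
"""
from collections import defaultdict

# Assumed flow-log line format: "<epoch> <proto> <src> <dst> <dport>"
# ICMP echo requests are logged with proto "icmp-echo" and dport 0.
def parse_line(line):
    ts, proto, src, dst, dport = line.split()
    return int(ts), proto, src, dst, int(dport)


def constructed_sample_lines():
    """Build a constructed log: one Slammer-like source, one Welchia-like
    source, plus benign UDP/1434 and ICMP traffic that must not alert."""
    lines = []
    # Slammer-like: one host sprays UDP/1434 at 40 hosts within 5 seconds.
    for i in range(40):
        lines.append(f"{1074195600 + i % 5} udp 10.1.2.3 10.1.9.{i} 1434")
    # Welchia-like: one host pings 120 addresses of a /24 within 8 seconds.
    for i in range(120):
        lines.append(f"{1074195700 + i % 8} icmp-echo 10.1.4.4 10.1.5.{i % 254 + 1} 0")
    # Benign: a backup server resolving a SQL instance once via UDP/1434.
    lines.append("1074195600 udp 10.1.7.7 10.1.9.1 1434")
    # Benign: an admin box pinging three servers.
    for i in range(3):
        lines.append(f"1074195700 icmp-echo 10.1.8.8 10.1.5.{i + 1} 0")
    return lines


def find_bursts(lines, window=10, udp_threshold=20, icmp_threshold=50):
    """Return (kind, src, window_start, distinct_dsts) for every source that
    reaches at least `threshold` distinct destinations in one fixed window.

    Counting distinct destinations rather than packets keeps a single chatty
    client/server pair (e.g. a backup job) from tripping the check."""
    udp1434 = defaultdict(set)    # (src, bucket) -> set of dsts
    icmp_echo = defaultdict(set)  # (src, bucket) -> set of dsts
    for line in lines:
        ts, proto, src, dst, dport = parse_line(line)
        bucket = ts // window
        if proto == "udp" and dport == 1434:
            udp1434[(src, bucket)].add(dst)
        elif proto == "icmp-echo":
            icmp_echo[(src, bucket)].add(dst)

    alerts = []
    for (src, bucket), dsts in sorted(udp1434.items()):
        if len(dsts) >= udp_threshold:
            alerts.append(("slammer-like", src, bucket * window, len(dsts)))
    for (src, bucket), dsts in sorted(icmp_echo.items()):
        if len(dsts) >= icmp_threshold:
            alerts.append(("welchia-like", src, bucket * window, len(dsts)))
    return alerts


if __name__ == "__main__":
    for kind, src, start, n in find_bursts(constructed_sample_lines()):
        print(f"{kind}: {src} reached {n} hosts in window starting {start}")
```

A source that shows up here while a server is being built is a reason to do the install the way Jim describes: off the network until the patches are on. Conversely, if the flows are clean and IIS still fails, the Backup Exec/MSDE revision Mike mentions is the next thing to check.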
