I'm still doubtful it's using this exploit or if the hole still exists. It's been a LONG time since I tested NT4 fully patched for known exploits.
The solutions to this were waiting on a fix from Microsoft dating back to Quarter 4 of 1999. I don't know if it ever got fixed in either NT or win9x.
But for NT4, anything that kills services.exe will produce the same results. Getting to the root cause of services.exe dying will get you a fix.
1) A repair install on NT. Take it down completely, disconnect it from the network and install over the top from an original NT install CD, then apply SP6a from a CD or whatever before connecting it to the network.
Make sure you have any third party up to date drivers needed to talk to SCSI controllers or raid arrays/other essential devices on floppy or CD before you begin and overwrite any files it says are newer.
(I.e. your 3rd party drivers would override any from the original NT4 install CD.)
2) If this is a frontward facing server to the internet, block port 139 on your firewall for incoming internet traffic for that server unless it's really needed to be open.
I still doubt this exploit is being used, but if, BIG IF, this exploit still exists then the suggested way to stop it from being used is not viable for a server. It was a stopgap for the VERY short term.
Is there anything that happens in the event logs JUST before it happens?
Turn on all logging, successful and unsuccessful, if you suspect someone would be willing to try this.
Terry