General discussion

Locked

SP 4?

By rcoolman ·
I have a Win 2k server, also running Exch 5.5 on an NT4 domain. When starts, automatic updates service fails. Have had some RPC errors as well. Have tried several things, but most troublesome development is that I can't install SP 4. It seems to hang & the CPU runs at 100%. It was SP2, I have tried SP 3 & went fine, but no improvement. Any ideas out there?

This conversation is currently closed to new comments.

7 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Comments

Collapse -

by sgt_shultz In reply to SP 4?

sounds like you have the blaster worm. apparently it is not destructive, but will crash computers...search your hard drive for msblast.exe, the worm. find it in system32 folder...it interferes with automatic update and causes rpc errors. it can't infect your nt4 server but it can make it crash...complete instructions plus removal tool found at www.symantec.com. you will need to get microsofts patch downloaded some other way besides windows update before using symantec's removal tool, or implement firewall to block port 4444 (just close everything but port 80)...good luck full instructions are found at MS03-026: Buffer Overrun in RPC Interface May Allow Code Execution on support.microsoft.com
and put a firewall in for pete's sake

Collapse -

by rcoolman In reply to

Nice try - you had me scared, but the removal tool didn't find blaster on my server. And I do have a firewall.
Thanks.

Collapse -

by Joseph Moore In reply to SP 4?

The coding of the Blaster worm is not perfect. On some computers, it crashes the RPC service (an error in SVCHOST.EXE) and can make it unstable. When it does this, RPC will fail, but the virus will NOT be able to load itself on the hit machine.
Therefore, a virus scan will NOT detect the virus, since the MSBLASTER.EXE file was not able to TFTP over to the machine. But RPC was still exploited (and now offline).

So, I would still put the RPC patch on and see if that resolves your issue. Then put SP4 on.

hope this helps

Collapse -

by rcoolman In reply to

That patch doesn't install either. I really don't think I have blaster - nothing on my network that we have run the removal tool on has found it. Thanks, anyway.

Collapse -

by sgt_shultz In reply to SP 4?

yes, i believe you are getting hammered and crashed by infected hosts (like, on your LAN?). i would read up on the blaster worm on the mskb. you will need to close some more *internal* and external ports maybe...there are many reports of patched machines crashing...folks think it is because of way worm works, attempts to contact other hosts and sometimes makes system-stopping error, read up on it...get a port scanner like nmap and scan your exposed servers from inside and outside your lan...the mskb and symantec articles will help you figure out what ports you have to close up. close up everything except stuff you might need like 21 for ftp, 23 for telnet (no!), 25 for smtp 110 for pop3, any other ports like for streaming and stuff...close em all down and see what breaks (:>O. good luck hope i don't see the dang thing...

Collapse -

by rcoolman In reply to

I really don't think I have blaster - nothing on my network that we have run the removal tool on has found it. Thanks, anyway.

Collapse -

by rcoolman In reply to SP 4?

This question was closed by the author

Back to Windows Forum
7 total posts (Page 1 of 1)  

Related Discussions

Related Forums