We are having problems with our NetWare 6 SP4 server abending suddenly. The
server has been up and running for months without changes but seems to abend
randomly. After further inspection, the abend.log pointed to a Backup Exec
file; the server has been running well when BE is unloaded.

The violation occurred while processing the following instruction:
0025C26B 8B5704 MOV EDX,[EDI+04]
0025C26E 895010 MOV [EAX+10],EDX
0025C271 8B5014 MOV EDX,[EAX+14]
0025C274 42 INC EDX
0025C275 8B4810 MOV ECX,[EAX+10]
0025C278 895014 MOV [EAX+14],EDX
0025C27B 85C9 TEST ECX,ECX
0025C27D 750C JNZ 0025C28B
0025C27F 8B4004 MOV EAX,[EAX+04]
0025C282 8903 MOV [EBX],EAX
Running process: NRLTLI.NLM 11 Process
Thread Owned by NLM: NRLTLI.NLM
Stack pointer: 8B695028
OS Stack limit: 8B691240
CPU 0 (Thread 8AB27100) is in a NO SLEEP state
Scheduling priority: 67371008
Wait state: 5050190 Blocked on a kernel CV

After posting to Veritas and Novell we came up with ...

Sounds like you're being hit with a new exploit that's floating around
for this BackupExec vulnerability:
http://www.idefense.com/application/poi/display?id=169&type=vulnerabilities
http://isc.sans.org/diary.php?date=2005-01-10
Try blocking port 6101, or unload BackupExec.
-David

We are working on blocking ports but if there are any more suggestions they
would be appreciated.

Scott Foreman
System Development
Controller's Office
Michigan State University
146 Admin Bldg
East Lansing, MI 48824
PH: 517-353-4443
FAX: 517-353-9640