Cisco 7815I Media Convergence Server Troubleshooting Guide

Immediate Actions

Complete these steps:

1. Run the latest win-OS-upgrade (available in the crypto section of the appropriate CallManager version download page on CCO) on all IP Telephony Servers running Windows 2000, and run the appropriate repair utility (Microsoft has a tool available) and/or manually (available from McAfee) close the backdoors created by Code Red II. For IP Telephony Servers running NT4.0 IIS, install Service Pack 6a and then the Code Red fix.

   Caution: Because this worm creates backdoors, the safest action would be to back up the data and reinstall the server from scratch if the server was directly connected to the Internet and someone could have placed more backdoors in it while it was compromised, or if the possibility exists that the server was further compromised from within your network.

2. Stop and disable IIS Admin Service and World Wide Web Publishing service on all Cisco CallManager subscribers, and any server that does not require them. These services must remain active on the Cisco CallManager Publisher.

   To perform this task, follow these steps:

   a. Bring up the services applet by going to Start > Programs > Administrative Tools > Services.
   b. Right-click IIS Admin Service and select Stop. This also stops the World Wide Web Publishing service.
   c. Right-click IIS Admin Service and select Properties. Change Startup Type to Disable, and close the window.
   d. Right-click World Wide Web Publishing and select Properties. Change Startup Type to Disable, and close the window.

3. Patch or repair all known IIS servers in the network.

4. Deploy updated phone loads.

   ♦ For Cisco CallManager 3.0x systems, download ciscocm_3-0-11_spA.exe from Cisco.com. From the CCMAdmin page, go to System > Device Defaults and set the 7940/7960 Device Loads to P003E310. Click Update.
   ♦ For Cisco CallManager 3.1x systems, download ciscocm_3-1-1_spA.exe from Cisco.com. From the CCMAdmin page, go to System > Device Defaults and set the 7940/7960 Device Loads to P00303010100. Click Update.
   ♦ For both Cisco CallManager 3.0 and 3.1, go to System > CallManager Group. Select the first group on the left-hand side, click Reset Devices, and select OK when prompted. Do this for each Cisco CallManager group present so that the phones get their new loads.
   ♦ Cisco CallManager 3.2x and 3.3x systems do not require an updated phone load, as they include all necessary fixes.

5. Identify and take care of remaining infected IIS servers on the network (this could easily stretch into a near-term solution, depending on how many rogue IIS servers are on the network). Here are two methods:

   ♦ On the Cisco CallManager Publishing server, or any other IIS server with logging enabled, go to c:\winnt\system32\logfiles\w3svc1 and access the most recent log file. These files have a naming convention of ex000000.log.

     Look for a line similar to this:

     2001-08-09 00:11:57 172.20.148.189 - 172.20.225.130 80 GET /default.ida
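The log check described above can be scripted so that every source of a /default.ida request is listed at once. This Python sketch is an added example, not part of the original Cisco document: it reads IIS W3C extended log lines, counts GET /default.ida requests per client address (the c-ip field, which is the host that sent the probe), and keeps only internal sources. The function names, the RFC 1918 definition of "internal", and all sample log lines other than the one quoted above are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Assumed field order when the log has no "#Fields:" directive; it matches the
# sample line above: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem
DEFAULT_FIELDS = ["date", "time", "c-ip", "cs-username", "s-ip", "s-port",
                  "cs-method", "cs-uri-stem"]
# Assumption: the internal network uses RFC 1918 space; adjust to your subnets.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def default_ida_sources(lines):
    """Count GET /default.ida requests per client IP in W3C extended log lines."""
    fields, hits = DEFAULT_FIELDS, Counter()
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):      # header redefines the column order
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "").split("?", 1)[0].lower()
        if row.get("cs-method") == "GET" and stem == "/default.ida" and "c-ip" in row:
            hits[row["c-ip"]] += 1
    return hits

def internal_sources(hits, nets=INTERNAL_NETS):
    """Keep only sources inside the given networks: hosts you can patch or rebuild."""
    keep = {}
    for ip, count in hits.items():
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:                   # malformed c-ip field, skip it
            continue
        if any(addr in net for net in nets):
            keep[ip] = count
    return keep

# Constructed sample log; only the first data line comes from the text above.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem
2001-08-09 00:11:57 172.20.148.189 - 172.20.225.130 80 GET /default.ida
2001-08-09 00:12:03 172.20.148.189 - 172.20.225.130 80 GET /default.ida
2001-08-09 00:14:40 192.0.2.44 - 172.20.225.130 80 GET /default.ida
2001-08-09 00:15:02 172.20.10.7 - 172.20.225.130 80 GET /ccmadmin/main.asp
""".splitlines()

if __name__ == "__main__":
    print(internal_sources(default_ida_sources(SAMPLE_LOG)))
```

To run it against a real log, pass the lines of the most recent file from the w3svc1 directory to default_ida_sources() in place of SAMPLE_LOG.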