Hi,
We had several core dumps on our filers today. To be exact those were - 1 node a FAS980c - 1 node a FAS270c - R200 - F760 running 6.5.1.
All machines crashed within half an hour with the following message:
Panic string: PageFault (write invalid page) on address 0xc7d2e000 (errcode 0x2), eip = 0x713cb1 esp = c1afbd7c ebp = 0xc1afbd84 cs = 8 eflags = 10202 in process SMBRPCWor
As those filers are used in different windows domains from different clients I can't think of any normal client that could have caused the crash. Then some hours later I found an article from SANS about a new version of the PhatBot worm seems to include an LSASS exploit code. http://www.incidents.org/diary.php?date=2004-04-27&isc=932fe245375de59f9...
I don't like the idea, but could OnTAP be vulnerable to a windows exploit? Has anyone else seen this problem?
Carsten
think so >(
********************************************************************* NETWORK APPLIANCE Field Alert Notice # 211 April 28, 2004 *********************************************************************
Worm on Microsoft Clients can panic NetApp Appliances -----------------------------------------------------
A new worm or virus running on infected Microsoft clients can panic NetApp Appliances running any ONTAP or NetCache Release. While NetApp appliances do not run the worm code, NetApp appliances will panic and reboot if a client that is running the worm code exposes a NetApp appliance to this worm.
We have seen a few instances of bug # 130383 and have developed and validated the fix at some customer sites, however, we are not certain that we have seen all the variants of this worm. As an immediate solution we have made the following patches available on the NOW site which will prevent the panics due to this bug:
ONTAP Patches:
6.5.1D1 http://now.netapp.com/NOW/download/software/ontap/6.5.1D1/ 6.5R2P13D1 http://now.netapp.com/NOW/download/software/ontap/6.5R2P13D1/ 6.4.4P7D3 http://now.netapp.com/NOW/download/software/ontap/6.4.4P7D3/ 6.3.3P3D1 http://now.netapp.com/NOW/download/software/ontap/6.3.3P3D1/
NetCache Patches:
5.6D13 http://now.netapp.com/NOW/download/software/netcacheapp/5.6D13 5.3.1R4D10 http://now.netapp.com/NOW/download/software/netcacheapp/5.3.1R4D10/
For more details on bug 130383, please see the public report at:
http://now.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=130383
Allendörfer, Carsten wrote:
Hi,
We had several core dumps on our filers today. To be exact those were
- 1 node a FAS980c
- 1 node a FAS270c
- R200
- F760
running 6.5.1.
All machines crashed within half an hour with the following message:
Panic string: PageFault (write invalid page) on address 0xc7d2e000 (errcode 0x2), eip = 0x713cb1 esp = c1afbd7c ebp = 0xc1afbd84 cs = 8 eflags = 10202 in process SMBRPCWor
As those filers are used in different windows domains from different clients I can't think of any normal client that could have caused the crash. Then some hours later I found an article from SANS about a new version of the PhatBot worm seems to include an LSASS exploit code. http://www.incidents.org/diary.php?date=2004-04-27&isc=932fe245375de59f9...
I don't like the idea, but could OnTAP be vulnerable to a windows exploit? Has anyone else seen this problem?
Carsten
-
"Allendörfer, Carsten" -
Hannes Herret - Bacher Systems EDV GmbH