Jude's Blog

Posts Tagged ‘EternalBlue’

Windows Server Restarting often with BSOD


Issue


Here’s the case: during the last two weeks we’ve identified quite a few scenarios where Domain Controllers kept restarting out of nowhere. The symptoms:

  • BlueScreen (BSOD)
  • Restarting every 5-10 mins or quite often
  • Windows Server 2012 or Windows Server 2012 R2

Going through the dump analysis for those cases and digging in further, the root cause pointed to the Windows driver srv.sys, the kernel driver that serves SMBv1 connections. The restarts are caused by a memory overflow (memory corruption) in that driver, which the kernel catches as a bugcheck. The relevant part of the dump analysis:

BugCheck 50, {ffffe00171aad000, 1, fffff80004652c20, 0}

Probably caused by : srv.sys ( srv!SrvOs2FeaToNt+48 )

Followup:     MachineOwner
---------

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffffe00171aad000, memory referenced.
Arg2: 0000000000000001, value 0 = read operation, 1 = write operation.
Arg3: fffff80004652c20, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 0000000000000000, (reserved)

STACK_TEXT:  
ffffe001`71aad000 00000000`00000001 ffffd000`208c8700 : nt!KeBugCheckEx
ffffe001`6c82a040 ffffd000`208c8700 fffff800`276e5c76 : nt! ?? ::FNODOBFM::`string'+0x26b6e
ffffe001`71aad000 ffffc000`320d2000 fffff800`27754445 : nt!MmAccessFault+0x769
fffff800`04652b52 00000000`00000010 00000000`00000246 : nt!KiPageFault+0x12f
ffffe001`71aacff8 5c725c6e`5c725c36 ffffc000`320c2138 : srv!SrvOs2FeaToNt+0x48
00000000`00000000 ffffc000`320b2010 00000000`00000002 : srv!SrvOs2FeaListToNt+0x125
fffff800`00010fe8 ffffe001`71a9c010 ffffe001`70d56010 : srv!SrvSmbOpen2+0xc3
ffffe001`70d56010 ffffc000`320b2010 00000000`00000002 : srv!ExecuteTransaction+0x2ca
00000000`00000000 ffffe001`00000035 ffffe001`0000f3d0 : srv!SrvSmbTransactionSecondary+0x40b
ffffe001`6ef9c388 ffffe001`70d56a80 fffff800`0461b010 : srv!SrvProcessSmb+0x237
ffffe001`70d56010 00000000`00000000 ffffe001`70d56020 : srv!SrvRestartReceive+0x114
ffffc000`329656f0 ffffe001`6ef9c340 00000000`00000080 : srv!WorkerThread+0xffffffff`ffffbda5
ffffe001`72281040 ffffd001`8b5e9180 ffffe001`71ef7040 : nt!IopThreadStart+0x26
ffffe001`72281040 ffffe001`6dbc6880 ffffd000`208c8c90 : nt!PspSystemThreadStartup+0x58
ffffd000`208c3000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16

Resolve


Check your updates! In all our cases the client servers were not patched, and the BSOD was due to the SMBv1 memory overflow.

To fix the issue, head over to the Microsoft Security Bulletin MS17-010 (rated Critical), find your operating system in the list and apply the patch ASAP.

It’s strange that everything was fine until now. Since srv.sys only does work in response to SMB requests it receives (note SrvRestartReceive and SrvProcessSmb in the stack above), a crash in it also means something on the network is sending those requests to the server; patching is the fix, but it is worth checking what can reach TCP port 445 on it. Anyhow, whatever has been said and done, this is another good reminder for everyone who is lazy about updating their systems.
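To confirm the pattern on a server that keeps rebooting, here is an added PowerShell check (my example, not from the original post): it lists the recent BugCheck events from the System log, flags 0x50 crashes, shows the srv.sys driver version and reports whether the KBs you pass in are installed. The KB list is a placeholder; take the real IDs for your OS from the MS17-010 bulletin.

```powershell
# Added example (not from the original post): on a server that keeps
# rebooting, pull the recent BugCheck events from the System log and report
# any 0x50 (PAGE_FAULT_IN_NONPAGED_AREA) crashes, then show the version of
# the SMBv1 server driver srv.sys and whether the given KBs are installed.
param(
    [int]$Days = 14,
    [string[]]$RequiredKBs = @('KBxxxxxxx')   # placeholder: copy the real IDs for your OS from MS17-010
)

$since = (Get-Date).AddDays(-$Days)

# Event ID 1001 (source "BugCheck") is written after every reboot from a bugcheck;
# its message carries the stop code, e.g. "The bugcheck was: 0x00000050 (...)".
$crashes = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1001; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Message -match 'bugcheck was:\s*(0x[0-9A-Fa-f]{8})') {
            [pscustomobject]@{ Time = $_.TimeCreated; BugCheck = $Matches[1] }
        }
    }

"Bugcheck reboots in the last $Days days: $(@($crashes).Count)"
$crashes | Group-Object BugCheck | ForEach-Object { "  {0}: {1} time(s)" -f $_.Name, $_.Count }

if ($crashes | Where-Object BugCheck -eq '0x00000050') {
    "  -> 0x50 seen; open the dump (MEMORY.DMP) and look for srv.sys in the stack as in the post."
}

# The SMBv1 server driver the dumps point at.
$srv = Get-Item "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue
if ($srv) { "srv.sys version: $($srv.VersionInfo.FileVersion) (modified $($srv.LastWriteTime))" }
else      { "srv.sys not present (SMBv1 server driver not installed)" }

# Installed hotfixes vs. the KBs the bulletin lists for this OS.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
foreach ($kb in $RequiredKBs) {
    "{0}: {1}" -f $kb, $(if ($installed -contains $kb) { 'installed' } else { 'MISSING - patch now' })
}
```

Run it elevated on the affected Domain Controller; a run of 0x50 events together with a missing KB is exactly the picture described in the post.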


WannaCrypt attack: keeping protected


Issue


I’m pretty sure you know it already. There’s a serious ransomware spreading across the globe, and this one, I repeat, is pretty darn serious!

Behold! “WannaCrypt” is here. It is so severe that more than 95k PCs have reportedly been infected already.


The problem is that if the ransomware hits you, it locks (encrypts) your files so that you have no way of opening them without unlocking (decrypting) them. To unlock them, the makers of the malware demand a ransom, and there is no guarantee they will give you the key even if you pay.

Apart from that, it can spread to other computers, which makes things worse. It spreads through a remote code execution vulnerability in the Microsoft Server Message Block 1.0 (SMBv1) component.

Resolve


Individual user

  1. Update your Antivirus application
  2. Update your Windows Operating System
    Running Windows XP? There’s good news for you. For older systems like Windows XP, Windows Server 2003 etc., Microsoft no longer provides updates as their support lifecycle has ended. However, due to the severity of the case, Microsoft has been generous enough to make the patches for the operating systems below publicly available. Click the links below to view and download the updates needed.

    Windows XP SP2 x64
    Windows XP SP3 x86 
    Windows XP Embedded SP3 x86
    Windows 8 x86
    Windows 8 x64

  3. Run a full Anti-virus scan of your computer.
  4. Pray!

Corporate/Enterprise/IT Admins

  1. If you have an enterprise antivirus suite, make sure its engine is up to date.
  2. Push the latest AV updates to your client PCs.
  3. Update all your Windows operating systems, both clients and servers.
    Microsoft has you covered if you still have Windows Server 2003 as well.
    If you have WSUS or SCCM, approve the updates and push them out. If not, use the ‘MS17-010’ link below to get the correct update for your system.

Windows Server 2003 SP2 x64
Windows Server 2003 SP2 x86

MS17-010 – Microsoft Security Bulletin Update

Oh, and Windows 10 users, you’re all good. ^_^
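For the admins with a fleet to check, here is an added PowerShell audit (my example, not from the original post) that asks each server whether the MS17-010 update for its OS is installed and whether the SMBv1 server, the component the worm spreads through, is still enabled. It assumes PowerShell remoting and admin rights on the servers; the server names are made up and the KB numbers are placeholders to be copied from the bulletin.

```powershell
# Added example (not from the original post): audit servers for (a) the
# MS17-010 KB for their OS and (b) whether SMBv1 serving is still enabled.
# Assumptions: PS remoting works, you are admin, names/KBs below are placeholders.
$Servers = @('dc01', 'fs01', 'app01')          # constructed names, replace with yours
$KbByOs = @{
    'Server 2012 R2' = @('KBxxxxxxx')          # placeholder, copy from the bulletin
    'Server 2012'    = @('KBxxxxxxx')
    'Server 2008 R2' = @('KBxxxxxxx')
}

$report = Invoke-Command -ComputerName $Servers -ScriptBlock {
    $os  = (Get-CimInstance Win32_OperatingSystem).Caption
    $kbs = Get-HotFix | Select-Object -ExpandProperty HotFixID
    # Get-SmbServerConfiguration exists on Server 2012 and later; older hosts keep
    # the setting in the LanmanServer registry key (value absent = SMB1 enabled).
    $smb1 = if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $v = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name SMB1 -ErrorAction SilentlyContinue
        if ($null -eq $v) { $true } else { [bool]$v.SMB1 }
    }
    [pscustomobject]@{ OS = $os; HotFixes = $kbs; SMB1Enabled = $smb1 }
}

foreach ($r in $report) {
    # Longest matching key first so "Server 2012 R2" is not mistaken for "Server 2012".
    $osKey = $KbByOs.Keys | Where-Object { $r.OS -like "*$_*" } |
        Sort-Object Length -Descending | Select-Object -First 1
    $required = if ($osKey) { $KbByOs[$osKey] } else { @() }
    $missing  = $required | Where-Object { $r.HotFixes -notcontains $_ }
    $patched  = if (-not $osKey) { 'unknown OS - check bulletin' }
                elseif ($missing) { "MISSING $($missing -join ',')" }
                else { 'patched' }
    "{0,-12} {1,-40} MS17-010: {2,-30} SMB1 enabled: {3}" -f $r.PSComputerName, $r.OS, $patched, $r.SMB1Enabled
}

# Hosts that are both unpatched and still serving SMBv1 are the ones to fix first:
# push the update via WSUS/SCCM, and where nothing needs SMBv1, turn it off with
#   Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force   (Server 2012 and later)
```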

Written by judeperera

May 13, 2017 at 9:56 am