Hello,
One thing to look at with this virus is whether it is incoming, outgoing,
or both. What I mean by this is that the IMail web server gets a request
with a malformed header, a directory traversal, or the request from an
infected machine (/d/winnt/system32/cmd.exe?/c+dir
../winnt/system32/cmd.exe?/c+dir /scripts/root.exe?/c+dir), and IMail
answers by refreshing the page. In my case, with the killwebmail, the
response is bigger than the attack. You should download a packet sniffer
from www.wildpacket.com, or any packet sniffer (for any anal people out
there), and see for yourself. A solution to this is to download the
Microsoft IIS filter here
"http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/URLscan.asp"
and set up IMail on a different port than 80 and
have IIS do a redirect to that port. This works and will solve a lot of
problems with virus attacks, not just this one. As you will see with the
packet sniffer, most of the attacks are from your provider's own subnet,
whether it is A, B or C, with infected machines. So you may not be infected
but you think you are. As in the previous conversation, the best help is to
look in the INI file of this program; it is well commented.


Andrew   


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
Sent: Tuesday, September 18, 2001 9:32 PM
To: [EMAIL PROTECTED]
Subject: Re: [IMail Forum] New widespread virus: W32/Nimda-A; arrives
with readme.exe attachment


>It appears that web messaging is affected by this new virus also....I have
>massive referrals from outside the system trying to get in through Web
>Messaging and get to directories and the such and all my systems here are
>clean.  Is there anything IPSwitch can detail about this???

Ipswitch can't do anything about it.  It's a form of DoS attack; it can
only really be lessened by your upstream.  The virus connects to web
servers, and sends about a dozen different HTTP requests to try to break in
to the web server.  These servers are connecting to your server, but since
you have IMail answering port 80 (rather than the default 8383, which the
virus likely won't find), IMail gets hit.

                                                    -Scott
---
Declude: Anti-virus, Anti-spam and Anti-hijacking solutions for 
IMail.  http://www.declude.com


Please visit http://www.ipswitch.com/support/mailing-lists.html 
to be removed from this list.

An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
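
The check described in the thread, done from a web access log instead of a packet sniffer, as an added example that is not part of the original messages: it flags the probe requests quoted above, groups the sources by how close they are to the server's own address, and totals the bytes sent in reply. The Common Log Format layout, the server address 10.1.2.10 and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Probe markers taken from the request strings quoted in the message above.
PROBE_MARKERS = ("cmd.exe?/c+dir", "root.exe?/c+dir")
# Assumption: Common Log Format (client IP first, request line in quotes).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+)[^"]*" \d{3} (\S+)')

# Constructed sample lines (private addresses), not taken from a real server.
SAMPLE_LOG = """\
10.1.2.77 - - [18/Sep/2001:21:05:01 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 310
10.1.2.77 - - [18/Sep/2001:21:05:02 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
10.1.9.4 - - [18/Sep/2001:21:05:09 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 310
10.200.3.3 - - [18/Sep/2001:21:06:40 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
172.16.5.5 - - [18/Sep/2001:21:07:12 -0400] "GET /login.cgi HTTP/1.0" 200 5120
not a log line
""".splitlines()

def is_probe(uri):
    uri = uri.lower()
    return any(marker in uri for marker in PROBE_MARKERS)

def closeness(client, server):
    """Narrowest block shared with the server: /24 (C), /16 (B) or /8 (A)."""
    addr = ip_address(client)
    for prefix in (24, 16, 8):
        if addr in ip_network(f"{server}/{prefix}", strict=False):
            return f"same /{prefix}"
    return "elsewhere"

def summarize(lines, server_ip):
    """Count probe requests per shared block and total the bytes sent in reply."""
    by_block, sources, reply_bytes = Counter(), set(), 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_probe(m.group(2)):
            continue  # skip unparseable lines and ordinary requests
        client, _uri, size = m.groups()
        by_block[closeness(client, server_ip)] += 1
        sources.add(client)
        reply_bytes += int(size) if size.isdigit() else 0  # "-" means no body
    return dict(by_block), sorted(sources), reply_bytes

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "10.1.2.10"))
```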
