Is there anyone out there having this problem that is not running IIS on
their IMail box? We got hit on Tuesday like everyone else, but IMail runs on
a server by itself. No IIS. I am seeing a lot of malformed header requests
in the logs and some BRO*.tmp files in my spool directory. It is causing web
messaging to crawl, but other than that I have not seen what everyone else
seems to be seeing. No other characteristics of the Nimda virus...

Ipswitch support was quick to point the finger at the Nimda virus and said
to run a virus program and reload the web template files to fix it and that
has done nothing to help. I even went ahead and made the upgrade to v.7.03
last night and no progress. I have all of the virus definitions for Norton
and I've done a couple of system scans and all came up empty-handed. Anyone
else seeing these BRO*.tmp files or is it just me?

----- Original Message -----
From: "ACarroll" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, September 20, 2001 9:02 AM
Subject: RE: [IMail Forum] New widespread virus: W32/Nimda-A; arrives with readme.exe attachment


>
>
> Hello,
> One thing to look at with this virus is whether it is incoming or outgoing
> or both. What I mean by this is that the IMail web server gets a request
> with a malformed header, a directory traversal or the request from an
> infected machine (/d/winnt/system32/cmd.exe?/c+dir
> ../winnt/system32/cmd.exe?/c+dir /scripts/root.exe?/c+dir) and IMail
> answers by refreshing the page; in my case with the killwebmail the
> response is bigger the attack. You should download www.wildpacket.com, a
> packet sniffer, or any packet sniffer (for any anal people out there) and
> see for yourself. A solution to this is to download the Microsoft IIS
> filter here
> "http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/URLscan.asp"
> and set up IMail on a different port than 80 and
> have IIS do a redirect to that port. This works and will solve a lot of
> problems with virus attacks, not just this one. As you will see with the
> packet sniffer, most of the attacks are from your provider's own subnet,
> whether it is A, B or C, with infected machines. So you may not be infected
> but you think you are. As in the previous conversation, the best help is to
> look in the INI file of this program; it is well commented.
>
>
> Andrew
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry
> Sent: Tuesday, September 18, 2001 9:32 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [IMail Forum] New widespread virus: W32/Nimda-A; arrives with readme.exe attachment
>
>
> >It appears that web messaging is affected by this new virus also....I have
> >massive referrals from outside the system trying to get in through Web
> >Messaging and get to directories and the such and all my systems here are
> >clean.  Is there anything IPSwitch can detail about this???
>
> Ipswitch can't do anything about it.  It's a form of DoS attack; it can
> only really be lessened by your upstream.  The virus connects to web
> servers, and sends about a dozen different HTTP requests to try to break in
> to the web server.  These servers are connecting to your server, but since
> you have IMail answering port 80 (rather than the default 8383, which the
> virus likely won't find), IMail gets hit.
>
>                                                     -Scott
> ---
> Declude: Anti-virus, Anti-spam and Anti-hijacking solutions for
> IMail.  http://www.declude.com
>
>
> Please visit http://www.ipswitch.com/support/mailing-lists.html
> to be removed from this list.
>
> An Archive of this list is available at:
> http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
>
>
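
Added example, not part of the original thread: a log check for the cmd.exe/root.exe requests quoted above, counting them per source and splitting them by whether the source shares the server's subnet. The Common Log Format layout, the server address 198.51.100.10 and the /24 prefix are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote

# Probe shape taken from the requests quoted in the thread:
# cmd.exe or root.exe called with a "?/c+..." query string.
PROBE = re.compile(r"/(?:cmd|root)\.exe\?/c\+", re.IGNORECASE)
# Assumption: Common Log Format; adapt the pattern to your server's log.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3}')


def is_probe(target):
    """True if a request target has the cmd.exe/root.exe probe shape."""
    return bool(PROBE.search(unquote(target).replace("\\", "/")))


def summarize(lines, server_ip, prefix):
    """Count probes per source; split into same-subnet and other sources."""
    local = ipaddress.ip_network(f"{server_ip}/{prefix}", strict=False)
    per_source, same, other = Counter(), 0, 0
    for line in lines:
        m = LINE.match(line)
        if not m or not is_probe(m.group(2)):
            continue
        src = m.group(1)
        per_source[src] += 1
        try:
            in_local = ipaddress.ip_address(src) in local
        except ValueError:  # logged as a hostname, not an address
            in_local = False
        same, other = same + in_local, other + (not in_local)
    return per_source, same, other


# Constructed sample lines using documentation addresses, not real traffic.
SAMPLE = [
    '198.51.100.7 - - [18/Sep/2001:21:30:01 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 512',
    '198.51.100.7 - - [18/Sep/2001:21:30:02 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 512',
    '198.51.100.23 - - [18/Sep/2001:21:31:10 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 512',
    '203.0.113.5 - - [18/Sep/2001:21:32:44 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 512',
    '192.0.2.44 - - [18/Sep/2001:21:33:00 -0400] "GET / HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    per_source, same, other = summarize(SAMPLE, "198.51.100.10", 24)
    for src, n in per_source.most_common():
        print(f"{src}\t{n} probe requests")
    print(f"same subnet: {same}, elsewhere: {other}")
```

A high same-subnet count with no matching outbound requests from the server itself points to neighbouring infected hosts rather than a local infection.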

