> > You're learning the hard way what I've been saying for a long time, do NOT
> > put your mailbox server directly onto internet.
>
> Just out of curiosity, if an Imail server used to run IIS on it, but IIS has
> been disabled, will nimda and Code Red still see IIS on that server?

Doesn't matter if nimda and CR "see" IIS on that server. Whatever is
running on port 80 will be slammed by those DoS-style bogus GET requests.
The MO of these viruses is to hit port 80 on machines around the world,
trying to get in, and the best defense against the DoS is to either 1)
take webmail off port 80 or off the public internet altogether, or if you
can't do that, 2) drop suspected bogus GET requests at the border router.

If you're running webmail on port 80, and have logging enabled in web
messaging, take a look at your W2YYMMDD.log files in your spool directory
to get a direct look at the IPs and GET requests hitting you. Here's what
some look like (spaces added to prevent virus filtering):

20010921 000541 Socket Error - 216.228.64.107 Error while writing sockect
due to error 10054 or malicious connection type.
20010921 000541 Info - 216.228.64.107   GET / s c r i p t s /..%255c../w i
n n t / s y s t e m 3 2 / c m d . e x e ? / c + d i r   H T T P /1.0.
20010921 000541 Request processed with no user agent and no referer.

The web messaging service has to WORK to handle those requests! On our
little-used dev server on our DSL network in our R&D office, the W2*.log
file on 9/17 was 99kb, and on 9/18 was 4MB, a 40X increase! Interestingly,
the majority of the IPs involved were from the same A- and B- classes as
our DSL service, so the choosing of attack targets is not completely
random. Yesterday the Web log file size was back down to about 800kb, so
it appears that the storm is subsiding as everyone around the world is
fixing their servers-run-amok, but it's a big heads-up that even though
you have protected your server against the virus, you still have to
protect it against DoS attacks propagated by the virus elsewhere.

Just FWIW... :)


Ron Hornbaker
President/CTO
  .  .  .  .  .  .  .  .  .  .  .  .  http://humankindsystems.com
  .  .  .  .  .  .  .  .  .  .  .  .  w e  c o d e.  w e  c a r e.






______________________________________________________________________
The HKSI-IMail Admin List is hosted by........ Humankind Systems, Inc.
Questions, Comments or Complain like Hell.. mailto:[EMAIL PROTECTED]
Message Archive... http://www.tallylist.com/archives/index.cfm/mlist.4
To Manage your Subscription......... http://humankindsystems.com/lists
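
A log triage sketch for the W2YYMMDD.log review described in the message above, added here as an example and not part of the original e-mail or of IMail's own tooling: it counts worm-style GET probes per source IP and per /16, which is how the address locality mentioned above would show up. The sample lines are constructed in the layout quoted in the message, and the `root.exe` and `default.ida` markers are assumptions beyond what the message shows.

```python
import re
from collections import Counter

# Constructed sample in the W2YYMMDD.log layout quoted above; the IPs are
# documentation addresses, not real hosts.
SAMPLE_LOG = """\
20010921 000541 Info - 192.0.2.107   GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0.
20010921 000541 Request processed with no user agent and no referer.
20010921 000542 Info - 192.0.2.44   GET / s c r i p t s /..%255c../w i n n t / s y s t e m 3 2 / c m d . e x e ? / c + d i r   H T T P /1.0.
20010921 000550 Info - 198.51.100.9   GET / HTTP/1.0.
20010921 000551 Info - 192.0.2.107   GET /scripts/root.exe?/c+dir HTTP/1.0.
20010921 000552 Socket Error - 192.0.2.107 Error while writing sockect due to error 10054 or malicious connection type.
"""

# "date time Info - ip   GET ..." request lines; other line types are skipped.
INFO_RE = re.compile(r"^(\d{8}) (\d{6}) Info - (\d{1,3}(?:\.\d{1,3}){3})\s+(GET\b.*)$")
# cmd.exe and ..%255c come from the excerpt above; root.exe and default.ida
# are assumed markers (well-known Nimda / Code Red request targets).
PROBE_MARKERS = ("cmd.exe", "root.exe", "default.ida", "..%255c")


def is_probe(request):
    # Drop all whitespace so lines pasted with anti-filter spacing still match.
    compact = re.sub(r"\s+", "", request).lower()
    return any(marker in compact for marker in PROBE_MARKERS)


def summarize(log_text):
    by_ip, by_net16 = Counter(), Counter()
    gets = 0
    for line in log_text.splitlines():
        m = INFO_RE.match(line.strip())
        if not m:
            continue
        gets += 1
        ip, request = m.group(3), m.group(4)
        if is_probe(request):
            by_ip[ip] += 1
            by_net16[".".join(ip.split(".")[:2]) + ".0.0/16"] += 1
    return {"gets": gets, "probes": sum(by_ip.values()),
            "by_ip": by_ip, "by_net16": by_net16}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("GET requests:", report["gets"], "probes:", report["probes"])
    for ip, count in report["by_ip"].most_common():
        print(f"  {ip:15} {count}")
    print("by /16:", dict(report["by_net16"]))
```

The per-IP and per-/16 counts are the input for the border-router drop rules mentioned in the message.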
