IIS infection prevention from W32.Nimda.A@mm/TROJ_NIMDA.A

From: Lee Robinson (lrobinson@SANDIEGOEMPIRE.COM)
Date: 09/18/01


Message-ID:  <B1D7F0F6A3A47246B6693ADF84E0C2B55C91@psyclone.sandiegoempire.com>
Date:         Tue, 18 Sep 2001 14:58:12 -0700
From: Lee Robinson <lrobinson@SANDIEGOEMPIRE.COM>
Subject:      IIS infection prevention from W32.Nimda.A@mm/TROJ_NIMDA.A
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Go to Microsoft and install UrlScan:
http://download.microsoft.com/download/iis50/Utility/1.0/NT45XP/EN-US/UrlScan.exe

Read about it here:
<http://www.microsoft.com/technet/security/urlscan.asp>

As soon as I removed all files related to the thing and restarted IIS, a
whole barrage of attackers were logged in IIS trying to do the same thing
and replace files. As soon as I installed UrlScan, it detected and
denied all the attacks. You can view the UrlScan log file as they occur.
