Re: Am i safe now?

From: BB (Bernard_at_3exp.com)
Date: 01/23/03


From: "BB" <Bernard_at_3exp.com>
Date: Thu, 23 Jan 2003 10:06:14 +0800

1) Yes, you are safe from Nimda and CodeRed.
     No on other viruses, because we don't know the pattern yet :)

2) When you see such a log, you should try to find
    out where it is coming from. Say this one is from pd9009992, right?
    So report it to them. I bet they don't even know they're infected.

3) More resources on securing IIS.
Resources for Securing Internet Information Services
http://support.microsoft.com/?id=282060
http://securityadmin.info/faq.htm#harden
http://securityadmin.info/faq.htm#firewall

4) Apache? I have zero knowledge :)

Rgds.

"kaineo" <kaineo@punkass.com> wrote in message
news:1043283688.86558.0@doris.uk.clara.net...
> Info on me
> Win2k SP3, done all the Windows updates, IIS5
> ran IISlockdown and
> Microsoft Baseline Security Analyzer, got all OKs on that one
> and 2 firewalls and anti-virus software (updated about every 3 days or
> so)
>
> What I want to know
>
> Hi all, I'm running apache2 as a front end server but now I need to use .asp
> so want to start IIS5 again
> I look @ my apache log every day and there are always some Nimda tries in
> there (see below)
> pd9009992.dip.t-dialin.net - - [22/Jan/2003:21:15:40 +0000] "GET
> /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 1081
> pd9009992.dip.t-dialin.net - - [22/Jan/2003:21:15:44 +0000] "GET
> /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 1081
> pd9009992.dip.t-dialin.net - - [22/Jan/2003:21:15:48 +0000] "GET
> /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1081
> pd9009992.dip.t-dialin.net - - [22/Jan/2003:21:15:50 +0000] "GET
> /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1081
> pd9009992.dip.t-dialin.net - - [22/Jan/2003:21:15:54 +0000] "GET
> /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1081
> pd9009992.dip.t-dialin.net - - [22/Jan/2003:21:15:58 +0000] "GET
> /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1081
> pd9009992.dip.t-dialin.net - - [22/Jan/2003:21:16:01 +0000] "GET
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1081
> pd9009992.dip.t-dialin.net - - [22/Jan/2003:21:16:03 +0000] "GET
> /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 1008
> pd9009992.dip.t-dialin.net - - [22/Jan/2003:21:16:06 +0000] "GET
> /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 1008
> pd9009992.dip.t-dialin.net - - [22/Jan/2003:21:16:10 +0000] "GET
> /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1081
> pd9009992.dip.t-dialin.net - - [22/Jan/2003:21:16:17 +0000] "GET
> /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1081
>
> I have run IISlockdown and then deleted the /scripts/, /MSADC/ and other
> Vdirs in Internet Services Manager
> My question is, am I safe from the Nimda virus and others???
>
> If so, thank you for taking the time to read this post and letting me know I'm
> ok
> If not, thank you for looking @ this post and hopefully helping me out to make my
> server safer and better
> kaineo
> P.s I will be running IIS on port 8080 if this needs to be known
> P.p.s when I do get Nimda hits like above what should I do, try and contact the
> server owner that the hits are coming from? I've seen some code that I can
> add to my apache config that will shut down the server that is infected with
> Nimda? can this be done?
>
> Thanks again
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.445 / Virus Database: 250 - Release Date: 21/01/2003
>
>
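BB's point 2 (work out which host the probes come from and report it) and the original poster's question about what to do with Nimda hits both come down to reading the Apache log carefully. The script below is an added example, not code from either poster: it parses Apache common-log lines like the ones quoted above, flags the traversal probes by their `..%255c`, `..%c0%af`-style sequences and `cmd.exe` target, decodes the path the worm was really aiming at, and aggregates per source host into a summary suitable for an abuse report. The sample log is constructed from the post's entries plus one benign line with a documentation-range address (198.51.100.7); the mapping of the malformed UTF-8 byte pairs to `/` or `\` is an assumption for display only, based on where they sit in the probe paths.

```python
import re
from urllib.parse import unquote

# Apache common log format: host ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Indicators of the Nimda / Code Red traversal probes: ".." followed by an
# encoded or literal separator, or a request for cmd.exe / root.exe
# (root.exe is the copy of cmd.exe left behind by the Code Red II backdoor).
PROBE_RE = re.compile(r'cmd\.exe|root\.exe|\.\.(?:%|/|\\)', re.IGNORECASE)

# Malformed UTF-8 byte pairs used in the quoted probes where a path separator
# belongs. Mapping them to "/" or "\" is an assumption for readable output only.
OVERLONG = {"%c0%af": "/", "%c0%2f": "/", "%c1%1c": "\\", "%c1%9c": "\\"}

# Constructed sample: three lines reconstructed from the post, one benign request.
SAMPLE_LOG = """\
pd9009992.dip.t-dialin.net - - [22/Jan/2003:21:15:40 +0000] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1081
pd9009992.dip.t-dialin.net - - [22/Jan/2003:21:15:54 +0000] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1081
pd9009992.dip.t-dialin.net - - [22/Jan/2003:21:16:03 +0000] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 1008
198.51.100.7 - - [22/Jan/2003:21:20:11 +0000] "GET /index.html HTTP/1.1" 200 2326
"""


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_traversal_probe(path):
    """True when the raw request path carries a traversal / cmd.exe indicator."""
    return bool(PROBE_RE.search(path))


def decode_path(path):
    """Undo the worm's encoding tricks so the intended target is readable.

    Malformed byte pairs are mapped first (a plain percent-decode would turn
    them into U+FFFD), then percent-decoding is repeated so that double
    encodings such as %255c -> %5c -> \\ and %%35%63 -> %5c -> \\ collapse.
    """
    p = path
    for raw, sep in OVERLONG.items():
        p = re.sub(re.escape(raw), lambda _m, s=sep: s, p, flags=re.IGNORECASE)
    for _ in range(3):
        decoded = unquote(p)
        if decoded == p:
            break
        p = decoded
    return p


def summarize(log_text):
    """Aggregate probe lines per source host: count, time span, decoded targets,
    and how many were answered with a 2xx (which would deserve a closer look)."""
    per_host = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_traversal_probe(rec["path"]):
            continue
        entry = per_host.setdefault(rec["host"], {
            "count": 0, "first": rec["time"], "last": rec["time"],
            "targets": set(), "served": 0,
        })
        entry["count"] += 1
        entry["last"] = rec["time"]
        entry["targets"].add(decode_path(rec["path"]).split("?")[0])
        if rec["status"].startswith("2"):
            entry["served"] += 1
    return per_host


def build_report(per_host):
    """Render the per-host summary as plain text for an abuse report."""
    lines = []
    for host, e in sorted(per_host.items()):
        lines.append(f"{host}: {e['count']} probe(s) between {e['first']} and "
                     f"{e['last']}; {e['served']} answered with 2xx")
        for target in sorted(e["targets"]):
            lines.append(f"    -> {target}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_report(summarize(SAMPLE_LOG)))
```

The 404 and 400 responses in the post mean Apache never served anything for these requests, which is why the probing host, not the poster's server, is the one to worry about; the report text names that host and the time window so its owner (or the ISP abuse desk for the dial-in pool) can find the infected machine.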