Re: Am I safe now?

From: BB (Bernard_at_3exp.com)
Date: 01/23/03


From: "BB" <Bernard_at_3exp.com>
Date: Thu, 23 Jan 2003 10:06:14 +0800

1) Yes, you are safe from Nimda and Code Red.
     No on other viruses, because we don't know the pattern yet :)

2) When you see such a log, you should try to find
    out where it is coming from. Say this one is from pd9009992, right?
    So report it to them. I bet they don't even know they're infected.

3) More resources on securing IIS.
Resources for Securing Internet Information Services
http://support.microsoft.com/?id=282060
http://securityadmin.info/faq.htm#harden
http://securityadmin.info/faq.htm#firewall

4) Apache? I have zero knowledge :)

Rgds.

"kaineo" <kaineo@punkass.com> wrote in message
news:1043283688.86558.0@doris.uk.clara.net...
> Info on me
> Win2k SP3, done all the Windows updates, IIS5,
> ran IISLockdown and
> Microsoft Baseline Security Analyzer, got all OKs on that one,
> and 2 firewalls and anti-virus software (updated about every 3 days or so)
>
> What I want to know
>
> Hi all, I'm running Apache2 as a front-end server, but now I need to use .asp so I
> want to start IIS5 again.
> I look @ my Apache log every day and there are always some Nimda tries in
> there (see below)
> pd9009992.dip.t-dialin.net - - [22/Jan/2003:21:15:40 +0000] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1081
> pd9009992.dip.t-dialin.net - - [22/Jan/2003:21:15:44 +0000] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1081
> pd9009992.dip.t-dialin.net - - [22/Jan/2003:21:15:48 +0000] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1081
> pd9009992.dip.t-dialin.net - - [22/Jan/2003:21:15:50 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1081
> pd9009992.dip.t-dialin.net - - [22/Jan/2003:21:15:54 +0000] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1081
> pd9009992.dip.t-dialin.net - - [22/Jan/2003:21:15:58 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1081
> pd9009992.dip.t-dialin.net - - [22/Jan/2003:21:16:01 +0000] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1081
> pd9009992.dip.t-dialin.net - - [22/Jan/2003:21:16:03 +0000] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 1008
> pd9009992.dip.t-dialin.net - - [22/Jan/2003:21:16:06 +0000] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 1008
> pd9009992.dip.t-dialin.net - - [22/Jan/2003:21:16:10 +0000] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1081
> pd9009992.dip.t-dialin.net - - [22/Jan/2003:21:16:17 +0000] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1081
>
> I have run IISLockdown and then deleted the /scripts/, /MSADC/ and other
> vdirs in Internet Services Manager.
> My question is: am I safe from the Nimda virus and others???
>
> If so, thank you for taking the time to read this post and letting me know I'm
> OK.
> If not, thank you for looking @ this post and hopefully helping me out to make my
> server safer and better.
> kaineo
> P.S. I will be running IIS on port 8080, if this needs to be known.
> P.P.S. When I do get Nimda hits like the above, what should I do? Try and contact the
> server owner that the hits are coming from? I've seen some code that I can
> add to my Apache config that will shut down the server that is infected with
> Nimda? Can this be done?
>
> Thanks again
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.445 / Virus Database: 250 - Release Date: 21/01/2003
>
>
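The probe lines kaineo quotes are the standard Nimda scan list: one payload, `winnt/system32/cmd.exe?/c+dir`, tried through a dozen encodings of `..\` that an unpatched IIS 4/5 decoded wrongly. Two bugs are being exercised: overlong or malformed "UTF-8" such as `%c0%af` and `%c1%1c`, which IIS turned into `/` and `\` (the Web Server Folder Traversal issue, MS00-078), and double decoding such as `%255c`, `%%35%63` and `%25%35%63`, where IIS checked the path after one decode and then decoded again (the superfluous-decoding issue, MS01-026). Apache decodes once and strictly, so nothing resolves: the 404s are "no such path" and the two 400s on `%%35%63` and `%%35c` are Apache rejecting a malformed percent-escape outright. The following is an added example, not code from the thread or from either poster: a small Python script that normalises a request path the way the vulnerable server would have, flags traversal-plus-`cmd.exe` probes in a Common Log Format file, and groups hits per source host with first/last time and status codes, which is the information BB's point 2 says to gather before reporting. The log lines inside it are constructed (three modelled on the quoted probes, one benign request from a documentation address); the function names are mine.

```python
"""Added example (not code from the thread): normalise Nimda / Code Red style
probe URLs the way the unpatched IIS decoded them, flag them, and group hits
by source host so the operator knows whom to report them to."""
import re
from collections import defaultdict
from typing import Optional
from urllib.parse import unquote_to_bytes

# Constructed sample log. The first three lines are modelled on the probes
# quoted in the thread; the last is an ordinary request from a documentation
# address (RFC 5737) for contrast.
SAMPLE_LOG = """\
pd9009992.dip.t-dialin.net - - [22/Jan/2003:21:15:40 +0000] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1081
pd9009992.dip.t-dialin.net - - [22/Jan/2003:21:15:50 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1081
pd9009992.dip.t-dialin.net - - [22/Jan/2003:21:16:03 +0000] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 1008
192.0.2.10 - - [22/Jan/2003:21:17:00 +0000] "GET /index.html HTTP/1.1" 200 2326
"""

# Apache Common Log Format: host ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<size>\S+)$'
)

TRAVERSAL_RE = re.compile(r'\.\.[\\/]')   # "..\" or "../" after decoding
PAYLOADS = ('cmd.exe', 'root.exe')         # root.exe: Code Red II's copy of cmd.exe


def lax_utf8(raw: bytes) -> str:
    """Decode bytes the way the vulnerable IIS did: ASCII passes through, and a
    0xC0-0xDF lead byte plus the next byte is taken as a two-byte sequence with
    no check for an overlong form or a valid continuation byte. That is why
    %c0%af and %c0%2f both become '/', and %c1%9c and %c1%1c both become '\\'."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw):
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        elif b < 0x80:
            out.append(chr(b))
            i += 1
        else:
            out.append('\ufffd')  # other non-ASCII bytes are not modelled here
            i += 1
    return ''.join(out)


def normalize_path(path: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly until the string stops changing. One round
    turns %255c (or %%35%63, %25%35%63) into %5c; the next turns %5c into '\\'.
    The repeat models the IIS check-then-decode-again bug those encodings hit."""
    cur = path
    for _ in range(max_rounds):
        nxt = lax_utf8(unquote_to_bytes(cur))
        if nxt == cur:
            break
        cur = nxt
    return cur


def classify(path: str) -> Optional[str]:
    """Label a request path as a probe, or return None for a benign request."""
    decoded = normalize_path(path).lower()
    payload = any(p in decoded for p in PAYLOADS)
    traversal = TRAVERSAL_RE.search(decoded) is not None
    if payload and traversal:
        return 'traversal+cmd'
    if payload:
        return 'cmd'          # e.g. /scripts/root.exe?/c+dir needs no traversal
    if traversal:
        return 'traversal'
    return None


def summarize(log_text: str) -> dict:
    """Group probe hits by source host: host, first/last time and the status
    codes your server returned are what goes into an abuse report."""
    report = defaultdict(lambda: {'hits': 0, 'kinds': set(), 'statuses': set(),
                                  'first': None, 'last': None})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not CLF, skip rather than guess
        kind = classify(m['path'])
        if kind is None:
            continue
        r = report[m['host']]
        r['hits'] += 1
        r['kinds'].add(kind)
        r['statuses'].add(int(m['status']))
        r['first'] = r['first'] or m['time']
        r['last'] = m['time']
    return dict(report)


if __name__ == '__main__':
    for host, r in summarize(SAMPLE_LOG).items():
        print(f"{host}: {r['hits']} probe(s) {r['first']} .. {r['last']}, "
              f"kinds={sorted(r['kinds'])}, statuses={sorted(r['statuses'])}")
```

Two design points. The decoder is deliberately lax because the goal is to see what the attacker intended, not what your server did; a strict UTF-8 decoder rejects `%c0%af` and `%c1%1c`, which is exactly why a patched IIS or an Apache front end returns 404/400 for them. And the report is keyed on the source host because, as BB says, the useful action on these hits is to tell the owner of that host it is infected; the 404/400 status codes from your own server are evidence that the probe did not succeed here, not a sign that you are compromised.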


