Log entries in Webserver log from internal machine


Magueta
04-10-2003, 03:01 PM
Hey all,

I posted on this forum once about a bunch of entries in my Webserver error logs that were pretty much accepted as being due to other servers infected with Nimda or Code Red. Recently I've checked my logs and, as might be expected, I'm still being scanned, but I've found entries where my Linux server is being scanned in the same manner from a machine on my internal network. It happens to be the only Win2k machine on my entire network, but it is completely patched and IIS isn't running. I've scanned my Win2k machine for both of the "viruses" and both scans have come up negative.
Anyone know why there might be scans on my webserver from a machine that not only is running ZoneAlarm but is behind a router/firewall where there are only two ports open, and they're both forwarded to my Linux machine?

Joe

chrism01
04-10-2003, 07:41 PM
Joe, I seem to remember a good article on Nimda saying it was a smart virus inasmuch as it had several methods of infecting a machine, unlike the normal single-mode ones. It's possible it's still there, just not in the form you expect??
Try a Google on it. I could be wrong of course... ;)

baldguy
04-10-2003, 07:51 PM
does it have a cmd.exe, root.exe or toor.exe in the IIS tree?

Magueta
04-10-2003, 08:03 PM
Originally posted by baldguy
does it have a cmd.exe, root.exe or toor.exe in the IIS tree?

IIS isn't running on the Win2k machine.

Joe

baldguy
04-10-2003, 10:02 PM
Well, the only explanations I know of for getting those GET requests from a Windows box are infection by Nimda, Code Red, or one of the variants. If IIS isn't running, that leaves Nimda and variants. You might be the proud recipient of a new virus that will bring the Windows world to its knees (again). Either way, if you have a virus, then you should check to see if those files are present even if IIS isn't running.
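Log triage along the lines this thread describes, as an added example (not code from any of the posters): it parses Apache-style access-log lines, flags the cmd.exe and root.exe request paths baldguy mentions plus the well-known Code Red default.ida probe, and counts hits per RFC 1918 source address so the internal host sending them can be identified. The log lines are constructed samples, not the poster's real logs.

```python
import ipaddress
import re
from collections import Counter
# Apache/NCSA common log format: ip ident user [timestamp] "request" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WORM_MARKERS = {  # request-path fragments of the worm probes discussed in the thread
    "root.exe": "Nimda-style probe (root.exe backdoor left by Code Red II)",
    "cmd.exe": "Nimda-style probe (cmd.exe via directory traversal)",
    "default.ida": "Code Red-style probe (.ida overflow request)",
}

def classify(path):
    # Label the request path if it carries a known worm signature, else None.
    lowered = path.lower()
    return next((label for marker, label in WORM_MARKERS.items() if marker in lowered), None)

def parse_line(line):
    # Split one log line into source ip, request path and status; None if malformed.
    if not (m := LOG_RE.match(line)):
        return None
    _method, _, rest = m.group("req").partition(" ")
    return {"ip": m.group("ip"), "path": rest.split(" ")[0], "status": int(m.group("status"))}

def triage(lines):
    # Collect worm-signature hits and mark those coming from RFC 1918 (internal) addresses.
    hits = []
    for line in lines:
        rec = parse_line(line)
        label = classify(rec["path"]) if rec else None
        if label is None:
            continue
        try:
            internal = any(ipaddress.ip_address(rec["ip"]) in net for net in RFC1918)
        except ValueError:  # hostname rather than an address: treat as external
            internal = False
        hits.append({**rec, "label": label, "internal": internal})
    return hits

def internal_sources(hits):
    # Probe count per internal source ip: the hosts worth inspecting for infection.
    return Counter(h["ip"] for h in hits if h["internal"])

# Constructed sample lines (hypothetical, not from the poster's logs).
SAMPLE = [
    '192.168.1.20 - - [10/Apr/2003:14:52:01 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 289',
    '203.0.113.8 - - [10/Apr/2003:14:53:10 -0400] "GET /default.ida?NNNNNNNN%u9090 HTTP/1.0" 404 289',
    '198.51.100.7 - - [10/Apr/2003:14:54:22 -0400] "GET /index.html HTTP/1.1" 200 1043',
    '192.168.1.20 - - [10/Apr/2003:14:55:03 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289',
]
```

Running `internal_sources(triage(SAMPLE))` yields the internal hosts to inspect; a real run would feed the server's access log lines instead of SAMPLE.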

Magueta
04-10-2003, 10:28 PM
Wise advice; I'll keep my eyes peeled.
Thanks, Baldguy.

Joe