Stopping a worm?

By jbrewer
In my IIS logs, there are repeated GET commands looking for command.com and scripts/root.exe. At one point, there were also GETs that were trying to deface our webpage, which I tracked down as being the SADMIND/PoisonBox worm. These have stopped; just the continual attempts to get files remain. According to the SADMIND info, this worm comes in through port 80, which I can't shut down due to HTTP needing to be open. I've applied every patch, lockdown tool, update and fix on the OS, IIS and VirusScan I could find. And yet I still get these constant attempts. We have had no damage to any files that I know of; we're just suffering some slowdowns on the server. I'm new to webservers and worms and such, so I'd be very grateful for any help at all as to what I should do now. We've toyed with the idea of using another port instead of 80, but that would involve a great deal of work, including rewriting some code. Please Help!?!
Thanks, Jamie


Stopping a worm?

by TPrinzo In reply to Stopping a worm?

Not everyone is as thorough as you. It sounds like you are fine; the problem is someone else's server has the worm and is looking for an unprotected server to infect.

I was having the same problem. The offending IP was close to mine, so I contacted my ISP and had them track the owner down. I am sure there are others who can tell you more direct ways of finding them.

Hope that helps a little


Stopping a worm?

by jbrewer In reply to Stopping a worm?

Poster rated this answer


Stopping a worm?

by Joseph Moore In reply to Stopping a worm?

A useful strategy I use on web servers is to run NETSTAT from the command prompt. It is a standard network tool that comes with Windows. It will list all connections made to and from a Windows machine, including IP addresses and the ports they are using.
So, I would check over your IIS logs to see when the GET requests are going on. When they are, open a command prompt and type in NETSTAT.
Look for Established connections (it will say ESTABLISHED under the State column). These are the connections that are active right at that moment. Now, it sounds like you will need to weed out the valid connections to port 80, so it might take a little while of looking. Netstat does not run constantly. You would have to run it several times in a row, while looking at your IIS logs, to pinpoint the IP address and port connection at the exact time the IIS logs say the GET requests are going on.
You would then have the IP address of the machine(s) doing the GET.
With the IP, you can see if it is in your network, or somewhere else. If somebody else, you can try to look them up (do an NSLOOKUP on the IP address to get a domain name, then do a WHOIS lookup on the domain to get the Technical or Billing or Administrative contacts) and e-mail them.
Hope this helps.
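The log review described in the thread, as an added example that is not part of the original posts: a Python script that reads IIS W3C extended log lines (the sample below is constructed, not from the poster's server), takes the column layout from the `#Fields:` directive rather than hard-coding positions, decodes the request path, flags requests naming the files mentioned in the question (command.com and root.exe), and tallies them per client IP. The `c-ip` column gives the requesting address straight from the log, which is what you would hand to the owner's abuse or technical contact. Any flagged request answered with a 2xx status is listed separately, because that would mean the server actually served the file rather than returning 404. The pattern list is an assumption to extend with whatever your own logs show.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample of IIS W3C extended log lines (not from the original post).
# The #Fields directive tells us which column is which.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-09-19 00:00:01
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-19 00:00:01 192.0.2.10 GET /default.htm - 200
2001-09-19 00:00:03 198.51.100.7 GET /scripts/root.exe /c+dir 404
2001-09-19 00:00:03 198.51.100.7 GET /scripts/root.exe /c+dir 404
2001-09-19 00:00:09 203.0.113.42 GET /scripts/..%5c../winnt/system32/command.com /c+dir 404
2001-09-19 00:00:10 203.0.113.42 GET /scripts/root.exe /c+dir 404
2001-09-19 00:00:15 192.0.2.10 GET /images/logo.gif - 200
"""

# File names the thread identifies as worm probing (assumed list; extend as needed).
# Matched case-insensitively against the URL-decoded request path.
PROBE_PATTERNS = [re.compile(p, re.I) for p in (r"root\.exe", r"command\.com")]


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields line."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue  # other directives (#Software, #Date, ...) carry no request data
        if fields is None:
            raise ValueError("log line seen before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign the columns
        records.append(dict(zip(fields, values)))
    return records


def is_probe(record):
    """True when the decoded request path contains one of the probe file names."""
    stem = unquote(record.get("cs-uri-stem", ""))
    return any(p.search(stem) for p in PROBE_PATTERNS)


def summarize_probes(text):
    """Return (probe count per client IP, decoded paths per client IP,
    list of probe records the server answered with a 2xx status)."""
    hits = Counter()
    paths = defaultdict(set)
    succeeded = []
    for rec in parse_w3c(text):
        if not is_probe(rec):
            continue
        ip = rec.get("c-ip", "?")
        hits[ip] += 1
        paths[ip].add(unquote(rec["cs-uri-stem"]))
        if rec.get("sc-status", "").startswith("2"):
            succeeded.append(rec)  # served, not refused: worth investigating
    return hits, dict(paths), succeeded


if __name__ == "__main__":
    hits, paths, succeeded = summarize_probes(SAMPLE_LOG)
    for ip, n in hits.most_common():
        print(f"{ip}: {n} probe(s) -> {sorted(paths[ip])}")
    print("probes answered with 2xx:", len(succeeded))
```

Run it against a real log by reading the file into the `text` argument instead of `SAMPLE_LOG`; because the column names come from `#Fields:`, the script copes with logs whose administrators enabled a different set of fields, as long as `c-ip`, `cs-uri-stem` and `sc-status` are among them.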


Stopping a worm?

by jbrewer In reply to Stopping a worm?

Poster rated this answer


Stopping a worm?

by jbrewer In reply to Stopping a worm?

This question was closed by the author
