Installed IIS 4.0 and now have Nimda virus 2

Status
Not open for further replies.

joepalm

I have just installed IIS 4.0 on my NT Server; within a few hours the Nimda virus has attacked our Server. We have shut down all Servers and Workstations and cleaned out the virus.

I am now too scared to start IIS again. We run SP 6.0; any advice much appreciated.

THANKS

Tony
 
Assuming your network is clean (you've killed Nimda, removed all its traces from all machines with antivirus software or special-purpose cleaners):


If at all possible, install IIS not on c:, especially the default web site and any other virtual web servers you create. The directory traversal hacks don't work well across drive letters.

Also, when installing IIS, do not allow it to install the sample code. There are some security holes in there, too.

Install the "August 15th" security patch set for IIS:

If you have any machines in your network which are running any version 5 of IE less than IE 5.5SP2, install this patch on them:
______________________________________________________________________
TANSTAAFL!
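
Added example (not part of the original thread): a Python sketch of why moving the web root off C: blunts directory traversal, using Windows path rules from `ntpath`. `..` segments can climb out of the web root but cannot change the drive letter. The web-root paths, the request strings and `SYSTEM_DRIVE` are constructed assumptions.

```python
import ntpath  # Windows path semantics, usable on any OS

SYSTEM_DRIVE = "C:"  # assumption: NT system files live on C:, as in the thread


def resolve(web_root, requested):
    """Resolve a request path against web_root the way a naive server would."""
    relative = requested.replace("/", "\\").lstrip("\\")
    return ntpath.normpath(ntpath.join(web_root, relative))


def inside_root(web_root, resolved):
    """Containment check: True only if resolved stays under web_root."""
    root = ntpath.normcase(ntpath.normpath(web_root)).rstrip("\\")
    target = ntpath.normcase(resolved)
    return target == root or target.startswith(root + "\\")


def assess(web_root, requested):
    """Return (resolved path, escaped the root?, landed on the system drive?)."""
    resolved = resolve(web_root, requested)
    escaped = not inside_root(web_root, resolved)
    drive = ntpath.splitdrive(resolved)[0].upper()
    return resolved, escaped, escaped and drive == SYSTEM_DRIVE


if __name__ == "__main__":
    # Constructed sample requests, not taken from real logs.
    requests = ["/default.htm", "/../../winnt/win.ini"]
    for root in (r"C:\InetPub\wwwroot", r"D:\InetPub\wwwroot"):
        for req in requests:
            path, escaped, on_system = assess(root, req)
            print(f"{root:22} {req:24} -> {path:32} "
                  f"escaped={escaped} system_drive={on_system}")
```

With the root on D:, the same request still escapes the web root but resolves to a path on D:, away from the system files; relocation narrows what is reachable and does not replace the containment check or the patches.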
 
Thanks for your reply. I will re-install next week, and wait for things to settle down.

Thanks
 
No prob.

What happened to you also happened to a Network World lab machine during the worst of the Nimda outbreak last year. The worm infected their machine during the 25 minutes it took for their machine to download the patch to prevent the worm.

If you can blow out the hard-drive on the server, I recommend you do so.

Also, download those patches from a machine which does not have IIS installed on it, then transfer the files to the IIS box. If you can arrange it, keep the IIS machine disconnected from any network until that security rollup patch is on it -- transfer the patch to the server by CD-ROM if necessary.

Also, some of the links in my post aren't working. Here's a stab at an improved link for the IIS security rollup patch:
______________________________________________________________________
TANSTAAFL!
 
By "blow out" do you mean format?

Thanks
 
OK, these are the steps I am going to take to re-install IIS 4.0 on my NT Server.

1. Remove previous IIS installation.

2. Download patches from a non-IIS computer.

3. Disconnect proposed IIS computer from network.

4. Install IIS on any other drive letter except C:

5. Do not install any sample code (not sure how to stop this).

6. Install downloaded patches.

7. Start IIS Services.

Thanks

Tony
 
What u listed sounds about right but I would skip installing IIS on another drive if u REALLY want it on c (if not then go ahead and put it somewhere else). Just remember to isolate it when it's not patched up yet. Good luck.

T
 
Have you ever thought about using host headers to prevent viruses like the code red worm from getting into ur servers with or w/o MS's patch?

T
 
How do I use host headers to prevent viruses?

Thanks
 