
iis security : iis and w32.nimda.A@mm (dr)


alec pringle
7/11/2003 6:31:52 PM
I need some help please. After I reinstalled IIS there is
a process that creates files (tftpxxxx, where x is a
random number). As these files are created Norton detects
them and deletes them with a warning message for each
(probably 100 times a day). This process kicks off
randomly as far as I can tell. The files are created
in /Inetpub/Scripts/.

I can see the process (tftp.exe) start using Task
Manager. Sometimes there will be 7 or 8 of these
processes running, each creating a new file that Norton
flags. I have deleted tftp.exe from /winnt/system32, but
each time I reboot, it is recreated somehow.

I downloaded a tool from Norton to remove this virus, but
it only removes the infected tftpxxxx file, not WHATEVER IS
CREATING THEM.

If I remove IIS, it goes away, but I need it.
ANY SUGGESTIONS?

Thanks

Karl Levinson [x y] mvp
7/12/2003 4:16:36 PM
Write down the exact virus name being reported, look up the virus at
www.sarc.com in the virus database and see what vulnerability allows it to
get onto your system and . No doubt you are missing lots of patches [see
www.windowsupdate.com to get the latest patches in one shot] and also have
not chosen the correct configuration for your computer to secure it [see
www.microsoft.com/technet/security for the baseline hardening checklists for
starters, followed by http://securityadmin.info/faq.htm#harden for other
things you might want to do].

Those single use tools you downloaded are behaving exactly as expected.
They offer absolutely zero protection against immediate reinfection. If your
antivirus isn't protecting you against a virus, you need to figure out why
and get it working, not go to a workaround.

