What virus could this be on my server?
What virus could this be on my server? - 24.Dec.2001 9:33:00 PM
Jazzguy
Posts: 17
Joined: 4.Apr.2001
From: New York, NY, USA
Status: offline
In a momentary lapse of security (20 minutes long) where I allowed all access through my ISA server, it was infected by Nimda (codered) virus. I verified this was the infection using Norton Antivirus Corporate Edition. I used a Symantec specific cleaning tool to remove the virus. Now, I have a curious situation where Norton does not report any viruses to be found, but I think there is still one, or else a hacker has access to my network. I noticed that my external bandwidth was being used a lot. Then went to the ISA session monitoring screen, and found that there was a session named "anonymous" using the web proxy service. All my internal users have to log in by username, and they all have the firewall client installed on their machines. The source address of this "anonymous" client is 127.0.0.1, the internal loopback. I try aborting the session, but it reappears in 10 minutes. Could this be a virus that is using the loopback IP to attack computers on the outside? Or would a function of some other aspect of Exchange Server or Exchange Conferencing Server, which I am also running, display this behavior? Thanks and happy holidays to all.
RE: What virus could this be on my server? - 26.Dec.2001 9:42:00 PM
tshinder
Posts: 47668
Joined: 10.Jan.2001
From: Texas
Status: online
Hi JG,

IIRC, if you get infected by NIMDA or code red, you should wipe the machine completely and start over with a good backup. You can use Network Monitor on the ISA Server machine to see where the traffic is going to. That should give you the information you need to determine what the source and destination of these packets are.

HTH,
Tom

------------------
http://www.isaserver.org/shinder/
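
A complementary check to the Network Monitor capture suggested above, added here as an example and not part of the original thread: tally where the "anonymous" 127.0.0.1 web proxy session is sending requests, using a proxy log in W3C extended format. The field names (`c-ip`, `cs-username`, `r-host`, `r-port`, `cs-bytes`) and the sample lines are assumptions constructed for illustration; match them to the `#Fields:` header of your own log.

```python
from collections import defaultdict

# Constructed sample log (tab-separated W3C extended format); not real data.
SAMPLE_LOG = "\n".join([
    "#Software: constructed sample",
    "#Fields: c-ip\tcs-username\tdate\ttime\tr-host\tr-port\tcs-bytes\tsc-bytes",
    "192.168.1.20\tCORP\\alice\t2001-12-24\t21:01:10\twww.example.com\t80\t310\t15200",
    "127.0.0.1\tanonymous\t2001-12-24\t21:02:00\t198.51.100.7\t80\t4096\t220",
    "127.0.0.1\tanonymous\t2001-12-24\t21:02:01\t198.51.100.7\t80\t4100\t-",
    "127.0.0.1\tanonymous\t2001-12-24\t21:02:05\t203.0.113.9\t80\t512\t180",
    "192.168.1.21\tanonymous\t2001-12-24\t21:03:00\t203.0.113.9\t80\t100\t100",
    "127.0.0.1\tanonymous\ttruncated line",
])

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def to_int(value):
    """W3C logs write '-' for an empty field; count it as zero."""
    return int(value) if value.isdigit() else 0

def loopback_anonymous_destinations(text):
    """Return (host, port, requests, bytes_sent) for requests that came from
    127.0.0.1 with the username 'anonymous', largest upload first."""
    totals = defaultdict(lambda: [0, 0])
    for rec in parse_w3c(text):
        if rec.get("c-ip") != "127.0.0.1":
            continue
        if rec.get("cs-username", "").lower() != "anonymous":
            continue
        key = (rec.get("r-host", "-"), rec.get("r-port", "-"))
        totals[key][0] += 1
        totals[key][1] += to_int(rec.get("cs-bytes", "-"))
    rows = [(h, p, n, b) for (h, p), (n, b) in totals.items()]
    return sorted(rows, key=lambda r: (-r[3], r[0]))

if __name__ == "__main__":
    for host, port, requests, sent in loopback_anonymous_destinations(SAMPLE_LOG):
        print(f"{host}:{port}  requests={requests}  bytes_sent={sent}")
```

Many distinct external hosts on port 80 with small, repetitive requests would point to something on the server itself generating the traffic, which is what the packet capture should then confirm.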