October 12th, 2002, 07:12 AM
Windows 2000 running IIS- A lesson
I'm using a 2000 Prof. with NAV right now. What I want to talk about goes back about 3 to 4 weeks ago, when I got my computer back from a technician.
My NAV picked up something and a message appeared on my screen saying that a file was being infected with Nimda in one of the IIS files that I didn't know I had. I got the alert a second time and I started thinking about what was wrong. I went to CMD and ran netstat, then I saw two IPs connected through a high port. I immediately shut the internet down (and believe it or not, I was on a 56k), then read my NAV logs. I saw that "access to the file was denied" and saw IUSR_STUDENT logged on trying to infect me. Also, I saw that they were connected through another account that was made for anonymous internet connections to my box. I ran my computer without checking to see what accounts were on the list. Then, I ran NAV and it cleaned the infection.
*Not everything that goes bad ends bad.
Lesson - Before you go on the internet after you get your computer back from a technician, always check the settings.
#2 - Even if you're on a 56, be very cautious.
#3 - Don't just "set and forget" programs, OSes and anything that has configuration settings.
#4 - If you're running IIS, be sure to set strong passwords, disable any accounts and patch your system immediately. <<And why I say that is because this happened just a week after I got my box fixed.>>
Since a lot of the members here use 2000 (probably), I'd suggest putting a tight security configuration in place even if you're only a home user.