My IIS log files show traces of a Nimda-like virus. Am I still infected?
My IIS log files show traces of a Nimda like virus: GET /scripts/%5 etc.
I have the current patches installed and my virus protection is up-to-date. I have even run the fix tools for Nimda and Code Red. Still the
entries in the log files appear. Can you help me get rid of these?
These requests are normal, and occur regardless of whether you are
vulnerable. In fact, you'll see those requests even if your Web server
is running Linux and Apache. So, there's no reason to be alarmed. I
still see about 1200 attacks per day on my personal Web server. Attacks
on my Web site can be viewed here, if you're curious:
One way to secure your site *and* remove the requests from the log is to
install Microsoft's URLScan utility, available here:
I highly recommend installing URLScan--it's an excellent way to prevent
infection by future worms and viruses.
This was first published in October 2001