Nimda can infect through shares.  One of our internal development websites
(no outside access allowed per firewall rules) was hit through a D: drive
share.  It had us puzzled as well.  It was patched and had no firewall
access.

I'm still piecing it together, but this is what I believe happened.  A
'weak' public web server was online and part of our domain.  It was not
patched for the directory traversal exploit.  It was infected with NIMDA.
Someone later logged into that particular machine with domain admin rights.
The virus then propagated to all shares on the network which allowed domain
rights.

Moral of the story for our group:  don't trust any machines for which we are
not specifically responsible.  I think the patch is from Dec 2000, although
the 'cumulative' patch from Aug 2001 includes it.  Eh, go figure.

A couple of good practices helped isolate the damage.  The OS is parked on
C:, which is not shared.  All templates are on D:.  As it turns out, we had a
ton of .eml files littered throughout the D: drive, but no DLL mods on C:
nor any of the registry entries CERT listed.  A simple restore on D: and a
good packet sniffer are all we have done for now.  And of course we stripped
rights to the D: share down to the bone.

There was a debate on this mailing list on partitioning/not partitioning.
I'd chalk this up to a pretty hefty partitioning pro.
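As an added illustration of the triage described above (not code from the original post): a sweep that walks a share root, tallies the .eml litter per directory, and records the earliest timestamp, which bounds when the worm reached the share. The share layout and file names are constructed sample data.

```python
"""Triage sweep for a share hit by a Nimda-style worm (added example).
Tallies .eml litter per directory under a share root; the layout it
scans below is constructed sample data, not a real box."""
import os
import tempfile
from collections import Counter
from dataclasses import dataclass, field
from pathlib import Path
from typing import Optional


@dataclass
class SweepResult:
    total: int = 0
    per_dir: Counter = field(default_factory=Counter)   # dir -> .eml count
    earliest: Optional[float] = None                    # mtime of first drop


def sweep_share(root: str, suffix: str = ".eml") -> SweepResult:
    """Count files ending in `suffix` under root, grouped by directory."""
    res = SweepResult()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(suffix):   # case-insensitive, as on NTFS
                continue
            res.total += 1
            res.per_dir[os.path.relpath(dirpath, root)] += 1
            mtime = os.path.getmtime(os.path.join(dirpath, name))
            if res.earliest is None or mtime < res.earliest:
                res.earliest = mtime
    return res


def build_sample_share() -> str:
    """Constructed D: share: ColdFusion templates plus worm-style .eml litter."""
    root = tempfile.mkdtemp(prefix="d_share_")
    layout = {
        "templates/index.cfm": "<cfoutput>hello</cfoutput>",
        "templates/readme.eml": "MIME-Version: 1.0",        # constructed litter
        "templates/img/README.EML": "MIME-Version: 1.0",    # case differs on purpose
        "inetpub/wwwroot/readme.eml": "MIME-Version: 1.0",
    }
    for rel, body in layout.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return root
```

Point `sweep_share` at the restored share afterwards: a clean result is the check that the restore actually took.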

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Friday, September 21, 2001 6:37 AM
> To: CF-Talk
> Subject: RE: RE: Code Red backdoor triggered?
> 
> 
> Our people who are supposed to be maintaining the server swear all patches
> were in place and we still got hit.  Can you please tell me exactly which
> patch you are referring to?  I don't manage the box, but I sure as hell
> suffer if no one else does, either.  I would like to follow up on this on
> this end.  Thanks!
> 
> JoAnn A. Schlosser
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists