RE: Is there any way to know for sure? More Nimda stuff.

2001-09-21 Thread Kevin Lundy

Could this be a Win2k server with an open Terminal Service session?

You can look through the IIS logs for successful (200) hits to root or cmd.

-Original Message-
From: Jay Woody [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 21, 2001 2:40 PM
To: NT System Admin Issues
Subject: Is there any way to know for sure? More Nimda stuff.


Maybe I am being paranoid.  I have a server that the eeye scanner says is
not vulnerable, I don't see any .eml files on it and when I scan for files
changed since the 18th, there are no .exes.  However, when I look at the
task list, it shows 2 CMD.EXEs open.  I have one open but not two.  Am I
being weird here?  The second CMD.EXE un-nerves me, but I can't find any
other sign of infection.  Is there any one, sure fire way to KNOW that the
box has been hit?  Is there one registry entry or file or something that the
virus ALWAYS does so I can see if the box is hit?

I am thinking about re-building it, just in case, but if I can leave it up,
I would obviously prefer that.  Any ideas?

JayW


http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
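The IIS log check suggested in the reply above, as an added example that is not part of the original thread. It assumes W3C extended log format and reads "root or cmd" as requests for root.exe or cmd.exe; the sample log lines and addresses are constructed.

```python
import re

# Assumption: "hits to root or cmd" means a request path ending in
# root.exe or cmd.exe. The thread does not spell the file names out.
TARGET = re.compile(r"(?:^|[/\\])(?:root|cmd)\.exe$", re.IGNORECASE)

# Constructed sample. Note the second #Fields line: IIS rewrites the header
# when logging restarts, and the column set can change mid-file.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 13:02:11 192.0.2.10 GET /default.htm - 200
2001-09-18 13:05:40 198.51.100.7 GET /scripts/root.exe /c+dir 404
2001-09-18 13:05:41 198.51.100.8 GET /scripts/root.exe /c+dir 200
#Fields: time c-ip cs-uri-stem sc-status
13:09:02 198.51.100.9 /MSADC/Root.exe 200
13:09:05 192.0.2.10 /images/cmd.exe.gif 200
13:09:07 198.51.100.9 /MSADC/Root.exe
"""

def successful_shell_hits(lines):
    """Return (date, time, client_ip, uri_stem) for each request to
    root.exe or cmd.exe that the server answered with status 200."""
    fields, hits = [], []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            # Re-read the column layout every time the directive appears.
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed entry, cannot be trusted
        rec = dict(zip(fields, parts))
        stem = rec.get("cs-uri-stem", "")
        if rec.get("sc-status") == "200" and TARGET.search(stem):
            hits.append((rec.get("date", "-"), rec.get("time", "-"),
                         rec.get("c-ip", "-"), stem))
    return hits

if __name__ == "__main__":
    for hit in successful_shell_hits(SAMPLE_LOG.splitlines()):
        print(*hit)
```

A 404 on the same path means the request was only a probe; the 200 rows are the ones that call for a closer look at the server.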





RE: Is there any way to know for sure? More Nimda stuff.

2001-09-21 Thread Clark, Steve

What does the guest account look like?

Steve Clark
Clark Systems Support, LLC
AVIEN Charter Member
www.clarksupport.com
301-610-9584 voice
240-465-0323 Efax

-Original Message-
From: Jay Woody [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 21, 2001 2:40 PM
To: NT System Admin Issues
Subject: Is there any way to know for sure? More Nimda stuff.

Maybe I am being paranoid.  I have a server that the eeye scanner says is
not vulnerable, I don't see any .eml files on it and when I scan for files
changed since the 18th, there are no .exes.  However, when I look at the
task list, it shows 2 CMD.EXEs open.  I have one open but not two.  Am I
being weird here?  The second CMD.EXE un-nerves me, but I can't find any
other sign of infection.  Is there any one, sure fire way to KNOW that the
box has been hit?  Is there one registry entry or file or something that the
virus ALWAYS does so I can see if the box is hit?

I am thinking about re-building it, just in case, but if I can leave it up,
I would obviously prefer that.  Any ideas?

JayW






RE: Is there any way to know for sure? More Nimda stuff.

2001-09-21 Thread Martin Blackstone

Both Trend and Symantec have a Nimda cleaner. You may want to run that.
Then do a virus scan.

-Original Message-
From: Jay Woody [mailto:[EMAIL PROTECTED]] 
Sent: Friday, September 21, 2001 11:40 AM
To: NT System Admin Issues
Subject: Is there any way to know for sure? More Nimda stuff.


Maybe I am being paranoid.  I have a server that the eeye scanner says
is not vulnerable, I don't see any .eml files on it and when I scan for
files changed since the 18th, there are no .exes.  However, when I look
at the task list, it shows 2 CMD.EXEs open.  I have one open but not
two.  Am I being weird here?  The second CMD.EXE un-nerves me, but I
can't find any other sign of infection.  Is there any one, sure fire
way to KNOW that the box has been hit?  Is there one registry entry or
file or something that the virus ALWAYS does so I can see if the box is
hit?

I am thinking about re-building it, just in case, but if I can leave it
up, I would obviously prefer that.  Any ideas?

JayW






RE: Is there any way to know for sure? More Nimda stuff.

2001-09-21 Thread Sullivan, Glenn

It looks like a little guy's head, with grey skin, black hair, and a light
blue shirt, but so does everyone else's account...

(sorry, I couldn't resist.  And it's Friday...)

Glenn Sullivan, MCSE+I  MCDBA
David Clark Company Inc.


-Original Message-
From: Clark, Steve [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 21, 2001 2:44 PM
To: NT System Admin Issues
Subject: RE: Is there any way to know for sure? More Nimda stuff.


What does the guest account look like?

Steve Clark
Clark Systems Support, LLC
AVIEN Charter Member
www.clarksupport.com
301-610-9584 voice
240-465-0323 Efax

-Original Message-
From: Jay Woody [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 21, 2001 2:40 PM
To: NT System Admin Issues
Subject: Is there any way to know for sure? More Nimda stuff.

Maybe I am being paranoid.  I have a server that the eeye scanner says is
not vulnerable, I don't see any .eml files on it and when I scan for files
changed since the 18th, there are no .exes.  However, when I look at the
task list, it shows 2 CMD.EXEs open.  I have one open but not two.  Am I
being weird here?  The second CMD.EXE un-nerves me, but I can't find any
other sign of infection.  Is there any one, sure fire way to KNOW that the
box has been hit?  Is there one registry entry or file or something that the
virus ALWAYS does so I can see if the box is hit?

I am thinking about re-building it, just in case, but if I can leave it up,
I would obviously prefer that.  Any ideas?

JayW






RE: Is there any way to know for sure? More Nimda stuff.

2001-09-21 Thread Clark, Steve

Great.

Steve Clark
Clark Systems Support, LLC
AVIEN Charter Member
Who's watching your network?
www.clarksupport.com
301-610-9584 voice
240-465-0323 Efax

-Original Message-
From: Sullivan, Glenn [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 21, 2001 2:53 PM
To: NT System Admin Issues
Subject: RE: Is there any way to know for sure? More Nimda stuff.

It looks like a little guy's head, with grey skin, black hair, and a light
blue shirt, but so does everyone else's account...

(sorry, I couldn't resist.  And it's Friday...)

Glenn Sullivan, MCSE+I  MCDBA
David Clark Company Inc.


-Original Message-
From: Clark, Steve [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 21, 2001 2:44 PM
To: NT System Admin Issues
Subject: RE: Is there any way to know for sure? More Nimda stuff.


What does the guest account look like?

Steve Clark
Clark Systems Support, LLC
AVIEN Charter Member
www.clarksupport.com
301-610-9584 voice
240-465-0323 Efax

-Original Message-
From: Jay Woody [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 21, 2001 2:40 PM
To: NT System Admin Issues
Subject: Is there any way to know for sure? More Nimda stuff.

Maybe I am being paranoid.  I have a server that the eeye scanner says is
not vulnerable, I don't see any .eml files on it and when I scan for files
changed since the 18th, there are no .exes.  However, when I look at the
task list, it shows 2 CMD.EXEs open.  I have one open but not two.  Am I
being weird here?  The second CMD.EXE un-nerves me, but I can't find any
other sign of infection.  Is there any one, sure fire way to KNOW that the
box has been hit?  Is there one registry entry or file or something that the
virus ALWAYS does so I can see if the box is hit?

I am thinking about re-building it, just in case, but if I can leave it up,
I would obviously prefer that.  Any ideas?

JayW






RE: Is there any way to know for sure? More Nimda stuff.

2001-09-21 Thread Martin Blackstone

ROFL. Good one!

-Original Message-
From: Sullivan, Glenn [mailto:[EMAIL PROTECTED]] 
Sent: Friday, September 21, 2001 11:53 AM
To: NT System Admin Issues
Subject: RE: Is there any way to know for sure? More Nimda stuff.


It looks like a little guy's head, with grey skin, black hair, and a
light blue shirt, but so does everyone else's account...

(sorry, I couldn't resist.  And it's Friday...)

Glenn Sullivan, MCSE+I  MCDBA
David Clark Company Inc.


-Original Message-
From: Clark, Steve [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 21, 2001 2:44 PM
To: NT System Admin Issues
Subject: RE: Is there any way to know for sure? More Nimda stuff.


What does the guest account look like?

Steve Clark
Clark Systems Support, LLC
AVIEN Charter Member
www.clarksupport.com
301-610-9584 voice
240-465-0323 Efax

-Original Message-
From: Jay Woody [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 21, 2001 2:40 PM
To: NT System Admin Issues
Subject: Is there any way to know for sure? More Nimda stuff.

Maybe I am being paranoid.  I have a server that the eeye scanner says
is not vulnerable, I don't see any .eml files on it and when I scan for
files changed since the 18th, there are no .exes.  However, when I look
at the task list, it shows 2 CMD.EXEs open.  I have one open but not
two.  Am I being weird here?  The second CMD.EXE un-nerves me, but I
can't find any other sign of infection.  Is there any one, sure fire
way to KNOW that the box has been hit?  Is there one registry entry or
file or something that the virus ALWAYS does so I can see if the box is
hit?

I am thinking about re-building it, just in case, but if I can leave it
up, I would obviously prefer that.  Any ideas?

JayW

