Symantec also provides a 'removal tool' which may help.  They also have a fairly 
extensive list of what Nimda does and you can then manually remove anything the 
automated tool may have missed.  I would also suggest that you review your COMPLETE 
security policies and holes by running a tool such as NESSUS.  You may find it 
eye-opening.
 
Sincerely,
 
Philip Bardaville
UNIX Network Engineer
GLTG

        -----Original Message----- 
        From: Javier Otero [mailto:[EMAIL PROTECTED]] 
        Sent: Fri 4/19/2002 12:09 PM 
        To: [EMAIL PROTECTED]; [EMAIL PROTECTED] 
        Cc: 
        Subject: RE: nimda fun in linux/win2k network
        
        

        Go to www.antivirus.com and use the free scan.
        
        Javier Otero
        Grupo Smartekh
        Antivirus Expertos
        Business Continuity
        Inftegrity
        Research and Development
        5243-4782/83/84
        México, D.F.
        
        
        -----Original Message-----
        From: joe vano [mailto:[EMAIL PROTECTED]]
        Sent: Thursday, April 18, 2002 12:30
        To: [EMAIL PROTECTED]
        Subject: nimda fun in linux/win2k network
        
        
        Okay, here's the deal:
        
        My boss set up a win NT box with IIS running on it to do work for a
        customer.  Now my boss is an excellent programmer and knows his way around
        linux, but Windows eludes him.  Within 24 hours of the NT box's
        installation, Nimda.E is everywhere on the network.  We didn't have a good
        AV solution because it's never been a problem before.
        
        We run linux file servers and Win2k Pro desktops (for the business guys).
        Of course, Nimda.E doesn't bother the linux servers one iota, but it played
        havoc w/ the windows boxes.  We have the desktops cleared up by using Norton
        AV. 
        
        Now to the real problem:
        
        The desktops are cleared and protected now, but the file server space keeps
        getting chewed up by copies of the worm.  Also, having an uncontained worm
        on the file servers is no good for my sleeping habits.  How the heck can I
        get Nimda off my fileserver?
        
        I've tried to scan and clear the windows-mountable shares by running Norton
        AV 2001 on my win2k desktop, but I can't seem to quarantine or delete any of
        the thousands of infected files.  I'm thinking I might try to rm -rf *.eml
        from the root directory, but a nagging doubt is telling me that this might
        be a bad thing.  A) It might delete perfectly good files B) Only most of the
        infected files are .eml; some are infected .exe
        
        If you're still reading by this point, I need some more advice if you are
        willing to impart it:  One of my other bosses has already given me the
        go-ahead to get quotes for Norton Anti-virus Corporate 7.6.  Now, this is
        all well and good.  It will PROBABLY keep this fiasco from happening again
        (along w/ no IIS on a public IP in the office), but what if it does?  Does
        anyone know if NAV corporate can handle file servers running under linux
        that are Windows mountable?  I'm going to call Symantec about it, but
        they'll surely pump me full of sunshine and send me on my merry way.
        
        Thanks for your patience.  I eagerly await your reply.
        
        Sincerely Yours,
        A glorified desktop support tech pretending he's a sys admin
        
        


