Re: Help with Nimda.E?

From: Zlatko Ignjatovic (klajaat_private)
Date: Thu Nov 01 2001 - 00:14:41 PST


    I also had a similar situation (less workstations infected, though). First,
    try to patch all the machines, with the help of the hotfix scanning tool from
    Shavlik/Microsoft:
    
    http://download.microsoft.com/download/win2000platform/Utility/3.2/NT45/EN-US/nshc32.exe
    
    Then you should try nimdascn.exe from McAfee (this is the only one that
    completely cleaned my machines):
    
    http://www.mcafeeb2b.com/naicommon/avert/avert-research-center/tools.asp#NimdaScn
    
    This combination helped me, can't say it's 100% the best, but it's worth a
    try.
    
    Wish you luck,
        Zlatko Ignjatovic
        Sys/Net Admin for Anox Software
    
    ----- Original Message -----
    From: "Matt Beck" <Mbeckat_private>
    To: <incidentsat_private>
    Sent: Wednesday, October 31, 2001 8:29 PM
    Subject: Help with Nimda.E?
    
    
    > Hello all,
    >
    > I haven't determined how yet, but one system on my dmz was unpatched.  Of
    > course, it got hit by Nimda.e.  This new variant is now propagating like
    > mad through the shares.
    >
    > Given the nature of the environment, I am having trouble containing and
    > removing it.  Any suggestions?  I have 50+ NT/2k servers on the dmz LAN.
    > There is a master domain that all other domains trust.  Servers in each
    > domain require shares to function.  Permissions are highly entangled.  All
    > servers (but one apparently) are patched against the IIS vulnerability,
    > but the shares remain open.
    >
    > I have tried Symantec's new scanner and the web A/V tool at antivirus.com,
    > but neither seem to get it all.  As soon as someone logs in to the "clean"
    > box, snort detects outbound attacks.  I am shutting down all non-essential
    > systems, but some are going to have to keep running.
    >
    > Please contact me off list for more details or on list with solutions.
    >
    > Thanks,
    > Matt
    >
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
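Added example (not part of either message in this thread): Matt's problem is finding which of 50+ servers are still infected when the AV tools miss some and the only signal is snort seeing outbound attacks. Nimda announces itself on the wire, so the web servers' own IIS logs are a second, independent source: every infected host sweeps its neighbours with the same set of requests for root.exe (the Code Red II backdoor) and for cmd.exe via directory traversal or the C$/D$ share aliases, all with the query /c+dir. The script below parses an IIS W3C extended log, flags those probes and counts them per client address, so the hosts that need to be pulled off the DMZ LAN can be listed from the logs of any server they touched. The probe patterns are the author's summary of the documented Nimda probe set (CERT CA-2001-26), not something stated on this page; the log lines in the script are constructed sample data, and the threshold of three hits is an assumption chosen to separate the worm's multi-request sweep from a single stray request.

```python
import re
from collections import Counter

# Stems Nimda's IIS probes end in: the root.exe backdoor left by Code Red II,
# or cmd.exe reached through traversal (..%255c.., ..%c1%1c.., ...) or the
# /c and /d virtual directories mapping to C$ and D$. The query is always
# /c+dir. Author's summary of the documented Nimda probe set, not from the
# thread above; IIS may log the traversal partly decoded, which is why the
# match is on the final file name rather than the exact path.
PROBE_STEM = re.compile(r"(root\.exe|cmd\.exe)$", re.IGNORECASE)
PROBE_QUERY = re.compile(r"^/c\+dir$", re.IGNORECASE)


def parse_w3c(lines):
    """Yield one dict per record of an IIS W3C extended log.

    The '#Fields:' directive names the columns, so the parser does not
    assume a fixed column order (IIS lets the admin pick the fields).
    """
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives: #Software, #Version, #Date
        if fields is None:
            raise ValueError("log record before any #Fields: directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed record: skip, do not crash
        yield dict(zip(fields, values))


def is_nimda_probe(rec):
    """True when the record looks like one request of the Nimda sweep."""
    stem = rec.get("cs-uri-stem", "")
    query = rec.get("cs-uri-query", "-")
    return bool(PROBE_STEM.search(stem)) and bool(PROBE_QUERY.match(query))


def infected_sources(lines, threshold=3):
    """Return {client_ip: probe_count} for clients at or above `threshold`.

    One hit can be a scanner or an admin poking at cmd.exe by hand; a burst
    of them from one address is the worm's sweep (assumed cut-off: 3).
    """
    counts = Counter()
    for rec in parse_w3c(lines):
        if is_nimda_probe(rec):
            counts[rec["c-ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample log: 10.0.0.17 runs the sweep, 10.0.0.23 is a normal
# client, 10.0.0.42 sends a single probe (below the assumed threshold).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-10-31 20:29:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-10-31 20:29:01 10.0.0.17 GET /scripts/root.exe /c+dir 404
2001-10-31 20:29:01 10.0.0.17 GET /MSADC/root.exe /c+dir 404
2001-10-31 20:29:01 10.0.0.17 GET /c/winnt/system32/cmd.exe /c+dir 404
2001-10-31 20:29:02 10.0.0.17 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404
2001-10-31 20:29:05 10.0.0.23 GET /default.htm - 200
2001-10-31 20:29:07 10.0.0.42 GET /scripts/root.exe /c+dir 404
"""


if __name__ == "__main__":
    # Real use: python nimda_sources.py < ex011031.log
    import sys
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for ip, n in sorted(infected_sources(source).items(), key=lambda kv: -kv[1]):
        print(f"{ip}\t{n} Nimda probes")
```

Run it against each web server's current log file and union the results; a host that appears in any of them is still running the worm regardless of what the AV scanner reported, which addresses the "clean box starts attacking as soon as someone logs in" symptom in the original message by measuring the attack traffic rather than the on-disk state.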
    



    This archive was generated by hypermail 2b30 : Thu Nov 01 2001 - 08:37:20 PST