FW: Help with Nimda.E?

From: Matt Beck (Mbeckat_private)
Date: Thu Nov 01 2001 - 08:56:29 PST

Next message: H C: "Posting to Incidents list, was: Re: Help with Nimda.E?"

Previous message: mstevensonat_private: "Strange kernel happenings"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello list,

Sorry to reply to my own message but I wanted to publicly thank all of you
that gave me advice and add an interesting note.  You were very helpful.

Also, I located the source of the breach.  It turns out that the first
system hit had Code Red II on it.  (Apparently it was not properly cleaned
when we went through that problem.)  It then got compromised by the new
Nimda and, well...

So once again, my thanks to those of you that replied with help.  I'm very
appreciative.

Good luck,
	Matt

-----Original Message-----
From: Matt Beck [mailto:Mbeckat_private]
Sent: Wednesday, October 31, 2001 1:30 PM
To: 'incidentsat_private'
Subject: Help with Nimda.E?


Hello all,

I haven't determined how yet, but one system on my dmz was unpatched.  Of
course, it got hit by Nimda.e.  This new variant is now propagating like mad
through the shares.

Given the nature of the environment, I am having trouble containing and
removing it.  Any suggestions?  I have 50+ NT/2k servers on the dmz LAN.
There is a master domain that all other domains trust.  Servers in each
domain require shares to function.  Permissions are highly entangled.  All
servers (but one apparently) are patched against the IIS vulnerability, but
the shares remain open.

I have tried Symantec's new scanner and the web A/V tool at antivirus.com,
but neither seem to get it all.  As soon as someone logs in to the "clean"
box, snort detects outbound attacks.  I am shutting down all non-essential
systems, but some are going to have to keep running.

Please contact me off list for more details or on list with solutions.

Thanks,
	Matt

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: H C: "Posting to Incidents list, was: Re: Help with Nimda.E?"
Previous message: mstevensonat_private: "Strange kernel happenings"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Nov 01 2001 - 09:18:43 PST