Security Incidents mailing list archives
Nimda and samba, chap II (20010531?)
From: Chip Mefford <cmefford () avwashington com>
Date: Wed, 19 Sep 2001 00:21:02 -0400
Well, it's been a few hours now that I have been messing with it. It isn't all that easy to clean up, even with the new definition tables, F-prot linux scanner will report clean with clearly infected .eml(s) laying everywhere. Norton isn't much better running over a mounted drive from a win2K box. RAV antivirus is about the only scanner I've found thus far that has the horsepower to clean this thing up.

If you had an infected host connected to your samba server, you have infected files in every directory writable by the user on that host. These files are probably .dll(s) and .eml(s) but I have seen other extensions like .wml.

Also, the file names seem to be datasource*.eml but they may also be 20010531.eml (it's that old!) or they may be random strings of integers with a .eml or .wml extension. And they will be EVERYWHERE possible.

This thing isn't fun.
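The file-name patterns listed in the post can be turned into a triage pass over a share's directory tree. The following is an added example, not part of the original post; the case-insensitive matching and the function names are assumptions, and a name match only marks a file for scanning or review.

```python
import os
import re
import sys
from collections import Counter

# Name patterns taken from the post: datasource*.eml, and all-digit names
# (20010531.eml is one instance) with a .eml or .wml extension.
# Case-insensitive matching is an assumption (shares served to Windows clients).
PATTERNS = [
    ("datasource*.eml", re.compile(r"^datasource.*\.eml$", re.I)),
    ("digits.eml/.wml", re.compile(r"^[0-9]+\.(eml|wml)$", re.I)),
]
# The post also mentions .dll files but gives no names for them, so they are
# only listed for manual review, never counted as a pattern match.
REVIEW_EXT = ".dll"


def classify(filename):
    """Return the label of the first matching pattern, 'review:.dll', or None."""
    for label, rx in PATTERNS:
        if rx.match(filename):
            return label
    if filename.lower().endswith(REVIEW_EXT):
        return "review:.dll"
    return None


def scan(root):
    """Walk root without following symlinks; return sorted (path, label) hits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            label = classify(name)
            if label:
                hits.append((os.path.join(dirpath, name), label))
    return sorted(hits)


def per_directory(hits):
    """Count name-pattern matches (not .dll review items) per directory."""
    return Counter(os.path.dirname(p) for p, l in hits if not l.startswith("review"))


if __name__ == "__main__":
    found = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, label in found:
        print(f"{label}\t{path}")
    for d, n in per_directory(found).most_common():
        print(f"{n:5d}  {d}", file=sys.stderr)
```

Run it with the share's root path as the only argument; the per-directory counts on stderr show which user-writable directories were hit.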