List:       ntbugtraq
Subject:    Re: Alert: Nimda cleansing information
From:       Edward York <ed () 724HOSTING ! COM>
Date:       2001-09-20 3:27:23

I just wanted to pass on the word on some info I have discovered after my BDC was infected.

If your NT4.0 server is a BDC, then the guest account is not enabled and the open shares are not created. It appears from what everyone else is saying that only PDCs and stand-alone servers are affected with the open share and guest account problem.

I assume the reason is that all access to a BDC is controlled by the PDC, so if the PDC is not infected, then these shares cannot be created.

On another note, the AV vendors are indeed not perfect.
The VirusScan programs, at least by McAfee, appear to miss files once in a while. I have run McAfee several times now and the files found that are infected are fewer and fewer with each pass.
99% of the 10,000+ files infected on my server were caught the first pass. The 2nd pass resulted in only about 400 infected files and the 3rd pass resulted in only about 200 remaining.
I have confirmed through careful observation that at least on my server, the files are not being re-infected and that indeed the remaining files were missed. This was confirmed by running a search of files modified on 9/18/01 when my server was infected. Search results before the 3rd AV pass did show about 200 files that had the original infection date and time stamp.

My suggestion: run the AV several times to be sure you catch all the infected files.

Still one last note. This server that was infected was protected with MS01-033 and the Post SP6a rollup. Nothing new has been installed on this server in months, so I do not believe some other application has overwritten patched files. MS01-044 had not been installed, but I believe the Post SP6a rollup and MS01-033 should have prevented infection. This leads me to believe that it is possible that another security hole exists, but has not yet been discovered. Just speculation, and I would like to hear if anyone else has been infected even with the patches installed.

Regards,
_/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/
Edward York - Vice Pres/CTO
724 Hosting - www.724hosting.com
Windows NT/2000  Web Hosting,
Advanced Linux Web Hosting,
Dedicated  & Co-location Services
e-mail: ed@724hosting.com
_/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/
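The check the post describes (searching for files whose modification time still carries the original infection date, then comparing the list before and after an AV pass to tell missed files from re-infected ones) can be scripted. The following is an added example, not code from the post or from any AV vendor; it works on a constructed temporary directory with made-up file names and assumed timestamps, and the "AV pass" is simulated by deleting and rewriting files rather than by running a scanner.

```python
"""Added example: verify an AV cleanup pass by comparing file mtimes before and
after the pass. A file still carrying its infection-day mtime after the pass was
missed; a file whose mtime is newer than the start of the pass was rewritten
after the scan began (possible re-infection). Everything runs on a constructed
temporary tree; the file names, counts and timestamps are assumptions."""
import os
import tempfile
from datetime import date, datetime
from pathlib import Path

INFECTION_DAY = date(2001, 9, 18)  # the date given in the post


def snapshot(root):
    """Map every file under root to its mtime in epoch seconds."""
    result = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            try:
                result[str(p)] = p.stat().st_mtime
            except OSError:  # file vanished between walk and stat
                continue
    return result


def stamped_on(mtime, day):
    """True if an epoch timestamp falls on the given calendar day (local time)."""
    return datetime.fromtimestamp(mtime).date() == day


def classify(before, after, infection_day, pass_started):
    """Compare snapshots taken around an AV pass that began at pass_started.

    Returns a dict of sets:
      missed     - still present, mtime unchanged and dated infection_day
      reinfected - mtime at or after pass_started (written after the scan began)
      cleaned    - stamped infection_day before, now gone or changed, not reinfected
    """
    suspects = {p for p, t in before.items() if stamped_on(t, infection_day)}
    missed = {p for p in suspects if p in after and after[p] == before[p]}
    reinfected = {p for p, t in after.items() if t >= pass_started}
    cleaned = suspects - missed - reinfected
    return {"missed": missed, "reinfected": reinfected, "cleaned": cleaned}


def build_sample_tree(root, n_infected=10, n_clean=5):
    """Constructed sample: n_infected files stamped with the infection day and
    n_clean files carrying an older, unrelated mtime (both assumed values)."""
    infected_ts = datetime(2001, 9, 18, 14, 30).timestamp()
    clean_ts = datetime(2001, 6, 1, 9, 0).timestamp()
    for i in range(n_infected):
        p = Path(root) / f"infected_{i}.htm"
        p.write_text("constructed sample file")
        os.utime(p, (infected_ts, infected_ts))
    for i in range(n_clean):
        p = Path(root) / f"clean_{i}.txt"
        p.write_text("constructed sample file")
        os.utime(p, (clean_ts, clean_ts))


def demo():
    """Simulate one AV pass over the sample tree and return counts per class."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        before = snapshot(root)
        # Assumed start of the pass: the day after the infection date.
        pass_started = datetime(2001, 9, 19, 8, 0).timestamp()
        # Simulated pass: 7 of 10 stamped files removed, 3 left untouched (missed),
        # and one unrelated file rewritten after the scan began (re-infection pattern).
        for i in range(7):
            (Path(root) / f"infected_{i}.htm").unlink()
        rewritten = Path(root) / "clean_0.txt"
        rewritten.write_text("rewritten after the scan started")
        os.utime(rewritten, (pass_started + 60, pass_started + 60))
        after = snapshot(root)
        result = classify(before, after, INFECTION_DAY, pass_started)
        return {k: len(v) for k, v in result.items()}


if __name__ == "__main__":
    print(demo())
```

On a real server you would take `snapshot()` of the web root before each scanner run, record the wall-clock time the run started, take a second snapshot afterwards, and feed all three to `classify()`; a non-empty `missed` set after a pass is the signal the author saw that justifies running the scanner again, while a non-empty `reinfected` set points at a live source of infection rather than a scanner miss.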
