Is it possible that your Windows machines have Samba-based drive mappings
into your Linux box? I know Nimda could propagate through
shares like that and would end up all over your Unix machine.
I'm sorry if this possibility was already mentioned - I tuned into this
late.
I had a Novell server that was polluted with Nimda in this manner.
The Novell server wouldn't run the Nimda logic, but it got tons of the .eml files dumped
on it by the Windows hosts that map drives to its storage volumes.
I bet there will be a Nimda variant that destroys data aggressively sometime
soon.
Chris Gruenwald
BaysideNetworks.com, Inc.
9590 Chesapeake Drive, Suite 104
San Diego, CA 92129
858 654 4080
858 654 4085 fax
www.baysidenetworks.com
email: chris@baysidenetworks.com

>>> gotissues68@yahoo.com 09/23/01 09:12PM >>>
I tried to do some more investigation as to what the deal was with Nimda. I'm not sure where the infection started, but I can say this is a wily little bastard. I reported yesterday to have cleaned a majority of my Linux system off; well, I checked today and it's back again! I've come to the determination that my entire network needs to come offline, and unfortunately my AV isn't finding the virus, so format/reinstall here I come. I just wanted to let everyone know it appears this thing doesn't just attack Windows now. Here is the message I attempted to send last night, but it never made it apparently.

Drew

Well, I got home and did some investigation and here's what I can find and know for now. It managed to write to all the bb directories. In addition it wrote *.eml files to the home directory and every user directory within it. It also infested the /var directory and everything associated with it (i.e. subdirectories), but that's it. I had a firewall running on one of my Windows boxes and I did happen to notice a lot of NetBIOS requests (more than usual) over the last few days, so it's hard to say when this thing attacked my server. I am running Apache for Win32 on this machine and it appears nothing was compromised, as was nothing on my Macintosh or my other 2 Windows boxes, one of which had a shared drive, the other did not. I don't think there was any "damage" done; however, if bb hadn't emailed me about it I would have never noticed :) I'm in the process of cleaning all the files off my box as we speak. I don't see a lot of unexpected traffic, so I don't think it's scanning a subnet looking for IIS hosts, but I can't say that for sure; a lot of traffic comes in and out of this one box, so it's hard to track in that respect. More as I find it...

Well, let's hope I don't have more to find ;-)

-- 
To unsubscribe from this list, or to subscribe to the bb-digest list, send e-mail to mailto:majordomo@bb4.com with "unsubscribe bb" and/or "subscribe bb-digest" in the BODY of the message.
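Both posts describe the same mechanism: Windows hosts that map a Samba share write worm-dropped *.eml files into the Linux box's home directories, /var and the bb directories, and the files reappear after a cleanup because the Windows side is still infected and the share is still writable. The script below is an added example, not code from either poster or from the bb project: it sweeps a directory tree for *.eml files (optionally only those modified in the last N days, to spot a re-infection) and parses smb.conf to list the shares a Windows client can write to. It assumes a POSIX sh with find(1) and awk(1), and a Samba config in the usual [share] / key = value form; the share names and paths in the usage line are illustrative.

```shell
#!/bin/sh
# Added example: sweep a Samba-exported tree for worm-dropped *.eml files
# and list which smb.conf shares are writable by Windows clients.
# Assumes POSIX sh, find(1), awk(1); the paths below are illustrative.

# Print every *.eml file (any case) under ROOT. Optional second argument
# N restricts the hit list to files modified within the last N days, which
# is what you want after a cleanup to see whether the worm came back.
sweep_eml() {
    root=$1
    days=${2:-}
    if [ -n "$days" ]; then
        find "$root" -type f -name '*.[eE][mM][lL]' -mtime "-$days" 2>/dev/null
    else
        find "$root" -type f -name '*.[eE][mM][lL]' 2>/dev/null
    fi
}

# Number of hits, for a cron job or a bb-style check that alerts on non-zero.
count_eml() {
    sweep_eml "$@" | wc -l | tr -d ' '
}

# Print the names of shares a client may write to, reading smb.conf the way
# Samba does: "writable = yes" / "writeable = yes" / "write ok = yes" or
# "read only = no" makes a share writable, shares default to read-only, and
# a share-level setting placed in [global] acts as the default for all
# shares. Whole-line comments (; or #) and blank lines are ignored.
writable_shares() {
    smbconf=$1
    awk '
        BEGIN { gdefault = 0; name = ""; rw = 0 }
        function flush() { if (name != "" && name != "global" && rw) print name }
        { line = tolower($0); sub(/[ \t\r]+$/, "", line) }
        line ~ /^[ \t]*$/ || line ~ /^[ \t]*[;#]/ { next }
        line ~ /^[ \t]*\[/ {
            flush()
            name = line; sub(/^[ \t]*\[/, "", name); sub(/\].*$/, "", name)
            rw = gdefault
            next
        }
        line ~ /=/ {
            key = line; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]*/, "", key)
            val = line; sub(/^[^=]*=[ \t]*/, "", val)
            yes = (val == "yes" || val == "true" || val == "1")
            if (key == "writable" || key == "writeable" || key == "write ok") v = yes
            else if (key == "read only") v = !yes
            else next
            if (name == "global") gdefault = v; else rw = v
        }
        END { flush() }
    ' "$smbconf"
}

# Usage: sh nimda_sweep.sh /etc/samba/smb.conf /home /var /usr/local/bb
# (only runs when invoked with arguments, so the file can also be sourced)
if [ $# -ge 2 ]; then
    cfg=$1; shift
    echo "Writable shares in $cfg:"
    writable_shares "$cfg"
    for r in "$@"; do
        echo "*.eml files under $r modified in the last 7 days:"
        sweep_eml "$r" 7
    done
fi
```

Run it against the roots the post names and the live smb.conf; any share that appears in the first list and also holds fresh *.eml hits is a mapping that an infected Windows host is still writing through, so that share should go read-only (or be removed) until the Windows side is clean, otherwise the Linux cleanup will not stick.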