Date: Wed, 19 Sep 2001 23:26:54 -0700 From: "DrTebi" <drtebi@yahoo.com> To: <freebsd-security@freebsd.org> Subject: How Nimda can effect Samba users Message-ID: <004e01c1419d$3dfdd200$c8e1b3d8@liquidground.com>
Like a little child I had to touch the hot plate. I am using 4 FreeBSD servers, and one Win98 machine as my "GUI". Using the Win box, I went to a website that (according to my logs) seemed infected with the Nimda virus. A popup window came up, I closed it, felt weird things were going on, and I was right. A process tool for Windows showed a process running that I had never noticed before. I shut it down immediately, updated my virus scanner (InoculateIT), and did a full scan. The virus scanner was up to date and found a few files infected by "Nimda".

- What happened with Samba

To ease my work I use a Samba server and share the htdocs directory. Nimda immediately copied files into every share listed in my Network, and in subfolders of those. These files are typically

coins.eml
vendors.eml
wt10us.eml
start.eml
test.nws

Oh well, it seems like that's all it could do to the FreeBSD servers. Supposedly the virus also infects html files, adding a little <SCRIPT> thing to the end of each. This was not true for my case. However, I now had 50MB of unnecessary files on my drives.

- What I suggest to do

Clean up your Windows box first. Most vendors should have updates for their anti-virus software by now. For detailed information on how Nimda works, check out this page:

http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html

To clean up all those lame .eml files, the easiest way is probably to search each of your network shares for files that have been modified within the last day. I simply used the Windows "Find" tool, selected e.g. \\TIGGER\htdocs\ as share, then chose the date tab and finally "Find all files - Modified - during the previous 2 days". You should get a list of all the .eml and .nws files; sort the list by "Type" and do SHIFT+DELETE.

Sorry if this sounds like a "Windows for dummies tutorial," but I felt I should share this with those who are using Samba on FreeBSD, and had their Windows box infected.
cheers,
DrTebi
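The cleanup DrTebi describes is done from the Windows "Find" tool over the share. The same search can be run on the FreeBSD host itself, directly on the directories Samba exports, which avoids touching the share from the infected client again. The following is an added example, not part of the original post: it lists .eml/.nws files modified within a given number of days under a share root, counts them, deletes them after review, and, as a separate heuristic, lists recently modified .html files containing a <script> tag so they can be inspected by hand (the post says the html modification did not happen in this case, so that list is for review only). The share path, the 2-day window, the function names and the test files are assumptions and constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post). Server-side
# equivalent of the Windows "Find ... modified during the previous 2 days"
# cleanup, run on the FreeBSD host that exports the Samba shares.
# Assumptions: ROOT is a directory Samba exports (e.g. the htdocs share);
# DAYS defaults to 2, matching the window used in the post.

# list_nimda_droppings ROOT [DAYS]
# Prints every .eml or .nws file under ROOT (recursively, so subfolders of
# the share are covered) whose mtime is within the last DAYS days.
list_nimda_droppings() {
    root="$1"
    days="${2:-2}"
    find "$root" -type f \( -name '*.eml' -o -name '*.nws' \) \
        -mtime "-$days" -print
}

# count_nimda_droppings ROOT [DAYS]
# Returns (prints) the number of matching files; useful as a quick
# "is anything there?" check before deleting.
count_nimda_droppings() {
    list_nimda_droppings "$1" "$2" | wc -l | tr -d ' '
}

# remove_nimda_droppings ROOT [DAYS]
# Deletes the files list_nimda_droppings reports. Run the list function
# first and read it; .eml/.nws are not exotic extensions and a real
# newsgroup archive would also match.
remove_nimda_droppings() {
    list_nimda_droppings "$1" "$2" | while IFS= read -r f; do
        rm -f -- "$f"
    done
}

# list_recent_html_with_script ROOT [DAYS]
# Heuristic review list (assumption: not taken from the post). Prints
# .html files modified within DAYS days that contain a <script> tag, so
# an admin can eyeball them for an appended script block. Legitimate pages
# with scripts will show up too; this only narrows what to inspect.
list_recent_html_with_script() {
    root="$1"
    days="${2:-2}"
    find "$root" -type f \( -name '*.html' -o -name '*.htm' \) \
        -mtime "-$days" -exec grep -il '<script' {} \;
}

# Usage on a real host (share path is a placeholder):
#   list_nimda_droppings /usr/local/www/htdocs 2
#   count_nimda_droppings /usr/local/www/htdocs 2
#   remove_nimda_droppings /usr/local/www/htdocs 2
#   list_recent_html_with_script /usr/local/www/htdocs 2
```

The functions deliberately match on modification time as well as extension, exactly as the Windows search in the post does: the dropped files all appear within the window of the infection, so a wide extension match over a whole share is kept from sweeping up older, legitimate files.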