From owner-freebsd-security  Wed Sep 19 23:28:21 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtp012.mail.yahoo.com (smtp012.mail.yahoo.com [216.136.173.32])
	by hub.freebsd.org (Postfix) with SMTP id D732437B41A
	for <freebsd-security@freebsd.org>; Wed, 19 Sep 2001 23:28:17 -0700 (PDT)
Received: from unknown (HELO RAMBUS) (216.179.225.200)
  by smtp.mail.vip.sc5.yahoo.com with SMTP; 20 Sep 2001 06:26:44 -0000
X-Apparently-From: <drtebi@yahoo.com>
Message-ID: <004e01c1419d$3dfdd200$c8e1b3d8@liquidground.com>
Reply-To: "DrTebi" <drtebi@yahoo.com>
From: "DrTebi" <drtebi@yahoo.com>
To: <freebsd-security@freebsd.org>
Subject: How Nimda can effect Samba users
Date: Wed, 19 Sep 2001 23:26:54 -0700
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

like a little child I had to touch the hot plate.

I am using 4 FreeBSD servers, and one win98 machine as my "GUI". Using the
win box, I went to a website that (according to my logs) seemed infected
with the Nimda virus. A popup window came up, I closed it, felt weird things
were going on, and I was right. A process tool for windows showed a process
running that I did never notice before. I shut it down immediately, updated
my virus scanner (InoculateIT), and did a full scan. The virus scanner was
up to date and found a few files infected by "Nimda".

- What happened with Samba
To ease my work I use a Samba server and share the htdocs directory. Nimda
immediately copied files into every share listed in my Network, and in
subfolders of those. These files are typically

coins.eml
vendors.eml
wt10us.eml
start.eml
test.nws

Oh well, it seems like that's all it could do to the FreeBSD servers.
Supposedly the virus also infects html files, adding a little <SCRIPT> thing
to the end of each. This was not true for my case. However, I now had 50MB
of unnecessary files on my drives.

- What I suggest to do
Clean up your windows box first. Most vendors should have updates for their
anti-virus software by now. For detailed information on how Nimda works,
check out this page:
http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html

To clean up all those laim .eml files, the easiest way is probably to search
each of your network shares for files that are have been modified within the
last day. I simply used windows "Find" tool, selected e.g. \\TIGGER\htdocs\
as share, then chose the date tab and finally "Find all files - Modified -
during the previous 2 days".
You should get a list of all the .eml and .nws files; sort the list by
"Type" and do SHIFT+DELETE.

Sorry if this sounds like a "windows for dummies tutorial," but I feel to
share this with those who are using Samba on FreeBSD, and had their Windows
box infected.

cheers,
DrTebi


_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message