Before you go scrubbing and rebuilding your server again I would recommend thoroughly checking your workstations.
Nimda is not a server-only worm like its predecessors that exploited the same IIS vulnerability. There is a very potent desktop component that spreads via network shares, email and infected web documents.
If you have an infected workstation that has access to your server it is possible it is the culprit. We went a couple rounds with nimda when it first emerged. Look for .eml files on your server and workstations. These are the file types we saw generated in copious quantities when we got hit.
Here's Network Associates' blurb as well:
If this is a duplicate I apologize. I don't have an entry in my sent log so I'm sending it again.
Office of the Controller
Michigan State University
146 Administration Building
East Lansing, MI 48824
Ph. (517) 353-4443
Fx. (517) 353-1046
>>> [log in to unmask] 11/01/01 03:34PM >>>
I feel for you. I have some friends in NYC who, in addition to all
the nuts things going on there have had to deal with Nimda as well.
Their conclusion was that they didn't trust *any* cleaning solution
completely, and did a scrub, reinstalling from the original CDs.
I'm not sure if this applies in this case, but how do you know your
backup isn't tainted? It kind of sounds that way to me, paranoid that
I am. (If Nimda didn't come out 'till after 9/8 then this isn't likely).
You might want to try another reload from the 9/8 backup, then reapply
all the patches again, after verifying the right order (or no order?). If
that still fails, I'd reinstall from your original media.
You might also want to look at securityfocus.com, and their mailing list
archives. Bugtraq has been a great place for Windows problems in the
past. I have not kept up with it for a while now, but I can't imagine they
aren't still a great place to glean information.
--STeve Andre' (Political Science)
At 03:11 PM 11/1/01 -0500, Gerard M Hoxsey wrote:
>Very frustrating. bard.cal.msu.edu is my box. It was hit by nimda in
>It was formatted and reloaded from a sept 8 backup, fully patched according to
>microsoft downloads and yet it has been exploited again. I am obviously
>something but I don't know what. I had noticed unusual activity and had
>off the wire before Gene's email went out. I was probed by 220.127.116.11 and
>18.104.22.168 but my log shows 404's so I don't know how the heck they got in.
>Any help in buttoning this up would be much appreciated.
>Arts and Letters
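The quoted message reasons that a log full of 404s means the probes failed. A 404 on one request says nothing about the other requests the same client made, so a per-client summary of the IIS W3C log is the first triage step. The script below is an added example, not part of this thread; the log excerpt is constructed, the client addresses are RFC 5737 documentation ranges, and the request paths are placeholders rather than real worm signatures.

```python
from collections import Counter, defaultdict

# Constructed IIS 5.0 W3C extended log excerpt (sample data, not from the thread).
# Addresses are RFC 5737 documentation ranges; the /scripts/ paths are placeholders
# standing in for whatever a scanner tried, not real worm request strings.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-11-01 14:02:11 192.0.2.10 GET /scripts/probe1.exe /c+dir 404
2001-11-01 14:02:12 192.0.2.10 GET /scripts/probe2.exe /c+dir 404
2001-11-01 14:02:13 192.0.2.10 GET /scripts/probe3.exe /c+dir 200
2001-11-01 14:05:40 198.51.100.7 GET /scripts/probe1.exe /c+dir 404
2001-11-01 14:05:41 198.51.100.7 GET /default.htm - 200
"""


def parse_w3c(log_text):
    """Yield one dict per log entry, naming columns from the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the directive
        elif line.startswith("#") or not line.strip():
            continue                           # other directives and blank lines
        elif fields:
            yield dict(zip(fields, line.split()))


def status_by_client(log_text):
    """Count HTTP status codes per client address, e.g. {'192.0.2.10': {'404': 2, '200': 1}}."""
    summary = defaultdict(Counter)
    for entry in parse_w3c(log_text):
        summary[entry["c-ip"]][entry["sc-status"]] += 1
    return {ip: dict(counts) for ip, counts in summary.items()}


def clients_with_successful_probe(log_text, probe_prefix="/scripts/"):
    """Clients that got a 2xx on any request under probe_prefix.

    A client with several 404s and a single 200 in the same series is the one
    to look at: the 404s beside it do not mean the whole series failed."""
    hits = set()
    for entry in parse_w3c(log_text):
        if entry["cs-uri-stem"].startswith(probe_prefix) and entry["sc-status"].startswith("2"):
            hits.add(entry["c-ip"])
    return hits


if __name__ == "__main__":
    for ip, counts in status_by_client(SAMPLE_LOG).items():
        print(ip, counts)
    print("clients with a successful probe:", sorted(clients_with_successful_probe(SAMPLE_LOG)))
```

Run it against the real log by reading the file into `log_text`; the `probe_prefix` argument narrows the check to the script directory the probes targeted.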