 |
 |
Before you go scrubbing and rebuilding your server again I would recommend throughly checking your workstations. Nimda is not a server-only worm like it's predecessosr that exploited the same IIS vulnerability. There is a very potent desktop component that spreads via network shares, email and infected web documents. If you have an infected workstation that has access to your server it is possible it is the culprit. We went a couple rounds with nimda when it first emerged. Look for .eml files on your server and workstations. These are the file types we saw generated in copious quantities when we got hit. Here's Network Associates blurb as well: http://vil.nai.com/vil/virusSummary.asp?virus_k=99209 Good luck. If this is a duplicate I apologize. I don't have an entry in my sent log so I'm sending it again. Peter Chin Network Administrator Office of the Controller Michigan State University 146 Administration Building East Lansing, MI 48824 Ph. (517) 353-4443 Fx. (517) 353-1046 >>> [log in to unmask] 11/01/01 03:34PM >>> I feel for you. I have some friends in NYC who, in addition to all the nuts things going on there have had to deal with Nimda as well. They're conclusion was that they didn't trust *any* cleaning solution completely, and did a scrub, reinstalling from the original CDs. I'm not sure if this applies in this case, but how do you know your backup isn't tainted? It kind of sounds that way to be, paranoid that I am. (If Nimda didn't come out 'till after 9/8 then this isn't likely). You might want to try another reload from the 9/8 backup, then reapply all the patches again, after verifying the right order (or no order?). If that still fails, I'd reinstall from your original media. You might also want to look at securityfocus.com, and their mailing list archives. Bugtraq has been a great place for Windows problems in the past. I have not kept up with it for a while now, but I can't imagine they aren't still a great place to glean information. --STeve Andre' (Political Science) At 03:11 PM 11/1/01 -0500, Gerard M Hoxsey wrote: >Very frustrating. bard.cal.msu.edu is my box. It was hit by nimda in >september. >It was formatted and reloaded from a sept 8 backup, fully patched according to >microsoft downloads and yet it has been exploited again. I am obviously >missing >something but I don't know what. I had noticed unusual activity and had >the box >off the wire before Gene's email went out. I was probed by 210.178.12.111 and >35.8.195.55 but my log shows 404's so I don't know how the heck they got in. >Any help in buttoning this up would be much appreciated. > > >Michael Hoxsey >Network Admin >Arts and Letters