Security Incidents mailing list archives

Re: Help with Nimda.E?


From: "Zlatko Ignjatovic" <klaja () anoxsoft net>
Date: Thu, 1 Nov 2001 09:14:41 +0100

I also had a similar situation (fewer workstations infected, though). First,
try to patch all the machines, with the help of the hotfix scanning tool from
Shavlik/Microsoft:

http://download.microsoft.com/download/win2000platform/Utility/3.2/NT45/EN-US/nshc32.exe

Then you should try nimdascn.exe from McAfee (this is the only one that
completely cleaned my machines):

http://www.mcafeeb2b.com/naicommon/avert/avert-research-center/tools.asp#NimdaScn

This combination helped me, can't say it's 100% the best, but it's worth a
try.

Wish you luck,
    Zlatko Ignjatovic
    Sys/Net Admin for Anox Software

----- Original Message -----
From: "Matt Beck" <Mbeck () GiantStep com>
To: <incidents () securityfocus com>
Sent: Wednesday, October 31, 2001 8:29 PM
Subject: Help with Nimda.E?


Hello all,

I haven't determined how yet, but one system on my dmz was unpatched.  Of
course, it got hit by Nimda.e.  This new variant is now propagating like mad
through the shares.

Given the nature of the environment, I am having trouble containing and
removing it.  Any suggestions?  I have 50+ NT/2k servers on the dmz LAN.
There is a master domain that all other domains trust.  Servers in each
domain require shares to function.  Permissions are highly entangled.  All
servers (but one apparently) are patched against the IIS vulnerability, but
the shares remain open.

I have tried Symantec's new scanner and the web A/V tool at antivirus.com,
but neither seems to get it all.  As soon as someone logs in to the "clean"
box, snort detects outbound attacks.  I am shutting down all non-essential
systems, but some are going to have to keep running.

Please contact me off list for more details or on list with solutions.

Thanks,
Matt

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com




