Security Incidents mailing list archives

Re: Corrupted Directories, Intrusions, and Nimda Oh MY

From: "Lew E. Lefton" <llefton () math gatech edu>
Date: Thu, 8 Nov 2001 23:38:30 -0500 (EST)

I don't know if this will work, but you may try installing Cygwin (a Unix
environment on Windows).  Then from a bash shell type 

  rm -rf c:\tree\to\erase

Better yet, you should probably reinstall everything on a freshly
formatted drive from original media.  Then restore your own files from a
trusted (pre-nimda) backup.  Otherwise, who knows what other "goodies" are
hidden around your system now (keystroke sniffers, etc.)

Good Luck,
Lew Lefton

 -----------------------------------------------------------------------
| Lew Lefton, IT Director         | Phone:     (404) 385-0052           |
| School of Mathematics           | FAX:       (404) 894-4409           |
| Georgia Institute of Technology | e-mail:    llefton () math gatech edu  |
| Atlanta, GA  30332-0160         | http://www.math.gatech.edu/~llefton |
 -----------------------------------------------------------------------

On Thu, 8 Nov 2001, Drew E. Gilkey wrote:

Went on vacation for a week, come back to see that my email server is
reporting that its comepletely full. Look a little deeper into it and I
see that people have uploaded tons of MP3's, Warez, etc.. Wondering how
they got in I start to do a virus scan and bam... Nimda was found...
Unfortunately now I have tons of files on my system that cannot
seemingly be removed... 2000 thinks they dont exist, yet they do and
they are taking up disk space.. I have managed to get one of the
directories removed but the other ones contained tons of locked files,
weird directory structures that make the system think that the files nor
directory dont exist, plus permission problems... Anyone got a tool that
will allow me to just delete the directory and all the subdirectories
this stuff is in? Or any advice.. I have tried using the ASCII
characters, etc.. but I just cant seem to get them to delete.. I can
access the folders via FTP, but when i try to delete them the OS cannot,
not can I download anything in the folder.
 
--Drew Gilkey
Dgilkey () libenn com




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Corrupted Directories, Intrusions, and Nimda Oh MY Drew E. Gilkey (Nov 08)
- Re: Corrupted Directories, Intrusions, and Nimda Oh MY Lew E. Lefton (Nov 08)
  - Re: Corrupted Directories, Intrusions, and Nimda Oh MY H C (Nov 09)
- Re: Corrupted Directories, Intrusions, and Nimda Oh MY Mike Lewinski (Nov 09)
- Re: Corrupted Directories, Intrusions, and Nimda Oh MY Mike Shaw (Nov 09)