Re: Re: Virus
Having poked into things a bit more...

Looking at the IIS log files on the server (w2k), I saw dodgy URLs being
entered for my site. These then invoked root.exe (which had been left over
from a sadm virus that was not totally cleaned). A couple of seconds after
the external computer tried to fire up the IIS page, TFTP was invoked to the
same address as the external browser (this was blocked by the firewall).

Went to the Microsoft site & downloaded the 'coderedcleanup.exe' which
removed the dodgy root.exe and tidied up a couple of other IIS things.
Everything seems to be fine... for the moment!

Lessons learnt:

It is valuable to have defence in depth - firewalls, virus guards, log files
for review.

Backups are useful... but can be tricky to use if you are not sure when
exactly you were infected with the virus.

If you are running IIS, it pays to review your log files regularly.

hotfixchecker from Microsoft is useful to ensure you have all the
appropriate patches.

The time lost to virus attacks / fixes is a real PITA in a domestic
environment.
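As an added illustration of the log review described above (example code written for this page, not from the post or the list): it parses constructed IIS W3C log lines for requests to root.exe and pairs each with a firewall entry blocking outbound TFTP to the same address a few seconds later. The firewall log column layout and the 10-second window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample IIS W3C extended log (not from the original post).
# Fields: date time c-ip cs-method cs-uri-stem sc-status
IIS_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-09-22 14:01:02 203.0.113.7 GET /default.htm 200
2001-09-22 14:01:09 203.0.113.7 GET /scripts/root.exe 200
2001-09-22 14:05:44 198.51.100.3 GET /index.asp 200
2001-09-22 14:07:30 192.0.2.55 GET /scripts/root.exe 404
"""

# Constructed firewall log of blocked connections; the column layout is an assumption.
# Fields: date time action direction proto remote-ip remote-port
FW_LOG = """\
2001-09-22 14:01:11 BLOCK OUT UDP 203.0.113.7 69
2001-09-22 14:30:00 BLOCK OUT UDP 198.51.100.3 69
"""

SUSPICIOUS_STEMS = ("root.exe",)   # the leftover backdoor the post found in its IIS logs
WINDOW = timedelta(seconds=10)     # the post says "a couple of seconds"; 10 s is an assumption

def parse_iis(text):
    """Yield (timestamp, client_ip, uri_stem, status) for each IIS data line."""
    for line in text.splitlines():
        if line.startswith("#"):          # skip the #Fields/#Software directives
            continue
        date, time, ip, _method, stem, status = line.split()
        yield datetime.fromisoformat(f"{date} {time}"), ip, stem, int(status)

def blocked_tftp(text):
    """Yield (timestamp, remote_ip) for blocked outbound UDP/69 (TFTP) entries."""
    for line in text.splitlines():
        date, time, action, direction, proto, ip, port = line.split()
        if (action, direction, proto, port) == ("BLOCK", "OUT", "UDP", "69"):
            yield datetime.fromisoformat(f"{date} {time}"), ip

def correlate(iis_text, fw_text, window=WINDOW):
    """Return (client_ip, request_time, tftp_time) for every suspicious request
    followed within `window` by a blocked TFTP to the same remote address."""
    tftp = list(blocked_tftp(fw_text))
    hits = []
    for ts, ip, stem, _status in parse_iis(iis_text):
        if not stem.lower().endswith(SUSPICIOUS_STEMS):
            continue
        for fts, fip in tftp:
            if fip == ip and timedelta(0) <= fts - ts <= window:
                hits.append((ip, str(ts), str(fts)))
    return hits
```

With the sample data, `correlate(IIS_LOG, FW_LOG)` returns one hit for 203.0.113.7; the 404 for 192.0.2.55 shows a probe against a host where root.exe was not present, and the unrelated TFTP block for 198.51.100.3 is not paired with anything.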
----- Original Message -----
From: <steve@xxxxxxx>
To: <ukha_d@xxxxxxx>
Sent: Sunday, September 23, 2001 10:43 AM
Subject: [ukha_d] Re: Virus
> If you are in win2k just look in taskman and see if anything unusual
> is running.
> If there is strange stuff happening, end task it, then find it in your
> computer and delete it.
>
> If you're on win98/95 and I think ME, you can't see "all" running
> processes, so I have a neat little utility somewhere I made in VB which
> allows you to list ALL running processes and kill any of them. I think
> if I can find it, I will add a kill and delete button as well, or a kill
> and move button.
>
> Interested?
>
> HTH steve
> --- In ukha_d@y..., "John McManus" <john.mcmanus@b...> wrote:
> > I am in a difficult position as my virus scanner (NAV2001) does not
> > show that I am infected, but the Zone Alarm Pro firewall suddenly
> > (Wednesday) started asking if I want to allow TFTP (trivial file
> > transfer protocol) to connect to the internet. I have also run a
> > couple of the 'cleaner' programs for Nimda virus... they too say I am
> > not infected.
> >
> > Since I am not aware of any apps on the server that need to use TFTP
> > (and the addresses that it is going to are other BT Internet ones), I
> > guess I need to assume that I am infected with something and reformat /
> > re-install... a real PITA.
> >
> > Any thoughts would be appreciated.
> > ----- Original Message -----
> > From: "Brian G. Reynolds" <brian.g.reynolds@n...>
> > To: <ukha_d@y...>
> > Sent: Saturday, September 22, 2001 7:42 PM
> > Subject: RE: [ukha_d] Virus
> >
> >
> > > Thanks Keith,
> > >
> > > I am using Norton AntiVirus 2001, recently bought. I used its own
> > > virus scan routine, is there a better way?
> > >
> > > All the infected files were deleted.
> > > I do use its auto update and do it manually as well.
> > >
> > > Thanks for the info.
> > >
> > > B.
> > > > -----Original Message-----
> > > > From: Keith Doxey [mailto:ukha@xxxxxxx...]
> > > > Sent: 22 September 2001 19:00
> > > > To: ukha_d@y...
> > > > Subject: RE: [ukha_d] Virus
> > > >
> > > >
> > > > That's probably it.
> > > >
> > > > How did you run your virus scan?
> > > > We ran it using Windows "Find Files" containing the text "whatever
> > > > you care to put" so that it was forced to open every file on the
> > > > machine, at which time the AV software should find the infected
> > > > files.
> > > >
> > > > Make sure you keep your anti virus software up to date.
> > > >
> > > > At work we use VirusScan TC from McAfee.
> > > > The Dat file was at version 4158 at the beginning of the week and
> > > > by yesterday had reached 4162.
> > > >
> > > > At home I use eTrust EZ Antivirus. Its Dat file has gone from 1491
> > > > on Monday to 1512 yesterday.
> > > >
> > > > One of the worst things about Nimda is that YOU don't have to do
> > > > anything to catch it. I have no doubt that there will be several
> > > > more viruses that mimic the HTML method employed by Nimda, namely
> > > > using Javascript to pop up a window at coordinates that won't show
> > > > on the screen and then try to do malicious things to your machine.
> > > > Disabling Javascript would stop that but would also stop many
> > > > reputable web pages from working and I believe most, if not all,
> > > > eCommerce sites would be less than useless if you didn't support
> > > > Javascript.
> > > >
> > > > Once again a few idiots spoiling things for the majority :-(
> > > >
> > > > Keith
> > > >
> > > > > -----Original Message-----
> > > > > From: Brian G. Reynolds [mailto:brian.g.reynolds@xxxxxxx...]
> > > > > Sent: 22 September 2001 15:33
> > > > > To: ukha_d@y...
> > > > > Subject: RE: [ukha_d] Virus
> > > > >
> > > > >
> > > > > Thanks Keith, I should have known that :-(
> > > > >
> > > > > All .eml deleted.
> > > > >
> > > > > I have run the virus scan again and it does not find any more,
> > > > > does that mean all is ok again?
> > > > > Never had a virus before, not sure when to trust it again!
> > > > >
> > > > > I have already read the threads, I have re-SP2'd and another MS
> > > > > patch q301625_w2k_sp3_x86_en.exe
> > > > > Anything else or can I now breathe again!!
> > > > >
> > > > > Thanks,
> > > > >
> > > > > B.
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Keith Doxey [mailto:ukha@xxxxxxx...]
> > > > > > Sent: 22 September 2001 15:07
> > > > > > To: ukha_d@y...
> > > > > > Subject: RE: [ukha_d] Virus
> > > > > >
> > > > > >
> > > > > > *.eml are email messages but the ones that you have found
> > > > > > will be loads with the same file size and datestamp.
> > > > > >
> > > > > > THEY ARE INFECTED WITH THE VIRUS ..... DELETE THEM.
> > > > > >
> > > > > > It also puts some code in any HTML or ASP files it finds that
> > > > > > will infect any other PC viewing the pages.
> > > > > >
> > > > > > Read the previous threads from when Graham was battling to
> > > > > > remove Nimda.
> > > > > >
> > > > > > Keith
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Brian G. Reynolds [mailto:brian.g.reynolds@xxxxxxx...]
> > > > > > > Sent: 22 September 2001 14:04
> > > > > > > To: UKHA Group
> > > > > > > Subject: [ukha_d] Virus
> > > > > > >
> > > > > > >
> > > > > > > What are .eml files?
> > > > > > > I assume something to do with the web/html/IE?
> > > > > > > It seems that these were the most attacked, I have
> > > > > > > "quarantined" them but not sure if I can delete them?
> > > > > > >
> > > > > > > Another PC has also been infected but this time it seems
> > > > > > > mostly Psion files so I have deleted them! subtle.
> > > > > > >
> > > > > > > Thanks,
> > > > > > >
> > > > > > > B.
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > For more information: http://www.automatedhome.co.uk
> > > > > > > Post message: ukha_d@y...
> > > > > > > Subscribe: ukha_d-subscribe@y...
> > > > > > > Unsubscribe: ukha_d-unsubscribe@y...
> > > > > > > List owner: ukha_d-owner@y...
> > > > > > >
> > > > > > > Your use of Yahoo! Groups is subject to
> > > > > > > http://docs.yahoo.com/info/terms/