From: Zlatko Ignjatovic (klaja@anoxsoft.net)
Date: Thu Nov 01 2001 - 02:14:41 CST

    I also had a similar situation (fewer workstations infected, though). First,
    try to patch all the machines, with the help of the hotfix scanning tool from
    Shavlik/Microsoft:

    http://download.microsoft.com/download/win2000platform/Utility/3.2/NT45/EN-US/nshc32.exe

    Then you should try nimdascn.exe from McAfee (this is the only one that
    completely cleaned my machines):

    http://www.mcafeeb2b.com/naicommon/avert/avert-research-center/tools.asp#NimdaScn

    This combination helped me, can't say it's 100% the best, but it's worth a
    try.

    Wish you luck,
        Zlatko Ignjatovic
        Sys/Net Admin for Anox Software

    ----- Original Message -----
    From: "Matt Beck" <Mbeck@GiantStep.com>
    To: <incidents@securityfocus.com>
    Sent: Wednesday, October 31, 2001 8:29 PM
    Subject: Help with Nimda.E?

    > Hello all,
    >
    > I haven't determined how yet, but one system on my dmz was unpatched. Of
    > course, it got hit by Nimda.e. This new variant is now propagating like mad
    > through the shares.
    >
    > Given the nature of the environment, I am having trouble containing and
    > removing it. Any suggestions? I have 50+ NT/2k servers on the dmz LAN.
    > There is a master domain that all other domains trust. Servers in each
    > domain require shares to function. Permissions are highly entangled. All
    > servers (but one apparently) are patched against the IIS vulnerability, but
    > the shares remain open.
    >
    > I have tried Symantec's new scanner and the web A/V tool at antivirus.com,
    > but neither seem to get it all. As soon as someone logs in to the "clean"
    > box, snort detects outbound attacks. I am shutting down all non-essential
    > systems, but some are going to have to keep running.
    >
    > Please contact me off list for more details or on list with solutions.
    >
    > Thanks,
    > Matt
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
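An added example for this thread (it is not code from either poster, nor from McAfee or Shavlik): Matt's "clean" boxes give themselves away when snort sees outbound attacks, and the same evidence is in the IIS logs of every server they probe. The script below reads web-server access log lines, URL-decodes each request, matches the IIS probe requests CERT listed for the original Nimda in advisory CA-2001-26 (root.exe and traversal-to-cmd.exe with "?/c+dir"), and reports which client IPs are still infected and which probes the server answered with 200 (meaning cmd.exe actually ran, so that server is not patched either). Assumptions: that Nimda.E issues the same IIS probe URLs as the original worm, a combined-log-style line format, and the IP addresses and log lines, which are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Request tails Nimda sends when probing IIS, per CERT advisory CA-2001-26
# (original Nimda; the assumption here is that Nimda.E uses the same URLs).
# They are matched after URL-decoding so that the %255c, %c0%af, %c1%1c and
# %%35%63 traversal encodings all reduce to the same tail.
PROBE_TAILS = (
    re.compile(r"/root\.exe\?/c\+dir$", re.I),                # Code Red II backdoor check
    re.compile(r"/winnt/system32/cmd\.exe\?/c\+dir$", re.I),  # traversal to cmd.exe
)

# Combined-log-style line (format assumed for this example; IIS's own W3C
# format puts the query in a separate field, so adjust the regex for that).
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def is_nimda_probe(target: str) -> bool:
    """True if the request target is one of Nimda's IIS probe URLs."""
    decoded = unquote(target, errors="replace")
    return any(p.search(decoded) for p in PROBE_TAILS)


def infected_sources(lines):
    """Map each client IP that sent Nimda probes to the distinct probe URLs it
    sent, and to the subset the server answered with 200 (the command ran)."""
    probes = defaultdict(set)
    succeeded = defaultdict(set)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["method"] != "GET":
            continue
        if is_nimda_probe(m["target"]):
            probes[m["src"]].add(m["target"])
            if m["status"] == "200":
                succeeded[m["src"]].add(m["target"])
    return {src: {"probes": sorted(urls), "succeeded": sorted(succeeded[src])}
            for src, urls in probes.items()}


# Constructed sample log lines (not from the thread): two internal servers
# probing this host, one probe getting a 200 back, plus benign traffic.
SAMPLE_LOG = """\
10.1.2.17 - - [31/Oct/2001:20:31:07 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
10.1.2.17 - - [31/Oct/2001:20:31:07 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -
10.1.2.17 - - [31/Oct/2001:20:31:08 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.1.2.17 - - [31/Oct/2001:20:31:08 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.1.2.17 - - [31/Oct/2001:20:31:09 -0600] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 -
10.1.2.40 - - [31/Oct/2001:20:35:52 -0600] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.1.5.9 - - [31/Oct/2001:20:36:01 -0600] "GET /index.html HTTP/1.1" 200 1234
10.1.5.9 - - [31/Oct/2001:20:36:02 -0600] "GET /scripts/report.asp?id=7 HTTP/1.1" 200 812
"""


def main():
    report = infected_sources(SAMPLE_LOG.splitlines())
    for src, info in sorted(report.items()):
        print(f"{src}: {len(info['probes'])} probe URL(s), "
              f"{len(info['succeeded'])} answered 200")


if __name__ == "__main__":
    main()
```

Run it against the logs of any server that stayed up; every source IP it lists is a machine to pull off the shares before it is touched again, and any 200 on a cmd.exe probe means the logging server itself still needs the IIS patch, whatever the hotfix scanner said.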