From: Macy Crone (mcroneSCENEGENESIS.COM)
Date: Thu Sep 20 2001 - 09:21:01 CDT

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Problem using the cleaner.
    I ran the line from the command prompt but for every file that goes
    by the following appears:

    C:\> for /R %f in (*.htm *.html *.asp) do ren %f %~nf.old & findstr /L /V "readme.eml" %~nf.old >%f

    Then the command starts its run, but the majority of files have the
    following format:

    C:\> ren C:\Program Files\Microsoft.NET\FrameworkSDK\Samples\quickstart\aspplus\samples\apps\cookies2\js\customize.aspx customize.old & findstr /L /V "readme.eml" customize.old 1>C:\Program Files\Microsoft.NET\FrameworkSDK\Samples\quickstart\aspplus\samples\apps\cookies2\js\customize.aspx
    The syntax of the command is incorrect.
    FINDSTR: Cannot open customize.old

    The command keeps running, but I'm worried that most of the files say
    "The syntax of the command is incorrect.
    FINDSTR: Cannot open file.old"

    I've verified that I typed it in as written, and I do have
    administrator rights on the machine.

    Any ideas?

    Thanks!

    - -Macy

    - -----Original Message-----
    From: Mark E [mailto:mjeWIN2000MAG.COM]
    Sent: Wednesday, September 19, 2001 11:57 AM
    To: win2ksecadviceLISTSERV.NTSECURITY.NET
    Subject: FW: Nimda cleaner!

    Here's the original message regarding the script:

    - -----Original Message-----
    From: Daniel Schultz [mailto:DSchultzNetworkServicesGroup.com]
    Sent: Wednesday, September 19, 2001 4:54 AM
    Subject: Nimda cleaner!

    Network Services Group (Indy's leading Microsoft Certified Technical
    Education Center and Solution Provider) has come up with a single line
    command that will extract the malicious Javascript from all HTM, HTML,
    and ASP files, including the subdirectories! Webservers could have
    thousands of these files that are infected from the Nimda worm.

    - From Windows 2000 (it should work from NT as well) simply type from
    the command prompt:

    for /R %f in (*.htm *.html *.asp) do ren %f %~nf.old & findstr /L /V "readme.eml" %~nf.old >%f

    This one line will clean the file of the bad javascript, and rename the
    original file to *.old for backup purposes. This will even clean files
    that were infected more than once!

    If you would like to use this on your website or any other means,
    please acknowledge Network Services Group, our web address, the fact we
    are a Microsoft Certified Technical Education Center in Indianapolis
    and our phone.

    Please email or call if you have questions...

    P.S. We had the latest security hot fixes installed for over a month
    yet our IIS 4 server was infected with this Nimda worm!

    Sincerely,
    Dan Schultz
    http:\\NetworkServicesGroup.com

    [snipped sig footer]

    _____________________________________________________________________
    ** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
    ** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
    SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net

    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
    Comment: The best way to predict the future is to invent it..alan kay

    iQA/AwUBO6n7TMDQj7lnt5umEQLPowCgoSjyzgzTg8Eex1l99m+vdpjCP4cAniqY
    XCYqpc5oCA1/9UFQSkb9zKh8
    =1Lx2
    -----END PGP SIGNATURE-----

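
Why the run quoted above fails on paths such as C:\Program Files\..., as an added example that is not part of the original messages and is not Network Services Group's command: %f is passed unquoted, so ren receives a path containing a space as several arguments, and %~nf.old is a bare file name, so findstr looks for the backup in the current directory instead of the file's own. The batch file below quotes every path and keeps the backup beside the original as name.ext.old; the script name cleanlines.cmd, the :clean label and the backup variable are assumptions of this example, and inside a batch file the loop variable is written with a doubled percent sign.

```batch
@echo off
rem Added example: quoted variant of the one-line cleaner discussed above.
rem Usage (script name is hypothetical): cleanlines.cmd "C:\Inetpub\wwwroot"
setlocal
if "%~1"=="" (
    echo Usage: cleanlines.cmd "root-directory"
    exit /b 1
)
pushd "%~1" || exit /b 1

rem Walk the tree; each match is handed to :clean as one quoted argument.
for /R %%f in (*.htm *.html *.asp) do call :clean "%%f"

popd
endlocal
exit /b 0

:clean
rem Argument 1 is the full path of one candidate file.
rem Files without the marker string are left untouched. This also covers
rem files the loop sees twice (8.3 short names make *.htm match .html too).
findstr /L "readme.eml" "%~1" >nul || exit /b 0

rem Backup keeps the extension, so page.htm and page.html cannot collide.
set "backup=%~1.old"
if exist "%backup%" (
    echo SKIP   "%~1" ^(backup already exists, not overwritten^)
    exit /b 0
)

rem ren wants a full path first and a bare name second, both quoted.
ren "%~1" "%~nx1.old" || exit /b 1

rem Read the backup by full path and write the filtered lines back
rem under the original name.
findstr /L /V "readme.eml" "%backup%" > "%~1"
echo CLEAN  "%~1"
exit /b 0
```

Because `findstr /V` drops every line that contains the string, compare a cleaned file with its `.old` backup before deleting the backup, which still holds the original line.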