Security Incidents: Re: Help with Nimda.E?

Re: Help with Nimda.E?

From: Zlatko Ignjatovic <klaja_at_anoxsoft.net>
Date: Thu, 1 Nov 2001 09:14:41 +0100

I also had a similar situation (less workstations infected, though). First,
try to patch all the machines, with the help of hotfix scanning tool from
Shavlik/Microsoft:

http://download.microsoft.com/download/win2000platform/Utility/3.2/NT45/EN-US/nshc32.exe

Then you should try nimdascn.exe from McAfee (this is the only one that
completely cleaned my machines):

http://www.mcafeeb2b.com/naicommon/avert/avert-research-center/tools.asp#NimdaScn

This combination helped me, can't say it's 100% the best, but it's worth a
try.

Wish you luck,
    Zlatko Ignjatovic
    Sys/Net Admin for Anox Software

----- Original Message -----
From: "Matt Beck" <Mbeck_at_GiantStep.com>
To: <incidents_at_securityfocus.com>
Sent: Wednesday, October 31, 2001 8:29 PM
Subject: Help with Nimda.E?

> Hello all,
>
> I haven't determined how yet, but one system on my dmz was unpatched. Of
> course, it got hit by Nimda.e. This new variant is now propagating like mad
> through the shares.
>
> Given the nature of the environment, I am having trouble containing and
> removing it. Any suggestions? I have 50+ NT/2k servers on the dmz LAN.
> There is a master domain that all other domains trust. Servers in each
> domain require shares to function. Permissions are highly entangled. All
> servers (but one apparently) are patched against the IIS vulnerability, but
> the shares remain open.
>
> I have tried Symantec's new scanner and the web A/V tool at antivirus.com,
> but neither seem to get it all. As soon as someone logs in to the "clean"
> box, snort detects outbound attacks. I am shutting down all non-essential
> systems, but some are going to have to keep running.
>
> Please contact me off list for more details or on list with solutions.
>
> Thanks,
> Matt
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Received on Nov 01 2001