Security Incidents: Re: Corrupted Directories, Intrusions, and Nimda Oh MY

From: Lew E. Lefton <llefton_at_math.gatech.edu>
Date: Thu, 8 Nov 2001 23:38:30 -0500 (EST)

I don't know if this will work, but you may try installing Cygwin (a Unix
environment on Windows). Then from a bash shell type

rm -rf c:\tree\to\erase

Better yet, you should probably reinstall everything on a freshly
formatted drive from original media. Then restore your own files from a
trusted (pre-nimda) backup. Otherwise, who knows what other "goodies" are
hidden around your system now (keystroke sniffers, etc.)

Good Luck,
Lew Lefton

On Thu, 8 Nov 2001, Drew E. Gilkey wrote:

> Went on vacation for a week, come back to see that my email server is
> reporting that its comepletely full. Look a little deeper into it and I
> see that people have uploaded tons of MP3's, Warez, etc.. Wondering how
> they got in I start to do a virus scan and bam... Nimda was found...
> Unfortunately now I have tons of files on my system that cannot
> seemingly be removed... 2000 thinks they dont exist, yet they do and
> they are taking up disk space.. I have managed to get one of the
> directories removed but the other ones contained tons of locked files,
> weird directory structures that make the system think that the files nor
> directory dont exist, plus permission problems... Anyone got a tool that
> will allow me to just delete the directory and all the subdirectories
> this stuff is in? Or any advice.. I have tried using the ASCII
> characters, etc.. but I just cant seem to get them to delete.. I can
> access the folders via FTP, but when i try to delete them the OS cannot,
> not can I download anything in the folder.
>
> --Drew Gilkey
> Dgilkey_at_libenn.com
>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
Received on Nov 09 2001