Compatible Support Forums
Catdog02

Virus question.


Not strictly an "application" I know, but I wanted this to get noticed, and I suspect there is a trojan involved - which IS technically a program...


I have a recurring virus on an NT 4.0 server. Every couple of days I'm finding a W32 Nimda virus has found its way onto C:. The virus is undetected by McAfee corporate until the scanner is run; then the system is cleaned, no (apparent) harm done, meaning that the antivirus can see the virus - which is now an old, outdated strain. We have a very effective security policy implemented. I'd rather not publish the specific details, but there is an effective firewall, and port 25 traffic is routed to an email scanner which automatically deletes anything it doesn't like the look of. All the systems are updated with the newest updates on a regular basis, and the firewall ports are kept to a minimum number open - 80, 21 etc.


Any suggestions on what to look for? The NT system is bare minimum, with only a handful of applications installed.


The virus itself is the type that modifies the guest account, giving it Domain Admin privileges; we don't use the guest account here either.


I'm confident of the security regarding traffic coming in from the internet, and I suspect that possibly the RAS is to blame.


Still if anyone has had a similar problem, I'd love to hear about it.


As far as I can recall, Nimda spreads by 3 methods: e-mails, open network shares and by exploiting a flaw in IIS (which only requires port 80). You seem to have the e-mail one covered, so check that all your IIS servers are fully patched, and check that the infected machines don't have any world-writable shares.

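Since the original post says the AV only notices the worm once a scan is run, a cheap check for the symptom it describes (Guest enabled and/or added to Domain Admins) can be run between scans. This is an added example, not from the thread or any vendor; it parses the text output of the NT `net group` / `net user` commands, and the column layout it assumes is from memory, so verify it against your own host's output first.

```python
"""Flag the Guest-account tampering described in the thread by parsing
'net group "Domain Admins" /domain' and 'net user Guest' output.
Assumption: the member list follows a dashed separator line and the
'net user' rows are 'Field name<spaces>value'."""
import re
import subprocess


def net_group_members(text):
    """Return member names from 'net group <name> /domain' output.
    Members sit below the dashed line, several per row, separated by
    runs of two or more spaces (names may contain a single space)."""
    members, in_members = [], False
    for line in text.splitlines():
        if line.startswith("----"):
            in_members = True
            continue
        if in_members:
            if line.startswith("The command completed"):
                break
            members.extend(n for n in re.split(r"\s{2,}", line.strip()) if n)
    return members


def net_user_field(text, field):
    """Return the value of a 'net user <name>' row such as 'Account active'."""
    for line in text.splitlines():
        if line.startswith(field):
            return line[len(field):].strip()
    return None


def guest_findings(group_text, user_text):
    """Return a list of findings; an empty list means Guest looks untouched."""
    findings = []
    if "Guest" in net_group_members(group_text):
        findings.append("Guest is a member of Domain Admins")
    if net_user_field(user_text, "Account active") == "Yes":
        findings.append("Guest account is enabled")
    return findings


# Constructed sample output showing the infected state from the thread.
SAMPLE_GROUP = """Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator            Guest
The command completed successfully.
"""
SAMPLE_USER = """User name                    Guest
Account active               Yes
Local Group Memberships      *Guests
The command completed successfully.
"""

if __name__ == "__main__":
    # Live check from an admin prompt on a domain-joined Windows box.
    group = subprocess.run(["net", "group", "Domain Admins", "/domain"],
                           capture_output=True, text=True).stdout
    user = subprocess.run(["net", "user", "Guest"],
                          capture_output=True, text=True).stdout
    for finding in guest_findings(group, user):
        print("WARNING:", finding)
```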

Have you applied the IIS patches? The Novell admin for a sister company that I work with kept having the same type of issue with CodeRed2, and what was happening is that she would apply the patch while the system was online with the Internet (hosted Outlook Web Access and Exchange) and would then reboot. Well, it would always reinfect the box since it was never cleared from memory. I went out there and took the box offline from the firewall (no Internet access, and no local systems were trying to infect it), rebooted it, and then applied the patches and rebooted it. Once that was done, I installed and configured URLScan and there hasn't been an issue since for her.

