Re: Nimda and patch end up shutting my Web Server

2001-09-25 Thread Vani Murarka

Thank you for all the inputs regarding Nimda, but I am seeking 
something else -

1. reformatting and reinstalling is at present not an option for me
2. How do I find out what mischief the patch I installed did, after 
which the web server does not run - how do I diagnose that and have the 
web server running again - any pointers?
3. A person mentioned - port scanners. Any specific port scanner that 
is recommended that I can use?

As it may be apparent to you - I am not really a Sys Admin person - but
I have to do this. So any help to this ignoramus will be deeply
appreciated.

Thanks

Vani






RE: Nimda and patch end up shutting my Web Server

2001-09-23 Thread Clark, Steve

Reformat. There is no way to 100% remove the virus from your system.

You can download and run utilities from Eeye, Norton, NAI, Commandcenter
... But the bottom line, it's not going to be 100% cleaned.

Steve Clark
Clark Systems Support, LLC
AVIEN Charter Member
www.clarksupport.com
301-610-9584 voice
240-465-0323 Efax

-Original Message-
From: Vani Murarka [mailto:[EMAIL PROTECTED]]
Sent: Sunday, September 23, 2001 9:49 AM
To: NT System Admin Issues
Subject: Nimda and patch end up shutting my Web Server

NT and IIS Gurus, please help.

My system was infected by Nimda. Norton found certain TFTPxxx files
under Inetpub/scripts which were infected. It could not clean it. It
quarantined it. I deleted those files. But new TFTPxxx files kept
getting created in that directory, and Norton kept saying those are
infected with Nimda.

I searched the internet to see what patch I must install. Following
links from Symantec, this is the one I downloaded and installed -
http://www.microsoft.com/ntserver/nts/downloads/critical/q269862/default.asp

The patch was called Windows 4.0 Hotfix

Ever since installing that, my Web Server does not run. Trying to run
it from Internet Service Manager, says, The specified module could not
be found.

I am also unable to uninstall the patch from Control Panel -
Add/Remove Programs as the page from where I downloaded it suggests,
because it is not listed there.

Maybe I selected the inappropriate patch - but now I am at a loss as to
what to do next.

Please give pointers.

Thanks

Vani






RE: Nimda and patch end up shutting my Web Server

2001-09-23 Thread Andrew S. Baker

> Reformat. There is no way to 100% remove the
> virus from your system.

I don't agree with that statement as an absolute, particularly if you
avoided rebooting the machine while the virus was running.

If you had a properly installed Hosted system, you could determine
what had been changed from a security standpoint.

Ultimately, rebuilding will be the safest way to resolve this issue
for those systems which are constantly infected.



==
 ASB - http://www.ultratech-llc.com/KB/?File=~MoreInfo.TXT
==
 Feed a stranger's expired parking meter. -- H. Jackson Brown Jr.







RE: Nimda and patch end up shutting my Web Server

2001-09-23 Thread John Hanks

By now there are probably tools that will remove (or at least claim to
remove) Nimda, but once you were infected your machine started
announcing to the world that everyone had access to it. Even if a tool
cleans up Nimda can you ever be sure that some enterprising script
kiddie hasn't placed a trojan/backdoor on it? Wipe-n-load is the only
way to be sure.

jbh 





RE: Nimda and patch end up shutting my Web Server

2001-09-23 Thread Clark, Steve

Read the documentation from CERT, Eeye and other virus/security
authorities. If the virus was executed on your server, it will open ports
and cause damage that can not be 100% removed.

However, your statement "If you had a properly installed Hosted system, you
could determine what had been changed from a security standpoint" sort of
negates your other comment. If a system was properly hosted, it probably
would have not been infected.

Bottom line, there are too many people that have reported trying to remove
using the tools that continue to be infected. It's just too much of a risk
to continue using a box that has unknown damage in a production environment.

My $.02.

Steve Clark
Clark Systems Support, LLC
AVIEN Charter Member
Who's watching your network?
www.clarksupport.com
301-610-9584 voice
240-465-0323 Efax





RE: Nimda and patch end up shutting my Web Server

2001-09-23 Thread Andrew S. Baker

> If you had a properly installed Hosted system

Meant to say Host-based IDS system :)


==
 ASB - http://www.ultratech-llc.com/KB/?File=~MoreInfo.TXT
==
 Evil is done without effort, naturally, it is the working
 of fate; good is always the product of an art. -- Charles Baudelaire
(1821-67)







Re: Nimda and patch end up shutting my Web Server

2001-09-23 Thread Tiffany Belcher

I have eliminated it. I used a Nimda tool and then had Norton scan and
remove files. My server works fine now.







RE: Nimda and patch end up shutting my Web Server

2001-09-23 Thread Rick Corgiat

I would think that running a good port scanner against that box would be
a good idea. You never know what ports have been opened by the worm...

Rick
