Re: Re[3]: [IMail Forum] OT: IIS

Wed, 26 Sep 2001 20:40:16 -0700 

nimda sneaks its way in thru open network shares (shared drives).  That's
how I think it got in on a system I spent two days fixing.  Close all your
network shares.  ALL of them.

open a command prompt and type

net share

to see all your open shares

----- Original Message -----
From: "andyb@thumpernet" <[EMAIL PROTECTED]>
To: "Sharon Tucci" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, September 26, 2001 6:14 PM
Subject: Re[3]: [IMail Forum] OT: IIS


> Hi Sharon,
>
> Thank you... my how some people just don't believe...
>
> Thanks, andyb
> [EMAIL PROTECTED]
>
> Wednesday, September 26, 2001, 12:17:56 PM, you wrote:
>
> ST> At 10:17 AM 9/26/01 -0400, andyb@thumpernet wrote:
> >>My web server *was* patched and it got the virus *anyway*.  Same thing
> >>for another web server admin near here.
>
> ST> To back this up, we had 18 NT boxes online last week
> ST> when it hit (19 now) and three of them were hit.
> ST> Our patches were up to date running through August 15 or
> ST> 17th. (Forget the exact date)
>
> ST> Interestingly enough, we applied some later fixes available
> ST> through a number of sources on Wednesday and Thursday. We
> ST> had another server hit Sunday in spite of this.
>
> ST> What I find curious is that even though our .html files
> ST> were modified and I KNOW we were infected, the clean nimda
> ST> utility from Symantec said we didn't have it. Go figure.
>
> ST> I've had some sys admins I know insist left and right there
> ST> was no way we could have been infected if we were patched,
> ST> but we were. A few people I know suggested we had the code
> ST> red worm when that hit and that left open a back door.
> ST> But one of the servers that was hit only went online the
> ST> last week of August and had the latest service pack and
> ST> all patches. The system was also clean when I did a check
> ST> for code red.
>
> ST> Sharon Tucci
>
>
>
>
> ST> Please visit http://www.ipswitch.com/support/mailing-lists.html
> ST> to be removed from this list.
>
> ST> An Archive of this list is available at:
> ST> http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
>
>
> Please visit http://www.ipswitch.com/support/mailing-lists.html
> to be removed from this list.
>
> An Archive of this list is available at:
> http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
>


Please visit http://www.ipswitch.com/support/mailing-lists.html 
to be removed from this list.

An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/

Reply via email to