I'm not sure what you are trying to say here. Every one of these things is SOP for any network admin worth his salary. You fail in one of those areas, and you will pay the price. It's as simple as that, whether precautionary, reactivity, or necessary. Patching, AV, etc.

-----Original Message-----
From: Gregory Toland [mailto:[EMAIL PROTECTED]]
Sent: Sunday, March 10, 2002 8:22 PM
To: NT 2000 Discussions
Subject: RE: Infected W2K Server

While I agree that installing patches is very important, it is no different than Antivirus and Intrusion Detection defenses. Patches are also a reactive reflex. Patches are built because of exploit(s) that have been out in the wild. As one hole is plugged up, hackers are working on the next exploit, Microsoft in turn working on the next patch, and the circle continues. What is the difference between antivirus signatures continually coming out and patches coming out? Each patch and signature file continues to plug holes as others are invented or exploited. They (Antivirus, Intrusion Detection, patches) are all important, not one more important than the other.

Gregory J Toland
Sr. Systems Architect
XWare Systems Inc.
1643 South Tenth Street
Arlington, VA 22204
(703) 979-8378 (Office)
(703) 655-5766 (Mobile)
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Patrick R. Sweeney
Sent: Sunday, March 10, 2002 10:14 PM
To: NT 2000 Discussions
Subject: RE: Infected W2K Server

Exactly. Antivirus and Intrusion Detection are reactive defenses. A variant has to be in the wild and identified, then the signature file updated before you are protected, but if you patch, then the vulnerability is gone for all variant exploits. I just wish Microsoft's release process were better so I felt more comfortable advising people to implement ALL MS security patches. (For relevant services anyway. On developer desktops I install ALL patches because they install services outside of my Change Management processes.)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Martin Blackstone
Sent: Sunday, March 10, 2002 1:44 PM
To: NT 2000 Discussions
Subject: RE: Infected W2K Server

Patch baby, PATCH!!! That's the only safe way to go. Do not depend on anything else to save you. HFNetChk to verify.

-----Original Message-----
From: Gregory Toland [mailto:[EMAIL PROTECTED]]
Sent: Sunday, March 10, 2002 10:33 AM
To: NT 2000 Discussions
Subject: RE: Infected W2K Server

Thanks for the suggestion. I spent all day yesterday reformatting my machine. Of course, I still don't know how it got through. I had ZoneAlarm and Norton AntiVirus running.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alexander Kha Do
Sent: Thursday, February 28, 2002 12:11 PM
To: NT 2000 Discussions
Subject: RE: Infected W2K Server

Reformat the machine. I'M NOT KIDDING. The recommended way to recover from a Nimda compromise is to reformat and reinstall. Once Nimda has infected IIS, it will most likely have infected your mmc.exe, riched20.dll, and a whole lot of other stuff. Guest is most likely now an administrator of your box. Look at your shared drives - you'll notice they are open with full write to all network users.

You were most likely infected because you did not Code Red patch your IIS. Nimda initiated a malformed tftp request and sent the admin.dll file into some dir on your webserver. Then your webserver infected your whole computer.

Disconnect it from the network immediately. It is scanning the local network for open shares and spitting out those eml files like crazy. Sorry, but you're pretty much screwed. If the data is important, pull the hard drive out and put it in another computer that has the latest and greatest in virus protection.

http://www.cert.org/advisories/CA-2001-26.html

-----Original Message-----
From: Gregory J Toland [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 27, 2002 6:34 PM
To: NT 2000 Discussions
Cc: Gregory John Toland
Subject: Infected W2K Server

I went on travel this past weekend only to return and find my computer was infected with three types of Nimda viruses. Specifically, they are

1. W32.Nimda.A@mm (dll) virus.
2. W32.Nimda.E@mm (dr) virus.
3. W32.Nimda.A@mm (dr) virus.

42 files were infected. 18 files were in C:\Inetpub\scripts\ and were all named like...

C:\Inetpub\scripts\TFTP860
C:\Inetpub\scripts\TFTP952

I have no idea where these files came from. 18 other files came from C:\WINNT\Temp\ and were all named like...

C:\WINNT\Temp\mep914.tmp.exe
C:\WINNT\Temp\mep916.tmp.exe

Again, I have no idea where these came from. Finally, four files that I would have thought would have been installed in a different directory were...

C:\Admin.dll
C:\httpodbc.dll
D:\Admin.dll
D:\httpodbc.dll

Norton AntiVirus could not repair them. They have all been quarantined. What happened? I was going to uninstall IIS5 from the C: drive anyway and install it on the D: drive. Will this fix any potential problems my computer may have down the road? Is this false reporting on Norton's part? Please enlighten me! :)

Gregory J Toland
Sr. Systems Architect
XWare Systems Inc.
1643 South Tenth Street
Arlington, VA 22204
(703) 979-8378 (Office)
(703) 655-5766 (Mobile)
[EMAIL PROTECTED]

------
You are subscribed as [EMAIL PROTECTED]
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe send a blank email to [EMAIL PROTECTED]
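The thread lists a concrete set of host-level indicators for the Nimda/IIS case: Admin.dll and httpodbc.dll dropped at a drive root, TFTPnnn payload files under Inetpub\scripts, mep*.tmp.exe droppers in WINNT\Temp, .eml copies scattered across shares, the Guest account promoted into Administrators, and shares opened with full write to everyone. The following triage helper is an added example, not code from any poster or from the list; it runs the checks Alexander Kha Do describes over a constructed host inventory (the file list, group membership and share ACL data are made up for illustration, and `HostInventory`, `triage` and `verdict` are hypothetical names). It classifies a host as clean, suspicious, or matching the IIS-compromise pattern the thread describes, so an admin can decide whether the "reformat and reinstall" advice applies before trusting AV's quarantine report.

```python
"""Triage a Windows host inventory for the Nimda indicators named in the thread.

Added example: all names and sample data below are constructed for illustration
and are not part of the original mailing-list posts.
"""
import re
from dataclasses import dataclass

# Indicators as described in the thread (CERT CA-2001-26 covers the worm).
ROOT_DROPPED_DLLS = {"admin.dll", "httpodbc.dll"}          # dropped at X:\
ROOT_FILE_RE = re.compile(r"^[a-z]:\\[^\\]+$", re.I)         # file directly under a drive root
TFTP_DROP_RE = re.compile(r"^[a-z]:\\inetpub\\scripts\\tftp\d+$", re.I)
TEMP_DROP_RE = re.compile(r"^[a-z]:\\winnt\\temp\\mep\d+\.tmp\.exe$", re.I)
EML_RE = re.compile(r"\.eml$", re.I)                         # worm copies written to shares


@dataclass
class HostInventory:
    """Constructed snapshot of a host: file paths, local Administrators, share ACLs."""
    files: list            # full paths, as a directory walk would list them
    administrators: set    # members of the local Administrators group
    shares: dict           # share name -> {"path": str, "everyone_write": bool}


def triage(inv: HostInventory) -> list:
    """Return (indicator, detail) pairs for every indicator found in the inventory."""
    findings = []
    for path in inv.files:
        p = path.lower()
        name = p.rsplit("\\", 1)[-1]
        if ROOT_FILE_RE.match(p) and name in ROOT_DROPPED_DLLS:
            findings.append(("dropped_dll", path))
        elif TFTP_DROP_RE.match(p):
            findings.append(("tftp_payload", path))
        elif TEMP_DROP_RE.match(p):
            findings.append(("temp_dropper", path))
        elif EML_RE.search(p):
            findings.append(("eml_copy", path))
    # Guest in Administrators is the privilege change the thread warns about.
    if "guest" in {m.lower() for m in inv.administrators}:
        findings.append(("guest_is_admin", "Guest"))
    # Shares with full write for everyone are both a symptom and a spread vector.
    for share_name, share in inv.shares.items():
        if share.get("everyone_write"):
            findings.append(("open_share", share_name))
    return findings


def verdict(findings: list) -> str:
    """Collapse findings into a decision an admin can act on."""
    kinds = {kind for kind, _ in findings}
    # Root-level Admin.dll/httpodbc.dll together with TFTP payloads in \scripts
    # is the IIS-infection pattern described in the thread; rebuild, don't clean.
    if {"dropped_dll", "tftp_payload"} <= kinds:
        return "likely_nimda_iis_compromise"
    if findings:
        return "suspicious"
    return "clean"


# Constructed inventory mirroring the paths reported in the original post.
SAMPLE_INFECTED = HostInventory(
    files=[
        r"C:\Inetpub\scripts\TFTP860", r"C:\Inetpub\scripts\TFTP952",
        r"C:\WINNT\Temp\mep914.tmp.exe", r"C:\WINNT\Temp\mep916.tmp.exe",
        r"C:\Admin.dll", r"C:\httpodbc.dll", r"D:\Admin.dll", r"D:\httpodbc.dll",
        r"D:\shared\readme.eml",            # worm copy on an open share
        r"C:\WINNT\system32\mmc.exe",       # legitimate binary, not flagged by path alone
    ],
    administrators={"Administrator", "Guest"},
    shares={
        "C$": {"path": "C:\\", "everyone_write": False},
        "shared": {"path": "D:\\shared", "everyone_write": True},
    },
)

# Constructed inventory for a host showing none of the indicators.
SAMPLE_CLEAN = HostInventory(
    files=[r"C:\WINNT\system32\mmc.exe", r"C:\Inetpub\wwwroot\default.htm"],
    administrators={"Administrator"},
    shares={"C$": {"path": "C:\\", "everyone_write": False}},
)

if __name__ == "__main__":
    for label, inv in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        found = triage(inv)
        print(label, verdict(found))
        for kind, detail in found:
            print("  ", kind, detail)
```

The path checks are deliberately narrow (exact drive-root location for the DLLs, the TFTPnnn and mepnnn.tmp.exe naming in their reported directories) so that a stray file with a similar name elsewhere produces at most a "suspicious" verdict; the strong verdict requires the co-occurrence that the thread ties to an IIS infection. The group and share checks do not depend on file names at all, which matters because the poster reports that AV quarantined the files but could not tell him whether the account and share changes had already happened.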
