That would make sense. I got a D: drive that maps to /home/dom, which is why that is the only directory infected.

----- Original Message -----
From: Matt Jezorek <matt@bluelinux.org>
To: <security-discuss@linuxsecurity.com>
Sent: Saturday, November 10, 2001 8:49 PM
Subject: Re: Question about .eml files I am finding

> These eml files are surely part of the Nimda deal due to the readme.exe
> trying to pass as a wav file. The question is what causes the ability to
> write to my server, for that matter all over my server; I got 461 .eml files
> on my machine. Now this is just a server with no squid, which is how they
> recommend fixing this. Any other way? What would cause the ability to write
> to a webserver? Or how can I find more information on this deal? This is
> disturbing. The one thing I don't want is my server going around and
> spreading this to anyone. What do I need to do till I find the cause or a
> patch? Set a cron to run every minute and recurse through the directories and
> delete them every minute?
>
> Matt
>
> ----- Original Message -----
> From: Patrick Duane Dunston <duane@sukkha.homeip.net>
> To: <security-discuss@linuxsecurity.com>
> Sent: Saturday, November 10, 2001 9:13 PM
> Subject: Re: Question about .eml files I am finding
>
> > > I am finding files on my filesystem mostly where Apache has access and I
> > > have no clue why they are showing up on my server nor can I find any
> > > information in my logs.
> > >
> > > Here is the Directory Listing
> >
> > Here are a couple of emails I found. Does this apply to your setup?
> >
> > I found this info on the web:
> >
> > http://lugwash.washtenaw.cc.mi.us/linux-users/2001-09/msg00123.html
> > http://www.mandrakeforum.com/article.php?sid=1205&lang=en
> >
> > If not then start preparing to audit your machine for a potential
> > intrusion attempt.
> >
> > http://www.cert.org/tech_tips/intruder_detection_checklist.html
> > http://www.cert.org/tech_tips/root_compromise.html
> >
> > --
> > duane
> >
> > --
> >
> > GnuPG Public Key: http://sukkha.homeip.net/pgp.html
> >
> > --
> >
> > Fun reading: 8-)
> > http://linuxtoday.com/search.php3?author=Duane:Dunston
> >
> > ------------------------------------------------------------------------
> > To unsubscribe email security-discuss-request@linuxsecurity.com
> > with "unsubscribe" in the subject of the message.
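
An added example, not part of the thread: a read-only inventory to run before deleting anything, counting .eml/.nws files by owning uid and top-level directory under a root such as /home. The owning uid shows which account wrote the files (the user behind a mapped drive versus the web server account); the sample tree and its file names are constructed.

```python
import os
import sys
import tempfile
from collections import Counter

# .eml is the extension reported in the thread; .nws is the other extension
# Nimda uses for the copies it drops on writable shares.
SUSPECT_EXTS = (".eml", ".nws")


def inventory(root):
    """Count suspect files under root, keyed by (owner uid, top-level dir)."""
    root = os.path.abspath(root)
    counts = Counter()
    for dirpath, _dirs, files in os.walk(root):  # does not follow dir symlinks
        for name in files:
            if not name.lower().endswith(SUSPECT_EXTS):
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: report the link, not its target
            except OSError:
                continue  # removed or unreadable while scanning
            parts = os.path.relpath(path, root).split(os.sep)
            top = parts[0] if len(parts) > 1 else "."
            counts[(st.st_uid, top)] += 1
    return counts


def build_sample_tree():
    """Constructed sample: a 'dom' home with dropped files, a clean 'www'."""
    root = tempfile.mkdtemp(prefix="eml-sample-")
    layout = ["dom/readme.eml", "dom/docs/desktop.EML", "dom/docs/a.nws",
              "dom/notes.txt", "www/index.html"]
    for rel in layout:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for (uid, top), n in sorted(inventory(target).items()):
        print(f"uid={uid:<6} dir={top:<12} files={n}")
```

Run it with a directory argument to scan a real tree; with no argument it scans the constructed sample.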