On Sat, 10 Nov 2001, Matt Jezorek wrote:

> Just ran a virus scan capable of finding the Nimda Virus on my pc and it
> claims no viruses are found. Now there should be NO one else trying to share
> that directory lots of fails (roadrunner everyone tries to screw everyone it
> seems) So I don't know how else to see if this pc is infected. Maybe detach
> the server from the network and see if those eml files propagate again.
>
> Matt
> ----- Original Message -----

The 2 most common signatures I am seeing (coming from the Internet) now in my NIDS are

WEB-IIS cmd.exe access
and
WEB-IIS CodeRed v2 root.exe access

Then at a lower percentage

WEB-FRONTPAGE /_vti_bin/ access

I would also like to know where the "*.eml" comes from.

My guess is that since I don't have any "*.eml" on my servers, and all kinds of stuff show up to my interfaces from the wild, but there is no SMB there is that it must get to the Linux box via SMB.

It looks like something executed on a Windows box previous to getting inside the Linux box via SMB share.

I know that in the PHPNuke case remote users can copy and delete arbitrary files on the server system, subject to web server user id restrictions.

David Correa RHCE CCNA
tech@linux-tech.com
http://www.linux-tech.com

------------------------------------------------------------------------
To unsubscribe email security-discuss-request@linuxsecurity.com
with "unsubscribe" in the subject of the message.
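
The three alerts named in the reply above can also be tallied from a web server's own access log. The following is an added example, not part of the original message: the substring patterns, the Common Log Format assumption and the sample lines are constructed for illustration and are not the NIDS rules themselves.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Alert names are the three quoted in the message; the substring patterns are
# simplified assumptions for this example, not the NIDS rules themselves.
SIGNATURES = [
    ("WEB-IIS CodeRed v2 root.exe access", re.compile(r"/root\.exe", re.I)),
    ("WEB-IIS cmd.exe access", re.compile(r"cmd\.exe", re.I)),
    ("WEB-FRONTPAGE /_vti_bin/ access", re.compile(r"/_vti_bin/", re.I)),
]
# Common Log Format: host ident user [time] "METHOD uri PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+)[^"]*" (\d{3}) \S+')

def decode(uri):
    """Percent-decode up to three times so double-encoded names still match."""
    for _ in range(3):
        uri = unquote(uri)
    return uri

def classify(line):
    """Return (source, alert_name, http_status), or None when nothing matches."""
    m = CLF.match(line)
    if not m:
        return None
    host, uri, status = m.groups()
    path = decode(uri)
    for name, pattern in SIGNATURES:
        if pattern.search(path):
            return host, name, int(status)
    return None

def summarize(lines):
    """Count hits per alert and list sources whose request was answered with 200."""
    counts, served = Counter(), defaultdict(set)
    for host, name, status in filter(None, map(classify, lines)):
        counts[name] += 1
        if status == 200:
            served[name].add(host)
    return counts, dict(served)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Nov/2001:09:14:02 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276',
    '192.0.2.10 - - [10/Nov/2001:09:14:03 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290',
    '198.51.100.7 - - [10/Nov/2001:09:20:41 -0500] "GET /_vti_bin/shtml.exe HTTP/1.0" 404 281',
    '198.51.100.7 - - [10/Nov/2001:09:20:42 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 512',
    '203.0.113.5 - - [10/Nov/2001:09:25:10 -0500] "GET /index.html HTTP/1.0" 200 1042',
]
```

`summarize(SAMPLE_LOG)` returns the per-alert counts plus the sources whose matching request got a 200; on a host that has none of these paths every hit should be a 404, so an entry in the second result is the one to investigate first.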