Well, I have ruled out my computer for Nimda; it seems that it is still putting .eml files on my server without Samba shares mapped. Don't know what else to do on it.

----- Original Message -----
From: David Correa <tech@linux-tech.com>
To: <security-discuss@linuxsecurity.com>
Sent: Saturday, November 10, 2001 10:56 PM
Subject: Re: Question about .eml files I am finding

> On Sat, 10 Nov 2001, Matt Jezorek wrote:
>
> > Just ran a virus scan capable of finding the Nimda Virus on my pc and it
> > claims no viruses are found. Now there should be NO one else trying to share
> > that directory lots of fails (roadrunner everyone tries to screw everyone it
> > seems) So I don't know how else to see if this pc is infected. Maybe detach
> > the server from the network and see if those eml files propagate again.
> >
> > Matt
> > ----- Original Message -----
>
> The 2 most common signatures I am seeing (coming from the
> Internet) now in my NIDS are
>
> WEB-IIS cmd.exe access and WEB-IIS CodeRed v2 root.exe access
>
> Then at a lower percentage WEB-FRONTPAGE /_vti_bin/ access
>
> I would also like to know where the "*.eml" comes from.
>
> My guess is that since I don't have any "*.eml" on my servers, and all
> kinds of stuff show up to my interfaces from the wild, but there is no
> SMB there is that it must get to the Linux box via SMB. It looks like
> something executed on a Windows box previous to getting inside the Linux
> box via SMB share.
>
> I know that in the PHPNuke case remote users can copy and delete arbitrary
> files on the server system, subject to web server user id restrictions.
>
>
> David Correa RHCE CCNA
> tech@linux-tech.com
> http://www.linux-tech.com
>
>
> ------------------------------------------------------------------------
> To unsubscribe email security-discuss-request@linuxsecurity.com
> with "unsubscribe" in the subject of the message.