Re: Alert: Nimda cleansing information

From: Edward York (ed@724HOSTING.COM)
Date: 09/20/01


Message-ID:  <01ec01c14184$2a223d20$c409010a@EYORK1>
Date:         Wed, 19 Sep 2001 20:27:23 -0700
From: Edward York <ed@724HOSTING.COM>
Subject:      Re: Alert: Nimda cleansing information
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

I just wanted to pass on the word on some info I have discovered after my BDC was infected.

If your NT4.0 server is a BDC, then the guest account is not enabled and the open shares are not created. It appears from what everyone else is saying that only PDC's and stand alone servers are affected with the open share and guest account problem.

I assume the reason is that all access to a BDC is controlled by the PDC so if the PDC is not infected, then these shares cannot be created.

On another note, the AV vendors are indeed not perfect.
The VirusScan programs, at least by McAfee, appears to miss files once and a while. I have run McAfee several times now and the files found that are infected are fewer and fewer with each pass.
99% of the 10,000+ files infected on my server were caught the first pass. The 2nd pass resulted in only about 400 infected files and the 3rd pass resulted in only about 200 remaining.
I have confirmed through careful observation that at least on my server, the files are not being re-infected and that indeed the remaining files were missed. This was confirmed by running a search of files modified on 9/18/01 when my server was infected. Search results before the 3rd AV pass did show about 200 files that had the original infection date and time stamp.

My suggestion. Run the AV several times to be sure you catch all the infected files.

Still one last note. This server that was infected was protected with MS01-033 and the Post SP6a rollup. Nothing new has been installed on this server in months so I do not believe some other application has overwritten patched files. MS01-044 had not been installed, but I believe the PostSP6a rollup and MS01-033 should have prevented infection. This leads me to believe that it is possible that another security hole exists, but has not yet been discovered. Just speculation and I would like to hear if anyone else has been infected even with the patches installed.

Regards,
_/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/
Edward York - Vice Pres/CTO
724 Hosting - www.724hosting.com
Windows NT/2000 Web Hosting,
Advanced Linux Web Hosting,
Dedicated & Co-location Services
e-mail: ed@724hosting.com
_/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/



Relevant Pages

  • Re: Unable to create AD objects...
    ... Has the OLD "PDC" been removed from the domain by cleaning its metadata with NTDSUTIL? ... > with the company) decided to take our PDC offline and only left our BDC> up ... on that "BDC" check who owns the FSMO roles using: NETDOM QUERY FSMO ... the RID master is probably the issue ...
    (microsoft.public.windows.server.active_directory)
  • Re: Domain Server will not sychronize
    ... Hey the PDC and BDC concept Microsoft got rid of with Windows 2000. ... | account for an NT 4 BDC I tried to add a month ago. ...
    (microsoft.public.win2000.active_directory)
  • DNS Issue
    ... Both running Win2k Server with Sp4 ... However NTFRS is failing to sycn PDC and BDC. ... The specified service does not exist as an installed service. ...
    (microsoft.public.win2000.active_directory)
  • Re: BDC DCDIAG Problem
    ... PDC and BDC are obsolete terms, ... I am looking through my DNS entries and I am only able to find SRV records ... server Security Configuration Wizard on this server perhaps? ...
    (microsoft.public.windows.server.sbs)
  • Re: Second Trust
    ... Will the Trust be there when I change my current PDC and make my new ... server a PDC? ... you'll have AD with the NT4 server as a BDC" Why would it be a BDC and ...
    (microsoft.public.win2000.active_directory)