Well, I don't know how this happened, but somehow my whole server got infected with the Nimda virus. I have AVG running on both the clients and server, and I only ever download things with my workstation and then dump them to the server, but somehow something got through. I had virus warnings everywhere. Every single folder on my PC has .eml files in it now, and many files are also infected. I got rid of AVG and installed Norton Professional, and did a complete scan of my PC. It found hundreds of .eml files and lots of infected normal files. It cleaned the ones it could and got rid of the rest. Then I scanned my server: it found thousands. It ran for several hours and then said it was done. Today, I got into my server from work, and found more .eml files everywhere. How do I get rid of this damn thing? I'm not even sure what it does, but it's making my life hell right now. It doesn't look like it's harming my actual files, so would it be better to transfer them off, clean them on a clean system, format all my server drives, and transfer back?
Help! Nimda got my server! Having problems cleaning
- Thread starter vetteguy
- Start date
Did you look it up on the Symantec site?
They explain what to do and give you a link to get the cleaning tool to get rid of the problem.
Speed
They explain what to do and give you a link to get the cleaning tool to get rid of the problem.
Speed
You mentioned the machine that became infected was a server. Was it running IIS, and was IIS properly patched?
And if you start noticing tftp files dropping in your root, edit your service file and set TFTP port to zero.
1. This is a server at home, so no, it probably wasn't up to date.
2. If by my job you mean being the admin of a personal server at your home, be my guest
I'm taking care of the problem...thanks all.
there's at least 50 machines just like that on my isp's subnet, annoyingly filling up my apache logs.
wc -l < access.log
274892
egrep "(root\.exe|cmd\.exe)" access.log | wc -l
35996
sweet, what's the pay?
good good. i only was a pest about it because i get frustrated when seeing brainless admins. i did not know if this was at your job or what, no hard feelings
you know the free version of AVG antivirus doesn't scan incoming and outgoing network connections, you know that right?
had the same problem about a year ago, you may need to run that nimda fix many times over the course of the next week, that little bastard nimda really likes to stick around. Took like 5 rounds to finally get it all.
Here's the status:
Disconnected all network shares on the server. Stopped all web services. Ran the symmantec nimda cleaning tool. It took about 3 hours ( over 200GB), and found (and fixed) tons of files. Ran it again and it found nothing. Did the same thing on my workstation. Repeated, found nothing. Re-shared one folder on the server, and connected to it from my PC. Immediately, I started seeing .eml files show up and Norton auto-protect started going crazy: somehow, it was back on my server again. So I ran the cleaning tool again, it found and fixed files. Then I looked around and sure enough there were .eml files again. So, from the command line, I deleted every single .eml file on the server. Ran the command again, and none were found. About 2 minutes later, they were back again. This thing is completely disconnected from the internet, other machines, etc. I have done virus scans, ran the cleaning tool, deleted the infectious files, and nothing works. Call me stupid, unworthy of a job, whatever-I don't care. I just need to get rid of this. What am I doing wrong?
Disconnected all network shares on the server. Stopped all web services. Ran the symmantec nimda cleaning tool. It took about 3 hours ( over 200GB), and found (and fixed) tons of files. Ran it again and it found nothing. Did the same thing on my workstation. Repeated, found nothing. Re-shared one folder on the server, and connected to it from my PC. Immediately, I started seeing .eml files show up and Norton auto-protect started going crazy: somehow, it was back on my server again. So I ran the cleaning tool again, it found and fixed files. Then I looked around and sure enough there were .eml files again. So, from the command line, I deleted every single .eml file on the server. Ran the command again, and none were found. About 2 minutes later, they were back again. This thing is completely disconnected from the internet, other machines, etc. I have done virus scans, ran the cleaning tool, deleted the infectious files, and nothing works. Call me stupid, unworthy of a job, whatever-I don't care. I just need to get rid of this. What am I doing wrong?
The only way I've cleaned it before is like this.... To start, you gotta unplug your network connection. You'll need all the MS patches and stuff on CD.
First you must patch your system so it cant be reinfected, then close all network connections, stop IIS, and delete mmc.exe and
riched20.dll, clean the system, and restore riched20.dll and MMC.exe from the cd. Then apply all patches again.
hopefully this'll work for you.
First you must patch your system so it cant be reinfected, then close all network connections, stop IIS, and delete mmc.exe and
riched20.dll, clean the system, and restore riched20.dll and MMC.exe from the cd. Then apply all patches again.
hopefully this'll work for you.
Thanks...I will try that. I can't believe this happened...have had a broadband connection for 3 years, download tons of stuff everyday, never once had a virus.
Also I've seen immediate reinfection if your admin account doesn't have a password, users connect to your shares before you finish booting and run the clean tool.
Bill
Bill
TRENDING THREADS
-
Discussion Zen 5 Speculation (EPYC Turin and Strix Point/Granite Ridge - Ryzen 9000)- Started by DisEnchantment
- Replies: 24K
-
Discussion Intel Meteor, Arrow, Lunar & Panther Lakes Discussion Threads
- Started by Tigerick
- Replies: 19K
-
-
-
Facebook
Twitter