Re: Hacked web server

Rogelio,

on Nimda.E from Symantec:
This worm is similar in functionality to W32.Nimda.A@mm. Differences include the modification of file names used by the worm.

    The attachment received has been changed to: Sample.exe     The dropped .dll file is now: Httpodbc.dll     The worm now copies itself to the \%Windows% folder as Csrss.exe instead of Mmc.exe

Try looking for c:\winnt\csrss.exe for the virus.

Also, this isn't where the ncx99.exe came from. I'd do a thorough search for any usage of cmd.exe/root.exe in your web logs and start there, after taking it offline.

hth,
sunzi
----- Original Message -----
From: "Michael Katz" <mike@procinct.com> To: <incidents@securityfocus.com>
Cc: "Rogelio Vidaurri Courcelle" <rvidaurri@haciendachiapas.gob.mx> Sent: Sunday, January 12, 2003 9:20 PM
Subject: Re: Hacked web server

> At 1/10/2003 12:39 PM, Rogelio Vidaurri Courcelle wrote:
detailed
> in Microsoft Security Bulletin MS00-057
by
> most antivirus software as malware.

--

> This list is provided by the SecurityFocus ARIS analyzer service.




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: 
http://aris.securityfocus.com

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek