When you mount that partition on Linux, use the "noexec" option for added security. It's a nice trick for user directories when you really need to lock something down, too. In theory (although unlikely), that machine could have a few Linux exploits sitting around, too.<br>
<br><div class="gmail_quote">On Tue, May 5, 2009 at 7:34 PM, Karl Schuttler <span dir="ltr"><<a href="mailto:rexykik@gmail.com">rexykik@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Sounds like a typical exploit to me; malware propagation across drives<br>
is pretty common now. If I recall, MS screwed up when they disabled<br>
autorun and specified the wrong registry key. You might consider doing<br>
it manually through the registry on a clean box, which might fix your<br>
issue.<br>
<br>
ClamAV on Linux was the first thing that came to my mind. If it<br>
infects your live Linux system, I'd like to know; I haven't heard of<br>
anything that does that.<br>
<div><div></div><div class="h5"><br>
On Tue, May 5, 2009 at 4:14 PM, Stanley C. Mortel <<a href="mailto:mortel@cyber-nos.com">mortel@cyber-nos.com</a>> wrote:<br>
> I have a client with a compromised server. Not unusual for MS, but this<br>
> one I find interesting. Here are some details:<br>
><br>
> 40 GB hard drive, single partition. Windows 2000 server, fully<br>
> patched. History of out of date AV software. Has Norton on it. System<br>
> getting slower and slower, locking up, blue screen......yada, yada,<br>
> yada. Entire network crawling. History of getting blacklisted for spam.<br>
><br>
> Would not let me copy the partition using Acronis. Said Not enough<br>
> space on drive even though I was copying from a 40 GB partition to a 120<br>
> GB drive. When Acronis starts, it shows the infected drive at about 30+<br>
> GB, then after analyzing the drives before the copy it shows it<br>
> completely full.<br>
><br>
> Could not copy files from within Win2K to a newly formatted drive.<br>
> Tells me access denied. I tried it on two different drives to be sure<br>
> the one receiving data wasn't bad.<br>
><br>
> The really interesting thing is that when I put it in an XP box to copy<br>
> to another drive it infected XP during the boot/logon process. At the<br>
> first logon, the windows alert popped up telling me that the anti-virus<br>
> was not working. It was turned off and real-time scanning could not be<br>
> turned on. I tried this twice, with "pristine" installs of XP Pro with<br>
> Computer Associates Internet Security Suite installed and everything<br>
> completely up to date. I find this of note because I didn't think that<br>
> could happen. Least I've never seen it. I never accessed the infected<br>
> drive at all. The only way it was accessed is by the Windows O.S.<br>
> during the boot/logon process. As far as I know, the autorun feature is<br>
> now turned off by default in XP, though that shouldn't come into play<br>
> anyway, given that I never accessed the drive.<br>
><br>
> Ran the CA anti-virus, which worked even though the real-time was<br>
> disabled. Found several email/spam related worms: Win32/Sobig.B,<br>
> Sobig.E!Zip, Klez.H. Also found Win32/Magistr.29188 that I think is<br>
> more problematic. I'm guessing that the real culprit went undetected.<br>
><br>
> Any ideas? Mainly I want to know if this is something that warrants<br>
> further forensics before I wipe the drive, i.e., is this something new?<br>
> I can probably dd the partition, the boot sector, and the partition<br>
> table. If it stops Linux from doing that, then I'll really be<br>
> surprised. I plan to put the drive in a Linux box tomorrow and run<br>
> ClamAV on it. But, before I do that, I thought I'd see if anyone else<br>
> finds this case unique or interesting enough to save the evidence. If<br>
> anyone has some idea how a "data" drive can infect the OS drive without<br>
> anything running, I'd like to hear that too.<br>
><br>
> As always, thanks for your input.<br>
><br>
> Stan<br>
> _______________________________________________<br>
> linux-user mailing list<br>
> <a href="mailto:linux-user@egr.msu.edu">linux-user@egr.msu.edu</a><br>
> <a href="http://mailman.egr.msu.edu/mailman/listinfo/linux-user" target="_blank">http://mailman.egr.msu.edu/mailman/listinfo/linux-user</a><br>
><br>
<br>
</div></div></blockquote></div><br>
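As an added example (not code from anyone in the thread): a POSIX shell helper that mounts a suspect partition, or the dd image Stan planned to take of it, with the noexec option recommended in the reply at the top, together with ro, nosuid and nodev, and then verifies from /proc/mounts that the options actually took effect. The function names, the FORENSIC_MOUNT_RUN switch and the sample /proc/mounts lines are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumes mount(8) with
# loop support and root privileges for the real mount; the check functions
# run unprivileged on any /proc/mounts-style text fed to stdin.

# Option set a suspect filesystem should be mounted with: "ro" keeps the
# evidence unchanged, "noexec" stops binaries on it from being run,
# "nosuid"/"nodev" close the other two classic holes a hostile image offers.
forensic_mount_opts() {
    printf '%s' 'ro,noexec,nosuid,nodev,noatime'
}

# Print the option list /proc/mounts records for a mountpoint ($1).
# stdin = /proc/mounts content; field 4 is the comma-separated option list.
# Note: mountpoints containing spaces appear there escaped as \040.
mount_opts_for() {
    awk -v mp="$1" '$2 == mp { print $4; exit }'
}

# Return 0 when the mountpoint ($1) is mounted with every required option,
# 1 when it is missing an option or is not mounted at all.
# Usage: check_mount_hardened /mnt/suspect < /proc/mounts
check_mount_hardened() {
    opts=$(mount_opts_for "$1")
    [ -n "$opts" ] || return 1
    for want in ro noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Mount a device or image file ($1) at a mountpoint ($2) and confirm the
# hardening. A regular file is attached through a loop device.
forensic_mount() {
    dev=$1; mp=$2
    mkdir -p "$mp"
    if [ -f "$dev" ]; then
        mount -o "loop,$(forensic_mount_opts)" "$dev" "$mp"
    else
        mount -o "$(forensic_mount_opts)" "$dev" "$mp"
    fi
    check_mount_hardened "$mp" < /proc/mounts
}

# Only perform the privileged mount when explicitly asked to:
#   FORENSIC_MOUNT_RUN=1 sh mount-suspect.sh /path/to/sdb1.img /mnt/suspect
if [ "${FORENSIC_MOUNT_RUN:-0}" = 1 ]; then
    forensic_mount "$1" "$2" && echo "mounted $1 at $2 ($(forensic_mount_opts))"
fi
```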