[GLLUG] Server Infection Question

Karl Schuttler rexykik at gmail.com
Tue May 5 19:34:48 EDT 2009


Sounds like a typical exploit to me; malware propagation across drives
is pretty common now. If I recall, MS screwed up when they disabled
autorun and specified the wrong registry key. You might consider doing
it manually through the registry on a clean box, which might fix your
issue.

ClamAV on Linux was the first thing that came to my mind. If it
infects your live Linux system, I'd like to know; I haven't heard of
anything that does that.

On Tue, May 5, 2009 at 4:14 PM, Stanley C. Mortel <mortel at cyber-nos.com> wrote:
> I have a client with a compromised server.  Not unusual for MS, but this
> one I find interesting.  Here are some details:
>
> 40 GB hard drive, single partition.  Windows 2000 server, fully
> patched.  History of out of date AV software.  Has Norton on it.  System
> getting slower and slower, locking up, blue screen......yada, yada,
> yada.  Entire network crawling.  History of getting blacklisted for spam.
>
> Would not let me copy the partition using Acronis.  Said "Not enough
> space on drive" even though I was copying from a 40 GB partition to a 120
> GB drive.  When Acronis starts, it shows the infected drive at about 30+
> GB, then after analyzing the drives before the copy it shows it
> completely full.
>
> Could not copy files from within Win2K to a newly formatted drive.
> Tells me access denied.  I tried it on two different drives to be sure
> the one receiving data wasn't bad.
>
> The really interesting thing is that when I put it in an XP box to copy
> to another drive it infected XP during the boot/logon process.  At the
> first logon, the windows alert popped up telling me that the anti-virus
> was not working.  It was turned off and real-time scanning could not be
> turned on.  I tried this twice, with "pristine" installs of XP Pro with
> Computer Associates Internet Security Suite installed and everything
> completely up to date.  I find this of note because I didn't think that
> could happen.  At least I've never seen it.  I never accessed the infected
> drive at all.  The only way it was accessed is by the Windows O.S.
> during the boot/logon process.  As far as I know, the autorun feature is
> now turned off by default in XP, though that shouldn't come into play
> anyway, given that I never accessed the drive.
>
> Ran the CA anti-virus, which worked even though the real-time was
> disabled.  Found several email/spam related worms:  Win32/Sobig.B,
> Sobig.E!Zip, Klez.H.  Also found Win32/Magistr.29188 that I think is
> more problematic.  I'm guessing that the real culprit went undetected.
>
> Any ideas?  Mainly I want to know if this is something that warrants
> further forensics before I wipe the drive, i.e., is this something new?
> I can probably dd the partition, the boot sector, and the partition
> table.  If it stops Linux from doing that, then I'll really be
> surprised.  I plan to put the drive in a Linux box tomorrow and run
> ClamAV on it.  But, before I do that, I thought I'd see if anyone else
> finds this case unique or interesting enough to save the evidence.  If
> anyone has some idea how a "data" drive can infect the OS drive without
> anything running, I'd like to hear that too.
>
> As always, thanks for your input.
>
> Stan
> _______________________________________________
> linux-user mailing list
> linux-user at egr.msu.edu
> http://mailman.egr.msu.edu/mailman/listinfo/linux-user
>
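One way to do the evidence capture Stan and Karl describe before the drive is wiped (dd of the boot sector and partition table, then the partition, each hashed so the copies can be verified later, followed by a read-only ClamAV scan from Linux), as an added shell example that is not part of this thread; the device path, output directory and mount point are caller-supplied assumptions, and the scan step needs root.

```shell
#!/bin/sh
# Added example (not from the thread). The suspect drive is never mounted
# read-write and never attached to a Windows box, so nothing on it can run
# the way it did during the XP boot/logon described above.

# Print only the SHA-256 digest of a file.
digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# Copy the first 512 bytes of device $1 (MBR boot code plus partition table)
# to $2/mbr.bin and record its digest beside it.
image_mbr() {
    dd if="$1" of="$2/mbr.bin" bs=512 count=1 2>/dev/null
    digest "$2/mbr.bin" > "$2/mbr.bin.sha256"
}

# Copy the whole partition/device $1 to $2/disk.img in 1 MiB blocks.
# conv=noerror,sync keeps going past unreadable sectors (zero-filled)
# instead of aborting, and the digest is recorded for later verification.
image_partition() {
    dd if="$1" of="$2/disk.img" bs=1048576 conv=noerror,sync 2>/dev/null
    digest "$2/disk.img" > "$2/disk.img.sha256"
}

# Re-hash an image and compare it with the recorded digest; 0 if unchanged.
verify_image() {
    [ "$(digest "$1")" = "$(cat "$1.sha256")" ]
}

# Scan image $1 read-only at mount point $2, as Karl suggests: ro and noexec
# so nothing on the image executes, then clamscan. Needs root; not run in test.
scan_image() {
    mkdir -p "$2"
    mount -o ro,noexec,nodev,loop "$1" "$2" || return 1
    clamscan -r --infected "$2"
    umount "$2"
}
```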
