[GLLUG] Server Infection Question
Richard Houser
rick at divinesymphony.net
Tue May 5 20:56:15 EDT 2009
When you mount that partition on Linux, use the "noexec" option for added
security. It's a nice trick for user directories when you really need to
lock something down, too. In theory (although unlikely), that machine could
have a few Linux exploits sitting around, too.
On Tue, May 5, 2009 at 7:34 PM, Karl Schuttler <rexykik at gmail.com> wrote:
> Sounds like a typical exploit to me; malware propagation across drives
> is pretty common now. If I recall, MS screwed up when they disabled
> autorun and specified the wrong registry key. You might consider doing
> it manually through the registry on a clean box, which might fix your
> issue.
>
> ClamAV on linux was the first thing that came to my mind. If it
> infects your live linux system, I'd like to know; I haven't heard of
> anything that does that.
>
> On Tue, May 5, 2009 at 4:14 PM, Stanley C. Mortel <mortel at cyber-nos.com>
> wrote:
> > I have a client with a compromised server. Not unusual for MS, but this
> > one I find interesting. Here are some details:
> >
> > 40 GB hard drive, single partition. Windows 2000 server, fully
> > patched. History of out of date AV software. Has Norton on it. System
> > getting slower and slower, locking up, blue screen......yada, yada,
> > yada. Entire network crawling. History of getting blacklisted for spam.
> >
> > Would not let me copy the partition using Acronis. Said Not enough
> > space on drive even though I was copying from a 40 GB partition to a 120
> > GB drive. When Acronis starts, it shows the infected drive at about 30+
> > GB, then after analyzing the drives before the copy it shows it
> > completely full.
> >
> > Could not copy files from within Win2K to a newly formatted drive.
> > Tells me access denied. I tried it on two different drives to be sure
> > the one receiving data wasn't bad.
> >
> > The really interesting thing is that when I put it in an XP box to copy
> > to another drive it infected XP during the boot/logon process. At the
> > first logon, the windows alert popped up telling me that the anti-virus
> > was not working. It was turned off and real-time scanning could not be
> > turned on. I tried this twice, with "pristine" installs of XP Pro with
> > Computer Associates Internet Security Suite installed and everything
> > completely up to date. I find this of note because I didn't think that
> > could happen. At least I've never seen it. I never accessed the infected
> > drive at all. The only way it was accessed is by the Windows O.S.
> > during the boot/logon process. As far as I know, the autorun feature is
> > now turned off by default in XP, though that shouldn't come into play
> > anyway, given that I never accessed the drive.
> >
> > Ran the CA anti-virus, which worked even though the real-time was
> > disabled. Found several email/spam related worms: Win32/Sobig.B,
> > Sobig.E!Zip, Klez.H. Also found Win32/Magistr.29188 that I think is
> > more problematic. I'm guessing that the real culprit went undetected.
> >
> > Any ideas? Mainly I want to know if this is something that warrants
> > further forensics before I wipe the drive, i.e., is this something new?
> > I can probably dd the partition, the boot sector, and the partition
> > table. If it stops Linux from doing that, then I'll really be
> > surprised. I plan to put the drive in a Linux box tomorrow and run
> > ClamAV on it. But, before I do that, I thought I'd see if anyone else
> > finds this case unique or interesting enough to save the evidence. If
> > anyone has some idea how a "data" drive can infect the OS drive without
> > anything running, I'd like to hear that too.
> >
> > As always, thanks for your input.
> >
> > Stan
> > _______________________________________________
> > linux-user mailing list
> > linux-user at egr.msu.edu
> > http://mailman.egr.msu.edu/mailman/listinfo/linux-user
> >
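As an added example (not code from anyone in this thread), a POSIX shell sketch of the handling Richard and Stan describe: image the boot sector and partition table plus the partition with dd, hash the images, then mount the image read-only with noexec,nosuid,nodev before running ClamAV over it. The device and path names (/dev/sdb, its first partition, /mnt/suspect) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the suspect disk shows up as
# /dev/sdb with the Windows volume as /dev/sdb1; adjust for your box.

# Mount options that stop anything on the suspect filesystem from running:
# ro keeps the evidence unmodified, noexec blocks execution, nosuid/nodev
# ignore any setuid binaries or device nodes that may be sitting on it.
suspect_mount_opts() {
    printf '%s' "ro,noexec,nosuid,nodev"
}

# Check an options string (e.g. the 4th field of /proc/mounts for the
# suspect mount) and fail unless every restrictive flag is present.
has_safe_opts() {
    opts="$1"
    for flag in ro noexec nosuid nodev; do
        case ",$opts," in
            *",$flag,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Image what Stan lists: the first 512 bytes hold the boot code and the
# partition table; the partition itself is copied separately. conv=noerror,sync
# keeps going past bad sectors and pads them so offsets stay aligned.
image_suspect_disk() {
    disk="$1"; outdir="$2"
    mkdir -p "$outdir"
    dd if="$disk" of="$outdir/mbr.bin" bs=512 count=1 conv=noerror,sync
    dd if="${disk}1" of="$outdir/part1.img" bs=4M conv=noerror,sync
    # Record hashes so later scans can be checked against the original image.
    sha256sum "$outdir/mbr.bin" "$outdir/part1.img" > "$outdir/SHA256SUMS"
}

# Loop-mount the partition image with the restrictive options and scan it.
scan_image() {
    img="$1"; mnt="$2"
    mkdir -p "$mnt"
    mount -o "$(suspect_mount_opts),loop" "$img" "$mnt"
    clamscan -r --infected "$mnt"
    umount "$mnt"
}

# Usage (as root):
#   image_suspect_disk /dev/sdb /evidence/stan-server
#   scan_image /evidence/stan-server/part1.img /mnt/suspect
```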