Samba & Nimda Please Help


natemclain

Technical User
Jun 19, 2001
68
US
Hey guys & gals,

I have a situation that is really kind bizarre.
I have 15 workstations (Windows 2000 Pro) that are on a TCP/IP network with a Red Hat file server running Samba. The problem is that the Samba file server keeps getting Nimda-like emails, and the files are coming from somewhere on the network, but I can't figure out where. All the workstations have been updated, patches installed, and the latest virus definitions installed. But I can't track down where this is coming from. Is there a way I can find out where the files on the file server are coming from? It slows the network down with all the files and scanning on the network and shuts us totally down. Does anyone have any ideas?

Nate
 
Hi,

Not sure I quite understand what you mean. Samba just provides file-server functionality and has nothing to do with email. If files on the server shares are being infected, that's a result of the clients' W2K PCs having the virus and the W2K user having write access to the (Samba) shares. In this context it's irrelevant whether it's a Samba server or a 'real' NT/W2K server.

Where do the users get their email ? - From M$/Exchange or is that linux box also used as a mail server ? If so, what is it running - e.g. sendmail ?

Regards
 
The email comes from a Win2K server running MailMax 4.0.
I realize that Samba is just a file-sharing portal. But I can't figure out where the files are coming from. This Red Hat server only acts as a file server. Do you know what else I need to do so that Nimda is gone? I have run the Nimda Removal Tool from Symantec and updated all the workstations, and the removal tool says that none of the workstations have the virus. My boss is saying that it has to be on the Red Hat server, but I have told him that one of the workstations is putting the .eml files on the file server. Too bad I can't find out which workstation is doing it.

Nate
 
Nimda has its own SMTP engine. Very dangerous virus. We had a very bad infestation here, so I sympathize.

The email messages are indicative of an infected host, and they will be sent to any open file share. Machines are reinfected when a vulnerable MS mail agent (Outlook Express) is installed on the host browsing the share; this is the MIME exploit mentioned in the advisories.

There was a fix posted at that was very good, much superior to any other fix I have used. I suggest you pick this up and run it on every machine if you have not already.

Our method was extreme. Since there are only two of us for 200+ Windows hosts, and since our patch levels are haphazard, we decided:

1) Password protect all SMB file shares. This is a necessity.
2) Remove the Outlook Express executable (msimn.exe) from all machines located in a MS file-sharing environment. We replaced it with a minimal ASCII client and patched our mail servers using amavis and an antivirus engine.
3) Disable downloads through IE (a vulnerable browser will facilitate this MIME exploit, but not if downloads are disabled).

This took a weekend. After all of this we have had no trouble from NIMDA ;-)

As far as interdicting the malicious traffic: run tcpdump against your source net with destination smbhost, TCP ports 137-139, and watch for connects. You should see some pattern emerge.

Another suggestion is to run:

# Refresh the Samba connection list every 10 seconds. Output stays on screen
# for the sleep, is cleared, then redrawn. On the Samba 2.x of the day "-d"
# was the verbose flag; current releases use "smbstatus -v" instead.
while :
do
    smbstatus -d
    sleep 10s
    clear
done

on one tty of the Samba host, or send it to >> /dev/tty9, and watch the connects.
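Step 1 of the list above is a Samba configuration change. As an added example, not code from this thread or its posters, the following sh/awk script reads an smb.conf and flags the settings that match the situation described here: share-level security (security = share), guest access (guest ok = yes), and writable shares with no veto files list. veto files is Samba's own parameter for refusing names on a share; /*.eml/*.nws/ covers the Nimda drop files (.nws is the other extension named in the public Nimda advisories, not in this thread). The two configurations embedded in the script are constructed for the example and assume a single [public] share.

```shell
#!/bin/sh
# Added example, not code from the original thread. Audits an smb.conf for
# the settings that let an infected client drop .eml/.nws files onto a share.
# Parameters checked are real Samba parameters: security, guest ok/public,
# writable/writeable/read only, veto files. Both configs below are constructed.

# Read smb.conf on stdin; print one finding line per section.
audit_smbconf() {
    awk '
        function report() {
            if (sec == "") return
            if (sec == "global") {
                print "global:" (security == "share" ? " share-level-security" : " ok")
                return
            }
            msg = ""
            if (guest == "yes") msg = msg " guest-access"
            if (writable == "yes" && veto == "") msg = msg " writable-without-veto"
            if (msg == "") msg = " ok"
            print sec ":" msg
        }
        /^[ \t]*\[/ {                       # new [section]: emit the previous one
            report()
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*/, "", sec)
            sec = tolower(sec); guest = "no"; writable = "no"; veto = ""
            next
        }
        /^[ \t]*[;#]/ { next }              # comment line
        /=/ {                               # "key = value", keys compared without spaces
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key); key = tolower(key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val); val = tolower(val)
            if (key == "security") security = val
            if (key == "guestok" || key == "public") guest = val
            if (key == "writable" || key == "writeable") writable = val
            if (key == "readonly") writable = (val == "no") ? "yes" : "no"
            if (key == "vetofiles") veto = val
        }
        END { report() }
    '
}

# Constructed: the kind of share this thread is about, open to any client.
WEAK_CONF='[global]
   workgroup = OFFICE
   security = share

[public]
   path = /srv/public
   guest ok = yes
   writable = yes
'

# Constructed: the same share, password protected and refusing the drop files.
HARDENED_CONF='[global]
   workgroup = OFFICE
   security = user

[public]
   path = /srv/public
   guest ok = no
   valid users = @staff
   read only = no
   veto files = /*.eml/*.nws/
   delete veto files = yes
'

# Usage: sh audit.sh demo          (prints findings for both constructed configs)
#        sh audit.sh < /etc/smb.conf   is the same as: audit_smbconf < /etc/smb.conf
if [ "${1:-}" = "demo" ]; then
    echo "weak:";     printf '%s' "$WEAK_CONF" | audit_smbconf
    echo "hardened:"; printf '%s' "$HARDENED_CONF" | audit_smbconf
fi
```

The weak configuration reports "global: share-level-security" and "public: guest-access writable-without-veto"; the hardened one reports "ok" for both. The veto list does not clean an already infected client, but it stops the share from being the place the copies land, which is the symptom the original poster describes.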
 
Is there any good UNIX or Linux based email scanning software with the capability to filter virus payloads? I only ask because I am thinking of routing mail through my Linux firewall before passing it on to my NT client (instead of working it through the NT server, with its can o' worms OS).

I appreciate Linux is much more stable than NT.

Does Samba support file ownership? (It should, like NT.) You might be able to determine the culprit by checking that way, or try narrowing it down. Failing all else, you could disconnect all the machines and reconnect them one by one, monitoring for those darned files. I know it's the long way round.

You could perhaps check by monitoring the network traffic. When we had the virus it created in excess of 25,000 .eml files, which could mean an awful lot of network traffic, or at least a lot of disk writes.

Lastly, I don't think anybody mentioned that there may be multiple machines compromised, confusing attempts to root out the culprit(s).

Hope this can help, at least throw a few ideas your way. Admittedly, when we were infected with Nimda I ended up reinstalling the server - luckily not too much relied on it....

Lastly, one site which seems to know a lot about Nimda is it has helped me a lot.

best o luck
hope it helps
Tels

:cool:
for pint$ = 1 to 20
for pint$ = pint$ + 1
if pint$ = 20 goto HOME
next pint$
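Both the smbstatus/tcpdump suggestion earlier in the thread and the file-ownership idea above point at the same thing: tie the freshly written .eml files on the share to the account and client machine that wrote them. As an added example, not code from the original posts, the script below does that on the Samba host in plain sh. It lists recent .eml/.nws files per Unix owner, maps owners to machines from smbstatus output, and tallies TCP SYNs to port 139 per source address from tcpdump -n output. It assumes GNU find and stat (Linux), the Samba 2.2 column layout of smbstatus (Service uid gid pid machine (ip) date), and the "Flags [S]" style of tcpdump output; the sample smbstatus and tcpdump lines quoted in the comments are constructed.

```shell
#!/bin/sh
# Added example, not code from the original thread. Three helpers for finding
# which client is dropping .eml/.nws files onto a Samba share:
#   eml_owners     - recent .eml/.nws files under a path, counted per Unix owner
#   user_machines  - smbstatus output -> "user machine ip" (Samba 2.2 layout assumed)
#   connect_counts - "tcpdump -n" output -> TCP SYNs to port 139 counted per source
# Needs GNU find/stat (Linux). All sample data mentioned below is constructed.

# Count .eml/.nws files modified in the last $2 minutes (default 60) under $1,
# grouped by owning user: the owner is the account the Windows client mapped to.
eml_owners() {
    find "$1" -type f \( -iname '*.eml' -o -iname '*.nws' \) -mmin "-${2:-60}" \
        -exec stat -c '%U' {} + 2>/dev/null | sort | uniq -c | sort -rn
}

# Parse smbstatus output on stdin into unique "user machine ip" lines. Assumed
# (constructed) row: "public  nate  users  2101  ws05  (192.168.1.5) Tue Jun 19 ..."
user_machines() {
    awk '
        /^-+$/ { body = 1; next }                  # table starts after the dashed rule
        body && NF >= 6 && $6 ~ /^\(/ {            # 6th column is "(ip)"
            ip = $6; gsub(/[()]/, "", ip)
            print $2, $5, ip
        }
    ' | sort -u
}

# Count TCP SYNs to port 139 per source address from "tcpdump -n" lines such as
# (constructed) "10:02:11.000001 IP 192.168.1.5.1034 > 192.168.1.2.139: Flags [S], ..."
connect_counts() {
    sed -n 's/.* \([0-9][0-9.]*\)\.[0-9][0-9]* > [0-9.]*\.139: Flags \[S\].*/\1/p' |
        sort | uniq -c | sort -rn
}

# Tie it together on the file server: who owns the new drop files, and which
# machine that account is currently connected from.
suspects() {
    map=$(smbstatus 2>/dev/null | user_machines)
    eml_owners "$1" "${2:-60}" | while read -r count user; do
        from=$(printf '%s\n' "$map" | awk -v u="$user" '$1 == u { printf "%s(%s) ", $2, $3 }')
        printf '%s new .eml/.nws files owned by %s, connected from: %s\n' \
            "$count" "$user" "${from:-no current session}"
    done
}

# Usage on the Samba host:  sh findwriter.sh /srv/public [minutes]
# Live capture, as the post suggests (stop after 500 packets so the counts print):
#   tcpdump -n -c 500 -i eth0 'tcp dst port 139' | connect_counts
if [ $# -gt 0 ]; then
    suspects "$1" "${2:-60}"
fi
```

A host that appears at the top of connect_counts with a burst of SYNs per minute, and whose mapped account owns the new .eml files, is the one to pull off the wire first; if several owners show up, that is the "multiple machines compromised" case mentioned above.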
 