[plug] Nasty windows viruses (somewhat on topic, really!)

Scott Middleton scott at linuxit.com.au
Tue Jul 13 13:33:53 WST 2004


On Tue, 2004-07-13 at 12:27, Cameron Patrick wrote:
> Hi,
> 
> I recently noticed high CPU usage and network traffic to my desktop at
> home without any good reason.  Tcpdump showed lots of Samba traffic to
> my brother's machine, and said brother couldn't think of a good reason
> why.  I suspect a Windows virus or trojan or some such, but am at a
> loss with regards to what to do about it.  I've shut down Samba on my
> machine and the server (because they allow passwordless write access
> to a lot of stuff that they really really shouldn't -- I will fix this
> before turning Samba back on) and have removed network access from my
> brother's machine for now.
> 
> <Linux content>
> So what I really want to know is, how can I find out what files it was
> poking around in and for how long it's been going on (presumably by
> looking at Samba logs, but I can't find anything equivalent to ftpd's
> xferlog or apache's access.log)?
> </Linux content>
> 
Excerpt from my samba.conf file
        log level = 3
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000


tail /var/log/samba/log.winxp 
I used my test XP workstation to access a share and open up an image
there. There is a lot of gibberish but you will see lines like this.
 linuxit opened file Truth_zoom.jpg read=Yes write=No (numopen=3)
 linuxit closed file Truth_zoom.jpg (numopen=2)

Linuxit is the name of the user that accessed the files. Also look for
the user nobody.

> <maybe Linux content>
> How can I find out what the infected machine was running?  Should I
> use a Linux-based virus scanner to inspect it off a Linux boot disc?
> Alternatively, what are good Windows virus scanners?  Is there a
> better way of cleaning up any infections than backing up anything
> important, wiping the whole disc (and installing Linux on there :-P)?
> </maybe Linux content>
> 
For me it depends on what FS is used. If it is FAT then I remove the HDD
and mount it on a Linux system using my USB 2.0 caddy and scan using
UVSCAN. If it is NTFS I use BartPE, which is a Windows LiveCD with NTFS
write support. BartPE has support for McAfee as well. OK, it's not really
Linux but it works really well and is easy to use.

> <non-Linux content>
> What do Windows viruses/trojans do to machines over SMB? Is this
> machine also likely to have been sending out spam too?
> </non-Linux content>
> 
Look for shared directories and copy itself to them. It is not uncommon
for people to share their entire C drive. Put itself into random files
that may be executed by another user. And so on.

Kind Regards

-- 
Scott Middleton <scott at linuxit.com.au>
Linux Information Technology
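Added example (not from the original post): a small sh/awk script that turns the "opened file" lines Samba writes at the log level shown above into a per-user summary, so you can see who opened what for writing instead of reading the raw log by eye. The sample log content is constructed to match the line shape quoted in the post; the function and variable names are my own.

```sh
#!/bin/sh
# Summarise Samba "opened file" events per user from a log.%m file
# written at log level 2 or higher (level 3 in the smb.conf excerpt above).

# Constructed sample log (not real traffic), in the shape Samba produces:
# a "[date, level] source:function(...)" header line followed by the event.
SAMPLE_LOG='[2004/07/13 12:01:10, 2] smbd/open.c:open_file(...)
  linuxit opened file Truth_zoom.jpg read=Yes write=No (numopen=3)
[2004/07/13 12:01:12, 2] smbd/close.c:close_normal_file(...)
  linuxit closed file Truth_zoom.jpg (numopen=2)
  nobody opened file shared/setup.exe read=No write=Yes (numopen=4)
  nobody opened file shared/My Docs/readme.txt read=Yes write=No (numopen=5)
  nobody closed file shared/setup.exe (numopen=4)'

# Read a Samba log on stdin; print one tab-separated line per file open:
# user, read flag, write flag, file name. Header and "closed file" lines
# are skipped. File names may contain spaces, so the name is rebuilt from
# field 4 up to the three trailing "read=/write=/(numopen=)" fields.
samba_opens() {
    awk '$2 == "opened" && $3 == "file" {
        name = ""
        for (i = 4; i <= NF - 3; i++) name = name (name == "" ? "" : " ") $i
        print $1 "\t" $(NF-2) "\t" $(NF-1) "\t" name
    }'
}

# Number of files a given user opened with write access; a guest account
# such as "nobody" writing into shares is the case worth chasing first.
write_opens_for() {
    samba_opens | awk -F '\t' -v u="$1" \
        '$1 == u && $3 == "write=Yes" { n++ } END { print n + 0 }'
}

# Count of file opens per user, busiest user first.
opens_per_user() {
    samba_opens | cut -f1 | sort | uniq -c | sort -rn
}

# Demo over the constructed sample; on a real box feed it
# /var/log/samba/log.<machine> instead.
printf '%s\n' "$SAMPLE_LOG" | opens_per_user
printf 'nobody write opens: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | write_opens_for nobody)"
```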
