[plug] Nasty windows viruses (somewhat on topic, really!)
Cameron Patrick
cameron at patrick.wattle.id.au
Tue Jul 13 17:03:22 WST 2004
Scott Middleton wrote:
> > <Linux content>
> > So what I really want to know is, how can I find out what files it was
> > poking around in and for how long it's been going on (presumably by
> > looking at Samba logs, but I can't find anything equivalent to ftpd's
> > xferlog or apache's access.log)?
> > </Linux content>
> >
> Excerpt from my samba.conf file
> log level = 3
> syslog = 0
> log file = /var/log/samba/log.%m
> max log size = 1000
Ahh, I don't see "log level = 3" in mine and have only logs of what
machine connected to what services in the logs you mentioned.
Fortunately the machine seems to have been "only" infected since
yesterday.
> For me it depends on what FS is used. If it is FAT then I remove the HDD
> and mount on a linux system using my USB 2.0 Caddy and scan using
> UVSCAN. If it is NTFS I use BartPE which is a Windows LiveCD with NTFS
> write support. BartPE has support for mcafee as well. OK it's not really
> Linux but it works really well and is easy to use.
It's NTFS. I'll give BartPE a shot.
> Look for shared directories and copy itself to them. It is not uncommon
> for people to share their entire C drive. Put itself into random files
> that may be executed by another user. So on.
Urgh. Yuck. I have a whole bunch of Windows executables in one share
that's writable without a password, will check over that...
Cameron.
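An added example, not from anyone in this thread: a small Python audit that parses an smb.conf and reports which shares are writable by unauthenticated (guest) users, the situation Cameron describes above, plus the global log level Scott's excerpt relies on. It assumes the file is close enough to INI syntax for Python's configparser (no "include =" lines are followed, and %-macros are left unexpanded); the sample configuration is constructed.

```python
import configparser

# Constructed sample smb.conf for illustration (not from the original post).
SAMPLE_SMB_CONF = """
[global]
   workgroup = HOME
   log file = /var/log/samba/log.%m
   max log size = 1000

[software]
   path = /srv/software
   writable = yes
   guest ok = yes

[homes]
   path = /home/%S
   read only = no
   browseable = no

[docs]
   path = /srv/docs
   read only = yes
   public = yes
"""

TRUE_VALUES = {"yes", "true", "1"}

def _parse(conf_text):
    # interpolation=None keeps Samba's %m / %S macros from tripping configparser.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   inline_comment_prefixes=(";", "#"))
    cp.read_string(conf_text)
    return cp

def share_is_writable(sec):
    """Samba default is read only = yes; 'writable'/'writeable'/'write ok' invert it."""
    for key in ("writable", "writeable", "write ok"):
        if key in sec:
            return sec[key].strip().lower() in TRUE_VALUES
    if "read only" in sec:
        return sec["read only"].strip().lower() not in TRUE_VALUES
    return False

def guest_allowed(sec):
    """'guest ok' and its synonym 'public' both default to no."""
    for key in ("guest ok", "public"):
        if key in sec:
            return sec[key].strip().lower() in TRUE_VALUES
    return False

def audit_shares(conf_text):
    """Map every non-global share to its writable / guest flags."""
    cp = _parse(conf_text)
    return {name: {"writable": share_is_writable(cp[name]),
                   "guest_ok": guest_allowed(cp[name])}
            for name in cp.sections() if name.lower() != "global"}

def guest_writable_shares(conf_text):
    """Shares anyone can write to without a password: where a worm would copy itself."""
    return sorted(n for n, f in audit_shares(conf_text).items()
                  if f["writable"] and f["guest_ok"])

def global_log_level(conf_text):
    """Samba's default log level is 0; 'log level = 3 passdb:5' style values take the first token."""
    cp = _parse(conf_text)
    g = cp["global"] if "global" in cp else {}
    raw = g.get("log level", g.get("debuglevel", "0"))
    return int(raw.split()[0])
```

Run it against your real file with `audit_shares(open("/etc/samba/smb.conf").read())`; a log level below 3 means per-file access will not appear in log.%m.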