[RESOLVED] Need advice regarding Nimda

  1. #1
    deh1217
    Guest

    Post Need advice regarding Nimda

    Hi,
    We run a small network. We use an NT 4.0 PDC which serves as a file/print
    server, and we have an NT 4.0 BDC which also has Exchange 5.5, so it is our mail
    server.
    We also have a Windows 2000 Advanced Server which is a stand-alone acting as
    an application server.

    Now what happened was somebody brought their laptop in and connected it to the
    network. She probably hasn't had this laptop in the office for 2 months.

    I guess from the subject you can guess: this laptop infected our servers and
    any shared workstation with the Nimda virus. (Interestingly enough, although
    I had it monitoring incoming and outgoing files, the antivirus only picked this up
    with a manual scan.)

    Basically it threw files all over the place, esp. .eml.

    I went to Symantec and downloaded and applied the fix, taking machines off
    the network to avoid reinfection.

    I noticed though that rather than adding guest to administrators an account
    named backdoor was created. (I deleted this account).

    So it appears the infection was caught rather quickly. However, I am scared
    to death that someone may be able to access our servers now. According to
    Symantec this could have compromised my security, because the system could've
    been accessed by an outside user and they could've done many things, including
    installing remote connectivity host software.

    I rescanned all systems and they are coming up clean.

    Please could someone give me advice on where I go from now (such as any
    audits to implement, accounts to look for, processes running in the
    background to look for, etc.).

    Do I have to reinstall the operating systems? I really hope there is a workaround from doing this.

    Any advice would be so greatly appreciated.

    Thanks,
    Dani


  2. #2
    jeremy_tosha
    Guest

    Post

    My $0.02 is as follows:

    1 - I would change any password that has admin rights

    2 - I would look at the software loaded on the PCs and servers and scan for remote access software

    3 - I would also look at the currently running services on the machines that were infected to make sure that there aren't any odd services running (i.e. virus, remote control, etc.)

    4 - If all else fails and if fear is still in your eyes.....re-install

    Hope this helps!!!!

    ------------------
    Raven

    Quote:
    --------
    "Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning."
    Rich Cook.
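The three checks in the reply above (unexpected accounts, unexpected members of Administrators, unfamiliar services) plus the .eml droppings the first post mentions can be turned into a baseline comparison. The script below is an added example, not code posted by either participant: it parses sample output in the format of `net user` and `net localgroup administrators` (constructed here to mimic what an administrator would capture on each cleaned host) and diffs it against a known-good baseline. The baseline sets, host name, service names and file paths are all assumptions made up for the illustration.

```python
"""Post-infection triage: compare account, Administrators-group and service
snapshots against a known-good baseline and report deviations.

All sample data below is constructed for this example; on a real host the
text would come from `net user`, `net localgroup administrators` and the
Services list, captured after cleaning and before reconnecting to the LAN.
"""

# Assumed known-good baseline for one host (taken from build notes or a
# pre-incident snapshot in practice).
BASELINE_ACCOUNTS = {"Administrator", "Guest", "dani", "IUSR_APPSRV"}
BASELINE_ADMIN_MEMBERS = {"Administrator", "dani"}
BASELINE_SERVICES = {"Server", "Workstation", "Spooler", "EventLog", "Netlogon"}

# Constructed sample in the layout `net localgroup administrators` prints.
SAMPLE_NET_LOCALGROUP = """Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
backdoor
dani
Guest
The command completed successfully.
"""

# Constructed sample in the layout `net user` prints (names in columns).
SAMPLE_NET_USER = """User accounts for \\\\APPSRV

-------------------------------------------------------------------------------
Administrator            backdoor                 dani
Guest                    IUSR_APPSRV
The command completed successfully.
"""

# Constructed service list and file listing for the same host.
SAMPLE_SERVICES = ["Server", "Workstation", "Spooler", "EventLog", "Netlogon", "RemoteCtl"]
SAMPLE_FILES = [
    r"C:\Inetpub\wwwroot\default.htm",
    r"C:\Data\readme.eml",
    r"D:\Shared\budget.xls",
    r"D:\Shared\notes.eml",
]


def _members_block(output):
    """Return the non-empty lines between the dashed separator and the
    trailing 'The command completed successfully.' line of a `net` command."""
    lines = output.splitlines()
    try:
        start = next(i for i, line in enumerate(lines) if line.startswith("----"))
    except StopIteration:
        return []
    body = []
    for line in lines[start + 1:]:
        if line.startswith("The command completed"):
            break
        if line.strip():
            body.append(line)
    return body


def parse_net_localgroup(output):
    """`net localgroup <group>` prints one member per line."""
    return {line.strip() for line in _members_block(output)}


def parse_net_user(output):
    """`net user` prints names in whitespace-separated columns. Account
    names that contain spaces would be split incorrectly (known limitation)."""
    names = set()
    for line in _members_block(output):
        names.update(line.split())
    return names


def triage(accounts, admin_members, services, files):
    """Return human-readable findings for anything not in the baseline."""
    findings = []
    for name in sorted(accounts - BASELINE_ACCOUNTS):
        findings.append(f"unexpected local account: {name}")
    for name in sorted(admin_members - BASELINE_ADMIN_MEMBERS):
        if name == "Guest":
            findings.append("Guest account added to Administrators")
        else:
            findings.append(f"unexpected Administrators member: {name}")
    for svc in sorted(set(services) - BASELINE_SERVICES):
        findings.append(f"unexpected service: {svc}")
    for path in files:
        if path.lower().endswith(".eml"):
            findings.append(f"dropped .eml file: {path}")
    return findings


def run_sample():
    """Run the triage over the constructed sample data."""
    return triage(
        parse_net_user(SAMPLE_NET_USER),
        parse_net_localgroup(SAMPLE_NET_LOCALGROUP),
        SAMPLE_SERVICES,
        SAMPLE_FILES,
    )


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The value of the diff is the baseline: without a record of which accounts, group members and services belonged on each server before the incident, "odd" is a judgement call. Run the comparison on every host that was on the LAN while the laptop was connected, not only the ones the scanner flagged, and keep the captured output as part of the incident record.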

  3. #3
    deh1217
    Guest

    Post

    Hi,
    Thank you for the reply. Like I said, I am pretty sure the infection was picked up within an hour at the most. Email was never allowed to leave with it as an attachment either, so maybe for some reason, even though the AV let it in, it did not let it out via email.

    So I am hoping it wasn't long enough to leak out information.

    BTW, this may be a dumb question, but once this virus infects the machine, how does a hacker get hold of the necessary information (IP address, account name and password information)? Since I don't believe this virus was targeted specifically at our company, how does this work?

    Looking for a better understanding.

    Thanks again,
    Dani
