While the 400 isn't necessarily affected by the virus, it most certainly can be a "carrier" within the IFS.

The beta version of the next release of PentaSafe's remote access (exit point) management tool, RRM (Remote Request Management), has helped a beta customer pinpoint infected remote PC IP addresses within their 3500+ clients (whom they host apps for on their numerous AS/400s) and subsequently clean them up!

Customer: "Hey folks, this RRM 7.0 has been extremely useful in tracking down an infected remote PC IP propagating the Nimda virus".

I followed up to get more detail about how he used the product to do this...

"The Nimda Virus propagates infected PC objects to the IFS. McAfee Virus scans on the IFS identified the infected objects and where they resided. By displaying an infected object's attributes I could identify the following information:

    Object Owner
    Last access date/time
    Data change date/time
    Attribute change date/time

I then corrected the folder's authority to prevent further propagation. Once secured, I removed the object(s). This has proven to be successful in limiting the virus to those folders that *PUBLIC needs *RWX rights on.

I then went to PentaSafe's RRM collected remote entries screen:

- On the User Column, I keyed the 'Object Owner' profile for User.
- I then chose to sort on the date/time column.
- I then viewed the objects for entries with the > sign (indicates a specific object associated with the remote transaction).

    Server  Func.  Cmd.  User       Network         Time Stamp
    FILE    OPEN   W     RMTBANK47  101.252.438.55  2001/09/24.09:24 >

This displayed the full IFS paths that the user machine was attempting to propagate the infected objects on. These object names matched the objects identified by McAfee.

With the user profile and IP address identified, I then proceeded to contact my clients and have them take action on the physical machine at their end."

Problem solved!

Steven Martinson
Product Marketing Manager, iSeries and AS/400
PentaSafe Security Technologies, Inc.
http://www.pentasafe.com
Toll Free: 1.888.400.2834, x9585
Direct Dial: 1.713.860.9585

-----Original Message-----
From: thomas@inorbit.com [mailto:thomas@inorbit.com]
Sent: Thursday, October 04, 2001 10:07 PM
To: midrange-l@midrange.com
Subject: RE: NIMDA Virus - Anyone been affected by it ?

On Thu, 04 October 2001, "Joel R. Cochran" wrote:

> "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 232
> "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 232
> "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
> "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
> <etc., etc.>

I can't help but wonder what interesting results could come from creating directories such as '/scripts' or '/d/winnt/system32' on an AS/400 and populating them with objects named such as 'cmd.exe'. There's bound to be replies you could generate and send to these requests that would confuse the requester no end.

Tom Liotta
--
Tom Liotta
The PowerTech Group, Inc.
19426 68th Avenue South
Kent, WA 98032
Phone 253-872-7788
Fax 253-872-7904
http://www.400Security.com

_______________________________________________
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@midrange.com
To subscribe, unsubscribe, or change list options, visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l
or email: MIDRANGE-L-request@midrange.com
Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.
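The two detection steps described in the thread (spotting the worm's probe requests in a web server log, and walking exit-point entries for a given user to find the write attempts whose targets match what the virus scanner flagged) can be scripted. The following is an added example and not code from either PentaSafe, PowerTech or the list; the access-log layout, the column layout of the RRM "collected remote entries" screen (taken from the single row quoted above), the sample IPs, timestamps and IFS paths are all assumed or constructed for this example.

```python
import re
from collections import defaultdict

# Constructed access-log lines. The request strings are the ones quoted in the
# thread; the client IPs and timestamps are made up for this example.
ACCESS_LOG = """\
192.0.2.10 - - [04/Oct/2001:21:58:01 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 232
192.0.2.10 - - [04/Oct/2001:21:58:02 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 232
192.0.2.10 - - [04/Oct/2001:21:58:03 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
198.51.100.7 - - [04/Oct/2001:22:01:11 -0500] "GET /index.html HTTP/1.0" 200 1532
198.51.100.7 - - [04/Oct/2001:22:01:12 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
"""

# Constructed exit-point entries in the assumed column order shown in the thread:
# Server  Func.  Cmd.  User  Network  Time Stamp  [> object path]
RRM_ENTRIES = """\
FILE OPEN W RMTBANK47 101.252.438.55 2001/09/24.09:24 > /home/share/readme.eml
FILE OPEN W RMTBANK47 101.252.438.55 2001/09/24.09:25 > /home/share/admin.dll
FILE OPEN R RMTBANK12 101.252.438.20 2001/09/24.09:26 > /home/share/report.txt
FILE OPEN W RMTBANK12 101.252.438.20 2001/09/24.09:27 > /home/share/sales.csv
"""

# Constructed list standing in for the paths the IFS virus scan reported.
SCANNER_FINDINGS = ["/home/share/readme.eml", "/home/share/admin.dll"]

# Common-log-format fields: client IP, bracketed timestamp, quoted request, status.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
# The probe shape quoted in the thread: a GET for root.exe or cmd.exe with a "?/c+" argument.
NIMDA_PROBE = re.compile(r'"GET\s+\S*(?:root\.exe|cmd\.exe)\?/c\+', re.IGNORECASE)

# One RRM screen row; the trailing "> path" part is optional.
RRM_RE = re.compile(
    r'^(?P<server>\S+)\s+(?P<func>\S+)\s+(?P<cmd>\S+)\s+(?P<user>\S+)\s+'
    r'(?P<net>\S+)\s+(?P<ts>\d{4}/\d{2}/\d{2}\.\d{2}:\d{2})(?:\s+>\s+(?P<obj>\S+))?$'
)


def find_probe_sources(log_text):
    """Map each client IP to the worm-style probe requests it sent (empty if none)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if m and NIMDA_PROBE.search(line):
            hits[m["ip"]].append(m["req"])
    return dict(hits)


def write_attempts_by_user(entries_text, user):
    """Entries where `user` opened a named IFS object for write, oldest first,
    as (timestamp, ip, path) tuples. Mirrors keying the owner profile into the
    User column and sorting on the time stamp."""
    rows = []
    for line in entries_text.splitlines():
        m = RRM_RE.match(line)
        if not m or m["user"] != user or m["cmd"] != "W" or not m["obj"]:
            continue
        rows.append((m["ts"], m["net"], m["obj"]))
    rows.sort()
    return rows


def correlate_with_scanner(rows, infected_paths):
    """Keep only write attempts whose target the scanner flagged; group by source IP
    so each remote machine that pushed an infected object can be followed up."""
    infected = set(infected_paths)
    by_ip = defaultdict(set)
    for _ts, ip, path in rows:
        if path in infected:
            by_ip[ip].add(path)
    return {ip: sorted(paths) for ip, paths in by_ip.items()}


if __name__ == "__main__":
    for ip, reqs in find_probe_sources(ACCESS_LOG).items():
        print(f"{ip}: {len(reqs)} probe request(s)")
    rows = write_attempts_by_user(RRM_ENTRIES, "RMTBANK47")
    print(correlate_with_scanner(rows, SCANNER_FINDINGS))
```

The 404 status on the probe lines is what you expect on a box that has no such paths; the value of the log is the source IP, which is why the access-log parser keys on it. On the exit-point side the filter is deliberately narrow (write function, named object, one owner profile) so that the resulting IP list contains only machines that actually pushed a flagged object rather than every client that touched the share.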
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].