
Security Forums


virus/worm on NAS!! Help

saeeddeep
Posted: Mon Jun 01, 2009 3:46 pm    Post subject: virus/worm on NAS!! Help

Hi,
I've just found out there are a lot of hidden files (exe, pif, cmd and inf files) on my WD NAS drive.
I have 3 WinXP and 2 Ubuntu PCs connected to the NAS, all running Avast free edition.
Avast does not discover those threats (hidden files) on the mounted NAS drive in real time, but when I run an Avast SCAN on the mounted drive, Avast alerts come up!!
From Ubuntu, I ran the ls -la command; here is a sample of the output:
drwxrwxr-x 9 user user 0 2009-05-31 16:39 .
drwxr-xr-x 6 root root 4096 2009-05-18 18:46 ..
-r--r--r-x 1 user user 171519 2009-05-31 16:17 aalmxv.pif
-r--r--r-x 1 user user 222207 2009-05-31 16:17 abtng.pif
-r--r--r-x 1 user user 222207 2009-05-31 16:17 acpip.pif
-r--r--r-x 1 user user 222207 2009-05-31 15:15 afoi.cmd
-r--r--r-x 1 user user 222207 2009-05-31 16:09 afsxam.cmd
-r--r--r-x 1 user user 222207 2009-05-31 16:21 agcd.exe
-r--r--r-x 1 user user 222207 2009-05-31 16:34 agsu.pif
-r--r--r-x 1 user user 222207 2009-05-31 16:21 aiyier.exe
-r--r--r-x 1 user user 171519 2009-05-31 14:09 akgh.cmd
-r--r--r-x 1 user user 222207 2009-05-31 15:58 alcdu.cmd
-r--r--r-x 1 user user 222207 2009-05-31 16:21 alwi.pif
-r--r--r-x 1 user user 222207 2009-05-31 16:22 amlplo.exe
-r--r--r-x 1 user user 222207 2009-05-31 16:30 anudvn.pif
-r--r--r-x 1 user user 222207 2009-05-31 16:22 aoyia.exe
-r--r--r-x 1 user user 171519 2009-05-31 14:11 ascfum.pif
-r--r--r-x 1 user user 222207 2009-05-31 15:28 asfng.pif
-r--r--r-x 1 user user 222207 2009-05-31 14:59 atsylv.exe
-r--r--r-x 1 user user 222207 2009-05-31 15:36 auny.pif
-r--r--r-x 1 user user 312 2008-04-14 02:12 autorun.inf
-r--r--r-x 1 user user 222207 2009-05-31 15:00 awhmjr.exe
-r--r--r-x 1 user user 222207 2009-05-31 15:30 awkwj.pif
-r--r--r-x 1 user user 222207 2009-05-31 15:44 awpqsp.pif
-r--r--r-x 1 user user 171519 2009-05-31 14:15 axqqdh.pif
-r--r--r-x 1 user user 171519 2009-05-31 14:30 axwip.exe
drwxr-xr-x 3 user user 0 2008-07-20 14:25 directory
-r--r--r-x 1 user user 171519 2009-05-31 13:38 bblbr.exe
-r--r--r-x 1 user user 171519 2009-05-31 13:59 bblmi.pif
-r--r--r-x 1 user user 222207 2009-05-31 15:59 bcwvle.pif
-r--r--r-x 1 user user 171519 2009-05-31 14:07 bebndc.exe
-r--r--r-x 1 user user 222207 2009-05-31 15:58 bfoud.cmd
-r--r--r-x 1 user user 222207 2009-05-31 15:36 bhnhvv.pif
-r--r--r-x 1 user user 171519 2009-05-31 13:32 biyp.pif
-r--r--r-x 1 user user 222207 2009-05-31 15:17 bjhd.pif
-r--r--r-x 1 user user 171519 2009-05-31 14:00 bkjur.exe
-r--r--r-x 1 user user 171519 2009-05-31 14:16 blfo.pif
-r--r--r-x 1 user user 222207 2009-05-31 15:28 blouo.exe
-r--r--r-x 1 user user 171519 2009-05-31 14:03 bmetf.exe
-r--r--r-x 1 user user 222207 2009-05-31 16:22 bmqwd.pif
-r--r--r-x 1 user user 222207 2009-05-31 14:35 borqgi.exe
-r--r--r-x 1 user user 222207 2009-05-31 15:55 bovgj.exe
-r--r--r-x 1 user user 222207 2009-05-31 16:24 bpbbpm.pif
-r--r--r-x 1 user user 222207 2009-05-31 15:51 bqbsey.pif
-r--r--r-x 1 user user 222207 2009-05-31 14:40 bqck.cmd
-r--r--r-x 1 user user 222207 2009-05-31 14:56 brxg.exe
-r--r--r-x 1 user user 222207 2009-05-31 16:06 bsbjk.cmd
-r--r--r-x 1 user user 171519 2009-05-31 14:27 bsjpar.pif
-r--r--r-x 1 user user 222207 2009-05-31 14:59 ccqnh.pif
-r--r--r-x 1 user user 222207 2009-05-31 15:16 cdqd.exe
-r--r--r-x 1 user user 222207 2009-05-31 14:47 ceqmv.exe
-r--r--r-x 1 user user 222207 2009-05-31 14:46 cflp.pif
-r--r--r-x 1 user user 222207 2009-05-31 15:39 cfvbg.pif
-r--r--r-x 1 user user 171519 2009-05-31 13:44 cgima.cmd
-r--r--r-x 1 user user 222207 2009-05-31 15:15 cgod.pif
-r--r--r-x 1 user user 222207 2009-05-31 15:32 chnmtt.exe
-r--r--r-x 1 user user 222207 2009-05-31 16:28 ciixqy.cmd
-r--r--r-x 1 user user 222207 2009-05-31 15:21 cjejv.pif
-r--r--r-x 1 user user 222207 2009-05-31 16:33 ckhjjf.pif
-r--r--r-x 1 user user 171519 2009-05-31 13:50 ckjqvw.exe
-r--r--r-x 1 user user 222207 2009-05-31 15:14 clubo.cmd
-r--r--r-x 1 user user 171519 2009-05-31 13:59 cmhwqk.cmd
-r--r--r-x 1 user user 222207 2009-05-31 16:29 cmtdgm.pif
-r--r--r-x 1 user user 171519 2009-05-31 14:13 cnis.exe
-r--r--r-x 1 user user 222207 2009-05-31 15:46 cpjfkb.exe
-r--r--r-x 1 user user 222207 2009-05-31 14:56 cqab.pif
-r--r--r-x 1 user user 171519 2009-05-31 14:32 cqljs.pif
-r--r--r-x 1 user user 171519 2009-05-31 14:18 cqsl.exe
-r--r--r-x 1 user user 171519 2009-05-31 13:51 crghd.exe
-r--r--r-x 1 user user 222207 2009-05-31 16:27 crwuk.pif
-r--r--r-x 1 user user 222207 2009-05-31 15:31 cuetg.pif
-r--r--r-x 1 user user 222207 2009-05-31 15:51 cvkqvm.exe
-r--r--r-x 1 user user 171519 2009-05-31 13:40 cxxklx.exe
-r--r--r-x 1 user user 171519 2009-05-31 13:45 cygh.exe
-r--r--r-x 1 user user 222207 2009-05-31 16:31 cyhmj.pif
-r--r--r-x 1 user user 222207 2009-05-31 14:39 cyods.exe
-r--r--r-x 1 user user 222207 2009-05-31 15:52 cyqx.cmd
-r--r--r-x 1 user user 171519 2009-05-31 14:06 dafxic.exe
-r--r--r-x 1 user user 171519 2009-05-31 13:39 daqdvx.pif
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
=====Not all listed, it's a very long list of files !!=========
Anyway, I ran:
$ sudo chmod 777 *.*
$ rm -f *.*
Then I see the NAS is clear for a few seconds,
but those files come back again one by one, and I see the first file that appears is "autorun.inf".
Removing those files manually does not prevent them from popping up again!
Here is what I want to know:
1- What is the right way to solve this problem?
"Should I shut down the network, perform a full scan on all Windows and Ubuntu PCs, then run a scan on the mounted NAS drive from Ubuntu or XP?"
Waiting for a reply ... thanks in advance.
heba

Posted: Mon Jun 01, 2009 4:33 pm

Hi,
excuse me, do you have a double OS, please?
saeeddeep

Posted: Mon Jun 01, 2009 7:55 pm    Post subject: Thanks for your reply

Yes, I have a simple home network:
3 Windows XP and 2 Ubuntu PCs connected to a 3COM switch, which connects to a TP-Link DSL router,
and a WD NAS (Network Attached Storage) attached to the 3COM switch.
The NAS shared folder is mounted on Ubuntu and mapped on Windows.
All users have RW permissions on the NAS shared folder.
I hope it's quite clear. Thanks
heba

Posted: Tue Jun 02, 2009 8:51 am

Then you can try to take the infected user off the network. That way you limit the infection to that user and not the others or the whole network.

If the files continue to appear even after you delete them, it's because the real problem, the real malware, has not been erased.
So you are eliminating the problem files but not the malware; you must find the malware file and erase it.

It's useless to purge the system from Ubuntu; you must erase the files and the malware in Windows, directly on the infected machine.

Use HiJackThis; it gives you a better chance of seeing the real problem and the malware file to erase correctly.

Finally, once you have purged this machine, before putting it back on your network, check the other machines to make sure the malware has not passed to other PCs; in a network it is possible that, if one PC is infected, it passes from PC to PC.
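Added example, not part of any post in this thread: a read-only inventory to run from an Ubuntu client against the mounted share, grouping the exe/pif/cmd/inf files by size, reporting the newest write time, and listing what autorun.inf would launch. Re-running it while one Windows PC at a time is off the network shows whether the newest write time keeps advancing. The function names, sample file names and sample sizes are assumptions made for the demo.

```python
import os
import tempfile
from collections import defaultdict
from datetime import datetime

# Extensions reported in the thread's listing (exe, pif, cmd, inf).
SUSPECT_EXT = {".exe", ".pif", ".cmd", ".inf"}

def inventory(share_root):
    """Read-only summary of suspect files in the top level of a mounted share."""
    by_size, newest = defaultdict(list), None
    for entry in os.scandir(share_root):
        ext = os.path.splitext(entry.name)[1].lower()
        if ext not in SUSPECT_EXT or not entry.is_file(follow_symlinks=False):
            continue
        st = entry.stat(follow_symlinks=False)
        by_size[st.st_size].append(entry.name)  # identical sizes suggest copies
        newest = st.st_mtime if newest is None else max(newest, st.st_mtime)
    return {"by_size": {s: sorted(n) for s, n in by_size.items()},
            "newest_mtime": newest}

def autorun_targets(share_root):
    """Programs that an autorun.inf in the share root tells Windows to launch."""
    path, targets = os.path.join(share_root, "autorun.inf"), []
    if os.path.isfile(path):
        with open(path, encoding="latin-1") as fh:
            for line in fh:
                key, sep, value = line.partition("=")
                key = key.strip().lower()
                if sep and (key in ("open", "shellexecute") or key.endswith("\\command")):
                    targets.append(value.strip())
    return targets

def build_sample(root):
    """Constructed sample share (names and sizes are made up for the demo)."""
    for name, size in [("aaa.pif", 1715), ("bbb.exe", 2222),
                       ("ccc.cmd", 2222), ("notes.txt", 10)]:
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"\0" * size)
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[AutoRun]\nopen=bbb.exe\nshell\\open\\command=bbb.exe\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        report = inventory(root)
        for size, names in sorted(report["by_size"].items()):
            print(size, "bytes:", len(names), "file(s)", names)
        print("newest write:", datetime.fromtimestamp(report["newest_mtime"]))
        print("autorun.inf launches:", autorun_targets(root))
```

The script only reads directory entries and autorun.inf; it neither deletes nor executes anything on the share.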
All times are GMT + 2 Hours