View previous topic :: View next topic |
Author |
Message |
saeeddeep Just Arrived
Joined: 12 Oct 2008 Posts: 0
|
Posted: Mon Jun 01, 2009 3:46 pm Post subject: virus/worm on NAS!! Help |
|
|
Hi,
I've just fount out a lot of hidden files (exe, pif, cmd and inf files) on my WD NAS drive.
I have 3 winXP and 2 ubuntu connected to the NAS all running Avast free edition.
Avast does not discover those threads(hidden files) on the mounted NAS drive in real time, but when I run Avast SCAN on the mounted drive, Avast alerts comes up!!
from Ubuntu, I run ls -la command, here is a sample of the output:
drwxrwxr-x 9 user user 0 2009-05-31 16:39 .
drwxr-xr-x 6 root root 4096 2009-05-18 18:46 ..
-r--r--r-x 1 user user 171519 2009-05-31 16:17 aalmxv.pif
-r--r--r-x 1 user user 222207 2009-05-31 16:17 abtng.pif
-r--r--r-x 1 user user 222207 2009-05-31 16:17 acpip.pif
-r--r--r-x 1 user user 222207 2009-05-31 15:15 afoi.cmd
-r--r--r-x 1 user user 222207 2009-05-31 16:09 afsxam.cmd
-r--r--r-x 1 user user 222207 2009-05-31 16:21 agcd.exe
-r--r--r-x 1 user user 222207 2009-05-31 16:34 agsu.pif
-r--r--r-x 1 user user 222207 2009-05-31 16:21 aiyier.exe
-r--r--r-x 1 user user 171519 2009-05-31 14:09 akgh.cmd
-r--r--r-x 1 user user 222207 2009-05-31 15:58 alcdu.cmd
-r--r--r-x 1 user user 222207 2009-05-31 16:21 alwi.pif
-r--r--r-x 1 user user 222207 2009-05-31 16:22 amlplo.exe
-r--r--r-x 1 user user 222207 2009-05-31 16:30 anudvn.pif
-r--r--r-x 1 user user 222207 2009-05-31 16:22 aoyia.exe
-r--r--r-x 1 user user 171519 2009-05-31 14:11 ascfum.pif
-r--r--r-x 1 user user 222207 2009-05-31 15:28 asfng.pif
-r--r--r-x 1 user user 222207 2009-05-31 14:59 atsylv.exe
-r--r--r-x 1 user user 222207 2009-05-31 15:36 auny.pif
-r--r--r-x 1 user user 312 2008-04-14 02:12 autorun.inf
-r--r--r-x 1 user user 222207 2009-05-31 15:00 awhmjr.exe
-r--r--r-x 1 user user 222207 2009-05-31 15:30 awkwj.pif
-r--r--r-x 1 user user 222207 2009-05-31 15:44 awpqsp.pif
-r--r--r-x 1 user user 171519 2009-05-31 14:15 axqqdh.pif
-r--r--r-x 1 user user 171519 2009-05-31 14:30 axwip.exe
drwxr-xr-x 3 user user 0 2008-07-20 14:25 directory
-r--r--r-x 1 user user 171519 2009-05-31 13:38 bblbr.exe
-r--r--r-x 1 user user 171519 2009-05-31 13:59 bblmi.pif
-r--r--r-x 1 user user 222207 2009-05-31 15:59 bcwvle.pif
-r--r--r-x 1 user user 171519 2009-05-31 14:07 bebndc.exe
-r--r--r-x 1 user user 222207 2009-05-31 15:58 bfoud.cmd
-r--r--r-x 1 user user 222207 2009-05-31 15:36 bhnhvv.pif
-r--r--r-x 1 user user 171519 2009-05-31 13:32 biyp.pif
-r--r--r-x 1 user user 222207 2009-05-31 15:17 bjhd.pif
-r--r--r-x 1 user user 171519 2009-05-31 14:00 bkjur.exe
-r--r--r-x 1 user user 171519 2009-05-31 14:16 blfo.pif
-r--r--r-x 1 user user 222207 2009-05-31 15:28 blouo.exe
-r--r--r-x 1 user user 171519 2009-05-31 14:03 bmetf.exe
-r--r--r-x 1 user user 222207 2009-05-31 16:22 bmqwd.pif
-r--r--r-x 1 user user 222207 2009-05-31 14:35 borqgi.exe
-r--r--r-x 1 user user 222207 2009-05-31 15:55 bovgj.exe
-r--r--r-x 1 user user 222207 2009-05-31 16:24 bpbbpm.pif
-r--r--r-x 1 user user 222207 2009-05-31 15:51 bqbsey.pif
-r--r--r-x 1 user user 222207 2009-05-31 14:40 bqck.cmd
-r--r--r-x 1 user user 222207 2009-05-31 14:56 brxg.exe
-r--r--r-x 1 user user 222207 2009-05-31 16:06 bsbjk.cmd
-r--r--r-x 1 user user 171519 2009-05-31 14:27 bsjpar.pif
-r--r--r-x 1 user user 222207 2009-05-31 14:59 ccqnh.pif
-r--r--r-x 1 user user 222207 2009-05-31 15:16 cdqd.exe
-r--r--r-x 1 user user 222207 2009-05-31 14:47 ceqmv.exe
-r--r--r-x 1 user user 222207 2009-05-31 14:46 cflp.pif
-r--r--r-x 1 user user 222207 2009-05-31 15:39 cfvbg.pif
-r--r--r-x 1 user user 171519 2009-05-31 13:44 cgima.cmd
-r--r--r-x 1 user user 222207 2009-05-31 15:15 cgod.pif
-r--r--r-x 1 user user 222207 2009-05-31 15:32 chnmtt.exe
-r--r--r-x 1 user user 222207 2009-05-31 16:28 ciixqy.cmd
-r--r--r-x 1 user user 222207 2009-05-31 15:21 cjejv.pif
-r--r--r-x 1 user user 222207 2009-05-31 16:33 ckhjjf.pif
-r--r--r-x 1 user user 171519 2009-05-31 13:50 ckjqvw.exe
-r--r--r-x 1 user user 222207 2009-05-31 15:14 clubo.cmd
-r--r--r-x 1 user user 171519 2009-05-31 13:59 cmhwqk.cmd
-r--r--r-x 1 user user 222207 2009-05-31 16:29 cmtdgm.pif
-r--r--r-x 1 user user 171519 2009-05-31 14:13 cnis.exe
-r--r--r-x 1 user user 222207 2009-05-31 15:46 cpjfkb.exe
-r--r--r-x 1 user user 222207 2009-05-31 14:56 cqab.pif
-r--r--r-x 1 user user 171519 2009-05-31 14:32 cqljs.pif
-r--r--r-x 1 user user 171519 2009-05-31 14:18 cqsl.exe
-r--r--r-x 1 user user 171519 2009-05-31 13:51 crghd.exe
-r--r--r-x 1 user user 222207 2009-05-31 16:27 crwuk.pif
-r--r--r-x 1 user user 222207 2009-05-31 15:31 cuetg.pif
-r--r--r-x 1 user user 222207 2009-05-31 15:51 cvkqvm.exe
-r--r--r-x 1 user user 171519 2009-05-31 13:40 cxxklx.exe
-r--r--r-x 1 user user 171519 2009-05-31 13:45 cygh.exe
-r--r--r-x 1 user user 222207 2009-05-31 16:31 cyhmj.pif
-r--r--r-x 1 user user 222207 2009-05-31 14:39 cyods.exe
-r--r--r-x 1 user user 222207 2009-05-31 15:52 cyqx.cmd
-r--r--r-x 1 user user 171519 2009-05-31 14:06 dafxic.exe
-r--r--r-x 1 user user 171519 2009-05-31 13:39 daqdvx.pif
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
=====Not all listed, it's a very long list of files !!=========
anyway, I run:
$ sudo chmod 777 *.*
$ rm -f *.*
then I see the NAS is clear for few second,
But, those files come back again one by one and I see the first file appears is "autorun.inf".
Removing those files manually, does not prevent them to popup again!
here I want to know:
1- what is the right way to solve this problem.
"should I shutdown the network, perform a full scan on all windows and ubuntu PCs, then make a scan on the mounted NAS drive from ubuntu or XP"
waiting for a reply ... thanks in advance.
|
|
Back to top |
|
|
heba Just Arrived
Joined: 09 Jan 2006 Posts: 4 Location: Cremona (Italy)
|
Posted: Mon Jun 01, 2009 4:33 pm Post subject: |
|
|
hi,
excuse me, have you a double os, please?
|
|
Back to top |
|
|
saeeddeep Just Arrived
Joined: 12 Oct 2008 Posts: 0
|
Posted: Mon Jun 01, 2009 7:55 pm Post subject: Thanks for your reply |
|
|
yes, I have a simple home network.
3 windows XP and 2 Ubuntu PCs connected to a 3COM switch to a TP-Link DSL router.
and WD NAS(Network Attached Storage) attached to the 3COM switch.
NAS shared folder is mounted on Ubuntu and Mapped on windows.
all users have RW permissions on the NAS shared folder.
I hope it's some quite clear. Thanks
|
|
Back to top |
|
|
heba Just Arrived
Joined: 09 Jan 2006 Posts: 4 Location: Cremona (Italy)
|
Posted: Tue Jun 02, 2009 8:51 am Post subject: |
|
|
then, you can try to run off about the network the user infected. So you limited the infection at that user and not other or all network.
If the file continue to appear also if you eliminate them, it's because the real problem, the real malware is not erase.
So you eliminate the problem files but not the malware, you must find the file malware and erase it.
It's useless if you purge the system from Ubuntu, you must erase the file and the malware in Windows, directly from the machine infected.
Use HiJackThis, can more possibility to view the real problem and the malware file to erase correctly.
Finally, when you purge this machine before reinstall in your network, you check the other machine to control the malware is not pass in other pc, in a network is possible that if one pc is infected can pass from pc to pc.
|
|
Back to top |
|
|
|