
Virus infection found in HPUX samba shares

 
senthil_kumar_1
Super Advisor


Hi All,

We are using HPUX 11.00 and some directories are being shared through Samba.

Recently the risk "W32.Topion.B" infected a desktop (WinXP); due to that, some Windows shares and Unix shares (Samba) have been affected.


The infection creates the two files "Autorun.inf" and "fun.xls.exe" in the parent directory of the share folder, and it creates a ".exe" file for each of the folders available in the shares.

For example:

We have one HPUX share "\\10.0.0.198\ite\" (Samba share name).

This share has the following folders.

soft
hard
production
manufacturing

After infection the share "\\10.0.0.198\ite\" contains the following files and folders.

Autorun.inf
fun.xls.exe
soft
soft.exe
hard
hard.exe
production
production.exe
manufacturing
manufacturing.exe

I need some solution for my questions below:

1) How to create a script to send mail automatically, immediately after getting infected like above?

2) Or how to monitor the Samba share in Symantec to find the infections automatically and control them.

5 REPLIES
Pete Randall
Outstanding Contributor
Solution

Re: Virus infection found in HPUX samba shares

>> 1) How to create a script to send mail automatically, immediately after getting infected like above?

How did you find out that you were infected? Whatever process discovered the infection is the process that needs to be scripted. You could also set up a cron job that would search the Samba share using the find command (find /samba/share -name '*.exe' -o -name '*.inf') but that's pretty crude.

>> 2) Or how to monitor the Samba share in Symantec to find the infections automatically.

Since this is an HP-UX forum and, as far as I know, Symantec does not offer its AV software for HP-UX, I would think you would have to ask Symantec that one.


Pete

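The cron-driven check suggested in the reply above, narrowed to the file pattern from the original post, as an added example that is not part of the thread. The script name `scan_share.sh`, delivery through `mailx` and the recipient address are assumptions; a name-based check like this only recognises this one worm's artifacts and does not clean the infected PCs.

```sh
#!/bin/sh
# Added example (not from the thread): flag the file pattern described in the
# original post under a directory exported through Samba.

# Print each suspicious path once:
#   - Autorun.inf or a double-extension *.*.exe (fun.xls.exe) in the share root
#   - <name>.exe sitting next to a directory called <name>, at any depth
scan_share() {
    root=$1
    {
        for f in "$root"/*; do
            [ -f "$f" ] || continue
            # Bracket classes give a case-insensitive match without find -iname.
            case $(basename "$f") in
                [Aa][Uu][Tt][Oo][Rr][Uu][Nn].[Ii][Nn][Ff]) echo "$f" ;;
                *.*.[Ee][Xx][Ee]) echo "$f" ;;
            esac
        done
        find "$root" -type d -print | while IFS= read -r d; do
            if [ "$d" = "$root" ]; then continue; fi
            for ext in exe EXE; do
                if [ -f "$d.$ext" ]; then echo "$d.$ext"; fi
            done
        done
    } | sort -u
}

# Send one mail listing the findings; stay silent when the share is clean.
alert_if_infected() {
    hits=$(scan_share "$1")
    [ -n "$hits" ] || return 0
    printf 'Suspicious files under %s:\n%s\n' "$1" "$hits" |
        mailx -s "Samba share alert on $(hostname)" "$2"
}

# Hypothetical crontab entry (path and address are placeholders):
#   0,15,30,45 * * * * /usr/local/bin/scan_share.sh /samba/share admin@example.com
if [ $# -eq 2 ]; then
    alert_if_infected "$1" "$2"
fi
```

Legitimate installers such as `setup.exe` are not reported, because they neither carry a double extension nor share a name with a sibling directory.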
Rita C Workman
Honored Contributor

Re: Virus infection found in HPUX samba shares

Your infection started from some Windows PC on your network. Taking after-the-fact measures will not protect you. If it finds a file there to clean up then - you're already hit!

You need to start with how the virus got on the PC in the first place.
You need to ensure that virus protection is being done regularly and being pushed out to all your Windows servers/PCs on a timely basis.
And you need to ensure that the staff understands they should not be downloading things to their work PC, nor putting in suspect CDs, USB devices, or any attachments from email.

Pro-active is the only way!

Kindest regards,
Rita
OldSchool
Honored Contributor

Re: Virus infection found in HPUX samba shares

the fact that it is shared from hpux via samba has no bearing on the issue.

the virus noted came from the Windows side of the operation. you need to set up your antivirus *there* and set it up so it can "see" the shared drive and "fix" it.

1) Anything you come up with internally that looks for those files will only "catch" that specific virus.

2) This is usually done by placing the AV software on any PC that accesses the share.

And in today's world, basically every PC that is connected in any way to any network should have AV software installed and operating. There are just too many different ways to get a virus, such as e-mail, downloaded files, another pc on the network gets infected and so on.

basically this ISN'T a Unix problem, it's a Windows issue, and that's where it needs to be addressed.
Court Campbell
Honored Contributor

Re: Virus infection found in HPUX samba shares

well if this was 11.23 or 11.31 I would say that you could install clamav and run scans on the folders. I agree with the others on this, but you might be able to find a virus scanner for 11.00 that will scan the files and take whatever actions you define.
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
Torsten.
Acclaimed Contributor

Re: Virus infection found in HPUX samba shares

If you read the details about this worm you will see that removing these files will not help at all - you need to clean the PC!

Keep in mind that the HP-UX server just stores every file that comes from your PCs - regardless of what it is.

As long as the PCs are infected they will try to distribute the worm (this is the nature of such worms).


http://www.symantec.com/security_response/writeup.jsp?docid=2009-071102-4352-99&tabid=2

Hope this helps!
Regards
Torsten.

__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.

__________________________________________________
No support by private messages. Please ask the forum!
