  • Conficker... some questions

    Our network manager is trying to fight an infection of Conficker on our servers and clients. I've been asked to help but we seem to be going round in circles.

    Some questions I have:

    1. If there are no rundll32's in the Process list in Task Manager then Conficker isn't running at that time?

    2. If you have an up-to-date antivirus installed (we use Sophos), when you reboot it shouldn't allow Conficker to start? Correct?

    3. Which is the most effective tool to remove Conficker?

    4. How does Conficker start after a reboot?

    5. If you install the Microsoft 958644 (or whatever it is) does this stop further infection? We had what we thought was a clean server, rebooted, ran full Sophos scan, installed the patch, rebooted, ran a full Sophos scan and it was found in the scan?

    6. Any other help or suggestions appreciated!

    Regards

    Chris
    Last edited by tonyyeb; 11th May 2009, 17:52.
    Server 2000 MCP
    Development: ASP, ASP.Net, PHP, VB, VB.Net, MySQL, MSSQL - Check out my blog http://tonyyeb.blogspot.com

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

  • #2
    Re: Conficker... some questions

    Don't forget to do a full scan in safe mode
    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: Conficker... some questions

      It's probably getting reinfected by a compromised machine out in the network. Follow the directions here http://support.microsoft.com/kb/962007 and change all domain admin level passwords. From my understanding, even if you are patched you can get reinfected if another compromised machine already has domain admin level credentials. Might want to look into OpenDNS; they played a major role in deflecting the severity of the 04/01 scare. Plus they can tell you if DNS queries on your network are looking for home base.
      "...if I turn out to be particularly clear, you've probably misunderstood what I've said" - Alan Greenspan



      • #4
        Re: Conficker... some questions

        Tony,

        Sweep your network with NMAP to detect the presence of the Conficker worm.
        The NMAP command would look something like this:

        nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 192.168.10.0/24

        Then unplug those machines and rescan if you like.
        After that please review: http://www.examiner.com/x-3945-Phoen...onflicker-worm
        Marcel
        Technical Consultant
        Netherlands
        http://www.phetios.com
        http://blog.nessus.nl

        MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
        "No matter how secure, there is always the human factor."

        "Enjoy life today, tomorrow may never come."
        "If you're going through hell, keep going. ~Winston Churchill"

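As an added example (not from Marcel's post or the Nmap project), a small Python triage script that reads the normal (-oN) output of the sweep above and lists which hosts smb-check-vulns flagged as likely infected, so the team knows which machines to unplug. The embedded sample output is constructed and only approximates the script's report format; a host that returns no Conficker verdict (ports filtered, script did not run) is kept in its own bucket rather than assumed clean.

```python
import re

# Constructed sample of nmap -oN output (approximate smb-check-vulns
# format, not real scan data) for three hosts in the swept /24.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.10.5
Host script results:
|  smb-check-vulns:
|  MS08-067: CHECK DISABLED (remove 'safe=1' argument to run)
|  Conficker: Likely INFECTED
|_ regsvc DoS: CHECK DISABLED (add --script-args=unsafe=1 to run)

Nmap scan report for 192.168.10.6
Host script results:
|  smb-check-vulns:
|  MS08-067: CHECK DISABLED (remove 'safe=1' argument to run)
|  Conficker: Likely CLEAN
|_ regsvc DoS: CHECK DISABLED (add --script-args=unsafe=1 to run)

Nmap scan report for 192.168.10.7
PORT    STATE    SERVICE
445/tcp filtered microsoft-ds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)", re.MULTILINE)
CONFICKER_RE = re.compile(r"Conficker:\s*(.+)")


def parse_conficker_results(nmap_output):
    """Map each host to the script's Conficker verdict string; a host
    whose block has no Conficker line gets 'no result' so it is never
    mistaken for a clean machine."""
    results = {}
    starts = list(HOST_RE.finditer(nmap_output))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(nmap_output)
        verdict = CONFICKER_RE.search(nmap_output[m.end():end])
        results[m.group(1)] = verdict.group(1).strip() if verdict else "no result"
    return results


def triage(nmap_output):
    """Bucket hosts into the lists the cleanup team acts on:
    unplug 'infected', rescan 'no_result', leave 'clean' alone."""
    buckets = {"infected": [], "clean": [], "no_result": []}
    for host, verdict in parse_conficker_results(nmap_output).items():
        v = verdict.upper()
        key = "infected" if "INFECTED" in v else "clean" if "CLEAN" in v else "no_result"
        buckets[key].append(host)
    return buckets
```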


        • #5
          Re: Conficker... some questions

          You can follow this article to contain it and keep it from spreading while you clean it up. Note that this process does not remove it, it only contains it and keeps it from spreading. You still have to clean it from infected machines.

          http://support.microsoft.com/kb/962007



          • #6
            Re: Conficker... some questions

            Originally posted by joeqwerty View Post
            You can follow this article to contain it and keep it from spreading while you clean it up. Note that this process does not remove it, it only contains it and keeps it from spreading. You still have to clean it from infected machines.

            http://support.microsoft.com/kb/962007
            Keep scrolling down for the removal instructions.



            • #7
              Re: Conficker... some questions

              Hi guys. We have been working at this for a few days now and are making progress. As Marcel suggested we have been using NMAP, which has been great. One by one we are getting back up to speed. By the end of the week we should have 50% up, I would think (700 clients).

              Thanks for all the suggestions and support. It has all been useful.


              • #8
                Re: Conficker... some questions

                Originally posted by tonyyeb View Post
                Hi guys. We have been working at this for a few days now and are making progress. As Marcel suggested we have been using NMAP, which has been great. One by one we are getting back up to speed. By the end of the week we should have 50% up, I would think (700 clients).

                Thanks for all the suggestions and support. It has all been useful.
                You know the addresses. Awaiting delivery.

                Side question, how did it manage to slip into the network? It was my understanding that if you were patched up to October last year the flaw had been fixed. Was this a mutated variant?
                1 1 was a racehorse.
                2 2 was 1 2.
                1 1 1 1 race 1 day,
                2 2 1 1 2



                • #9
                  Re: Conficker... some questions

                  You're welcome Tony.
                  NMAP is a nice tool huh?
                  Marcel