Koozali.org: home of the SME Server

Ibays attacked by Worm.Brontok.AF

the-heck

Chance favors the prepared mind.
Ibays attacked by Worm.Brontok.AF
« on: September 10, 2008, 06:24:51 AM »
I know this may not be an SME issue, but I have nowhere else to look for a solution.

All my ibays are infected by Worm.Brontok.AF. ClamAV is putting all the files in quarantine, but the worm still continues to populate.

Any help will be appreciated.

janet

Re: Ibays attacked by Worm.Brontok.AF
« Reply #1 on: September 10, 2008, 06:57:08 AM »
the-heck

A quick general procedure:

* Disconnect the server from the Internet.
* Disconnect all workstations from the network/server.
* Run a virus scan on one workstation and confirm it has no viruses; if it does, clean that workstation first.
* Reconnect the one clean workstation to the server.
* Run a virus scan on the ibays and clean all viruses.
* Run virus scans on all other workstations in standalone mode, i.e. not connected to the network, and clean any viruses if present.
* Run a full scan on the server using clamscan, or schedule a full scan manually in /etc/cron.d/..

Exactly where you go from there depends on how successful all of the above has been, etc.
When everything is clean, reconnect the workstations one by one.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

mmccarn

Re: Ibays attacked by Worm.Brontok.AF
« Reply #2 on: September 12, 2008, 03:13:44 PM »
Three more points:

* From past posts, you should examine any contribs you have installed, in case one of them contains a security issue. PHP has been mentioned as a true security "challenge"...

* Examine any configuration changes you have made to your SME server that might affect network security, such as password-enabled ssh access, creating "0.0.0.0/0" as a "local network", allowing full read/write access to your ibays from the Internet for 'everyone', etc., etc...

* Also from past posts, and from the bold text at the top of each forum post page: if you do begin to suspect an SME security issue, DON'T POST IT HERE. -- email it to security at contribs dot org...

« Last Edit: September 12, 2008, 03:15:35 PM by mmccarn »

Stefano

Re: Ibays attacked by Worm.Brontok.AF
« Reply #3 on: September 12, 2008, 03:29:47 PM »
This is not an SME issue..

Quote
Worm.Win32.Brontok.q is a Windows worm that spreads by email and shared folders.

Alias names:

ClamAV: Worm.Brontok.AF

Check all your clients..

HTH
ciao

Stefano

cactus

http://www.snetram.nl
Re: Ibays attacked by Worm.Brontok.AF
« Reply #4 on: September 12, 2008, 06:16:27 PM »
Quote
Three more points:

* From past posts you should examine any contribs you have installed, in case one of them contains a security issue.  PHP has been mentioned as a true security "challenge"...

* Examine any configuration changes you have made to your SME server that might affect network security, such as password-enabled ssh access, creating "0.0.0.0/0" as a "local network", allowing full read/write access to your ibays from the Internet for 'everyone', etc, etc...

* Also from past posts, and from the bold text at the top of each form post page - if you do begin to suspect a SME security issue, DON'T POST IT HERE. -- email it to security at contribs dot org...


Having an infected file system in this case is most likely due to Samba shares and not to a security leak. This is a Windows worm which, most likely, will be of no harm to the OP's Linux system, but might harm the Windows workstations connected to it. Find the infected system(s), isolate them, clean them, and clean your server, and you should be fine.
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

arne

Re: Ibays attacked by Worm.Brontok.AF
« Reply #5 on: September 14, 2008, 11:39:21 PM »
I guess that this worm is spreading because there are some PCs or some other equipment that are infected and do not have proper virus protection. As it continues to spread, it must spread from somewhere. Worms in general can also spread from storage media like external hard disks and USB memory sticks. (But I don't know if this one can.)

Some info I found: http://www.virusbuster.hu/en/viruslab/descriptions/brontok.cu

I guess it is not likely that the worm spreads from the Samba shares, if "spread" means actively running the processes that belong to the worm. (But you never know ..) Still, it could be an option that the worm is stored and spread passively like "dead data" via the Samba shares, to then be activated as a worm on the user's client.

As I understand it, the SME server has no way of actively preventing a Windows worm from travelling from a Samba share to a Windows client. I guess that if there is some contamination source somewhere, the attacks will continue to come.

I guess it would be a good idea to enable the file system scanner via the server-manager panel to scan the system on a daily basis, so that worms that are eventually stored passively as "data" will be deleted.

I also guess it will be important to identify the source where the infected mails are coming from, if it is spread via mail. It also might be an idea to identify which ibay has worms and who is using this ibay.
« Last Edit: September 14, 2008, 11:45:08 PM by arne »
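Janet's server-side clamscan step and arne's suggestion to work out which ibay keeps getting re-infected, combined into one added shell example that is not code from this thread or from the SME Server project. It assumes the ibays live under /home/e-smith/files/ibays/<ibay>/files (the thread never states the path) and feeds a constructed sample of clamscan output to the summary so it can be exercised without a real infection.

```shell
#!/bin/sh
# Added example for this thread, not SME Server's own code.
# Assumption: ibays are at /home/e-smith/files/ibays/<ibay>/files; override
# IBAY_ROOT if your layout differs.
IBAY_ROOT="${IBAY_ROOT:-/home/e-smith/files/ibays}"

# Scan every ibay and list only infected files. clamscan prints one line per
# hit in the form "/path/to/file: Signature.Name FOUND".
scan_ibays() {
    clamscan -r --infected --no-summary "$IBAY_ROOT"
}

# Group clamscan hits by ibay (first path component under IBAY_ROOT) and by
# signature, so the admin can see which share is being re-infected and with
# what. Reads clamscan output on stdin; prints "ibay signature count" lines.
# Paths that themselves contain ": " would confuse the split and are not handled.
summarize_by_ibay() {
    awk -v root="$IBAY_ROOT/" '
        / FOUND$/ {
            sub(/ FOUND$/, "")                   # drop the trailing verdict
            split($0, kv, ": ")                  # kv[1]=path, kv[2]=signature
            if (index(kv[1], root) != 1) next    # ignore hits outside the ibays
            rest = substr(kv[1], length(root) + 1)
            split(rest, parts, "/")              # parts[1] is the ibay name
            count[parts[1] " " kv[2]]++
        }
        END { for (k in count) print k, count[k] }' | sort
}

# Constructed sample of clamscan output (not from a real scan), used only to
# demonstrate the summary. The /var/tmp line shows a hit outside the ibays
# being filtered out.
sample_scan_output() {
    cat <<'EOF'
/home/e-smith/files/ibays/shared/files/docs/invoice.exe: Worm.Brontok.AF FOUND
/home/e-smith/files/ibays/shared/files/docs/report.doc: OK
/home/e-smith/files/ibays/shared/files/tmp/photo.scr: Worm.Brontok.AF FOUND
/home/e-smith/files/ibays/sales/files/new.exe: Worm.Brontok.AF FOUND
/var/tmp/stray.exe: Worm.Brontok.AF FOUND
EOF
}

# For a daily run, a constructed /etc/cron.d entry would look like
# (adjust the script path to wherever you install it):
#   0 2 * * * root /usr/local/sbin/scan-ibays.sh --scan
if [ "${1:-}" = "--demo" ]; then
    sample_scan_output | summarize_by_ibay
elif [ "${1:-}" = "--scan" ]; then
    scan_ibays | summarize_by_ibay
fi
```

Run with --demo to see the grouped sample; with --scan it runs clamscan for real and summarizes the hits the same way.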