djlightning
11-25-2002, 07:37 PM
I am doing some digging thru my file system on my server and I am finding all of these .EML files throughout the server. Did I get hacked or is this a virus??? And how do I get rid of this and what possibly could have been the hole to get in???
Thanks
FeBox
11-25-2002, 07:41 PM
hehe.... .eml....NIMDA !!
all the .eml reminds me of the NIMDA virus...i had it once, was a pain in the butt to finally get the steps down to running the Symantec file because if you rebooted without doing something then they would just replicate again and you had to start over...heh
djlightning
11-25-2002, 07:45 PM
yea, but this is on a Cobalt server. I thought that was a M$ virus
FeBox
11-25-2002, 07:51 PM
yep it is...didn't know you were on a cobalt server hehe....
UH-Matt
11-26-2002, 05:11 AM
Nimda won't affect a cobalt heh.
Have you tried deleting *.eml ? :)
davidb
11-26-2002, 08:58 AM
I'm wondering how they got there in the first place
djlightning
11-26-2002, 10:17 AM
Yea, I can delete them with no problem since the permissions are nobody nobody 0644. I am slowly getting them out since rm -r *.eml isn't mass deleting them. Only 2 things come to mind as to how anyone could get in: either a security hole in a php file that I don't know about, or somehow thru SAMBA on my XP workstation, which I think is very unlikely as well.
Scratching my head still.
djlightning
11-26-2002, 11:14 AM
ok let's add .nws files to the list of chaos now...grrrr:angry:
davidb
11-26-2002, 12:24 PM
oh ya, I forgot about those
BMurtagh
11-26-2002, 12:38 PM
if you were still removing them, try using a bash script to locate all *.eml, then send the results to a txt file, then read from the file and rm -rf them. might save you some time. :)
smartbackups
11-26-2002, 12:50 PM
What directory are these files in? Are you sure that someone isn't just uploading them onto the server? Those files are M$ files and not created from any of the worm virii that I am aware of. You might want to make sure that a client isn't trying to back up his system.
If you want to delete a lot of one particular file you want to use the -f force option so you won't have to answer yes.
So it would be:
rm -f *.eml
I wouldn't use the -rR unless you knew exactly what was below the directory you were deleting; recursive deleting can cause some big problems if you aren't careful.
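The two suggestions above (list the files to a text file first, then remove them; prefer rm -f on files over a recursive rm on a pattern) can be combined into a small script. The reason rm -r *.eml in the original post only removed a few files is that the shell expands *.eml against the current directory alone; -r recurses into directories that match the pattern, it does not search subdirectories for matching files, so find is the right tool. The following is an added example written for this thread, not code posted by anyone in it. It builds a constructed sample tree in a temp directory so it runs offline; on a real box you would pass the web root instead and read the list file before calling remove_listed.

```shell
#!/bin/sh
# Added example: locate Nimda-style *.eml / *.nws droppings below a directory,
# record them in a list file for review, then remove exactly those files.
# Assumptions (not from the thread): the caller supplies the root and the
# list-file path; file names may contain spaces but not newlines.

# Write every regular file named *.eml/*.nws (either case) under "$1" to "$2".
# Nothing is deleted here. Prints the number of files found.
list_droppings() {
    root="$1"
    listfile="$2"
    find "$root" -type f \
        \( -name '*.eml' -o -name '*.EML' -o -name '*.nws' -o -name '*.NWS' \) \
        -print > "$listfile"
    wc -l < "$listfile" | tr -d ' '
}

# Remove the files recorded in "$1", one path per line. Each entry is checked
# to be a regular file and removed with rm -f --, so a stray directory name in
# the list can never trigger a recursive delete. Prints the number removed.
remove_listed() {
    listfile="$1"
    count=0
    while IFS= read -r path; do
        [ -f "$path" ] || continue
        rm -f -- "$path"
        count=$((count + 1))
    done < "$listfile"
    echo "$count"
}

# Constructed sample tree standing in for the server's web root, so the
# example can be run without touching real data. Prints the tree's path.
make_sample_tree() {
    base="$(mktemp -d)"
    mkdir -p "$base/site1/htdocs/sub dir" "$base/site2/htdocs"
    : > "$base/site1/htdocs/readme.eml"
    : > "$base/site1/htdocs/sub dir/desktop.EML"   # space in path, upper case
    : > "$base/site2/htdocs/sample.nws"
    : > "$base/site2/htdocs/index.html"            # legitimate file, must survive
    echo "$base"
}

# Usage: sh cleanup_eml.sh --demo
if [ "${1:-}" = "--demo" ]; then
    root="$(make_sample_tree)"
    list="$root/eml-list.txt"
    echo "found: $(list_droppings "$root" "$list")"
    cat "$list"                       # review step: inspect before deleting
    echo "removed: $(remove_listed "$list")"
    rm -rf "$root"
fi
```

The list file is the review checkpoint: anything that should stay (a client genuinely backing up mail, for instance) can be edited out of it before remove_listed runs. If file names with embedded newlines are a concern, find -print0 with xargs -0 rm -f -- is the robust replacement for the line-oriented list.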
djlightning
11-28-2002, 12:06 PM
Ok, here's the scoop on this, this one has me laughing a bit. Believe it or not it was Nimda. The server was not infected, it was my M$ PC that was infected. NIMDA placed the files in question via SAMBA. It's a weird one but I figured it out.
smartbackups
11-28-2002, 12:23 PM
That is what I thought, good to hear that your server is safe. Also, I STRONGLY recommend getting samba off/disabled/removed/banished from your production server. Look how much time you lost to something as trivial as this. Imagine if you were hacked/compromised?
grega
11-28-2002, 03:24 PM
hey man dl this program http://www.nstalker.com it will scan your server for holes and let you know if your server has rootable holes. you should consider installing a honeypot if you don't already got one, just in case they try it again; it will email you every time it detects a hack and email you with their ISP info and the hacker's keystrokes if they typed anything
good luck take care