A client called me at 8:30am yesterday in a panic because they have the Rinbot worm running around in their network. The client is actually a former employer of mine, and they still have much of the same hardware and software as when I was there 6 years ago, which means Dell Pentium 3 400MHz servers and NT 4.0. They kept cleaning up their servers and getting re-infected, so something was getting missed. They have servers spread out between their corporate site and their colocation facility, and the link between the two is a fiber link that has no firewall or any real segmentation at all. So, getting all the servers clean has proven problematic.
The recommended patch for NT to stop Rinbot didn’t work, so I had them temporarily disable the IPC$ share on their important servers, and today we are going to try Determina’s HIPS product to see if we can stop it and identify where it is coming from. We’ll see what happens.
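One cheap way to find where a re-infection is coming from on a flat network like this is to watch which hosts are fanning out to lots of SMB peers. The script below is an added example, not code from the original post or from Determina; it assumes, as the IPC$ workaround implies, that the worm propagates over SMB (TCP 139/445), and it runs over a few constructed connection records (timestamp, source, destination, port) standing in for real firewall or netflow output.

```python
"""Flag hosts that fan out to many distinct SMB peers, a crude way to
localise the re-infection source on an unsegmented network.
Added example, not code from the original post. Assumes the worm spreads
over SMB (TCP 139/445), which is what the IPC$ workaround implies; the log
lines below are constructed, real input would be firewall or netflow records."""
from collections import defaultdict

SMB_PORTS = {139, 445}

# Constructed connection records: "timestamp src_ip dst_ip dst_port"
SAMPLE_LOG = """\
08:30:01 10.0.1.15 10.0.2.40 445
08:30:01 10.0.1.15 10.0.2.41 445
08:30:02 10.0.1.15 10.0.2.42 139
08:30:02 10.0.1.15 10.0.2.43 445
08:30:03 10.0.1.15 10.0.2.44 445
08:30:03 10.0.1.15 10.0.2.45 445
08:30:04 10.0.1.20 10.0.2.40 445
08:30:05 10.0.1.20 10.0.2.40 445
08:30:06 10.0.1.22 10.0.2.10 80
"""


def parse_line(line):
    """Split one constructed record into (timestamp, src, dst, port)."""
    ts, src, dst, port = line.split()
    return ts, src, dst, int(port)


def smb_fanout(log_text):
    """Map each source IP to the set of distinct SMB destinations it touched."""
    peers = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, dst, port = parse_line(line)
        if port in SMB_PORTS:
            peers[src].add(dst)
    return peers


def suspected_spreaders(log_text, threshold=5):
    """Return (src, fan-out) pairs meeting the threshold, highest fan-out first.

    A legitimate client usually talks to a handful of file servers; a host
    touching many distinct SMB peers in a short window is the one to pull
    off the wire and re-examine.
    """
    fan = smb_fanout(log_text)
    hits = [(src, len(dsts)) for src, dsts in fan.items() if len(dsts) >= threshold]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for src, count in suspected_spreaders(SAMPLE_LOG):
        print(f"{src} touched {count} distinct SMB peers")
```

The threshold is deliberately low because the sample is tiny; on real traffic, set it from a baseline of how many file servers a normal host actually talks to, and look at the time window as well as the count, since a backup server will also touch many peers but over a much longer period.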
It’s been a while since I have had to fight one of these buggers. It was actually quite refreshing. Something different, and it brought back memories.
Here’s a pretty cool blog post about Rinbot.
Vet

That definitely sucks.
That brings up a minor point I’ve made on my blog that I have earmarked in my head for future discussion: keeping things updated. Running NT4 on 400MHz Pentiums has its place, but I don’t think it is worth it to any company (other than maybe a dying one) to just maintain the status quo while the rest of the world moves on by. New systems get hit with new bugs, go through a period of maturation and stabilization, but then they get outdated and eventually age and should die. Not only that, but eventually tools are harder to come by. Most of what I use today may or may not work on NT4 (I don’t get the chance to try it out much…hehe).
Ahh, hope you win that fight!