Re: Rcon trojan
From: Hugo van der Kooij (hvdkooij@vanderkooij.org)
Date: 03/04/02
- Previous message: Hugo van der Kooij: "Re: FYI - slow scans for https..."
- In reply to: Owen Creger: "Rcon trojan"
- Next in thread: Tom Gerritsen: "Re: Rcon trojan"
Date: Mon, 4 Mar 2002 23:16:20 +0100 (CET)
From: Hugo van der Kooij <hvdkooij@vanderkooij.org>
To: "'incidents@securityfocus.com'" <incidents@securityfocus.com>
On Mon, 4 Mar 2002, Owen Creger wrote:
> It appears one of our NT boxes has been compromised, and is running the rcon
> trojan, port 8989
> Does anyone know how to clean up the mess, or do I need to rebuild the box?
I suggest you follow SOP (Standard Operating Procedures) as if your
hardware was lost.
- Unplug the machine from any network.
- Rebuild the OS from clean media, wiping out all disks.
- Reinstall relevant applications.
- Install all fixes and harden the box.
- Reload data from backup media.
- Verify the machine is now resilient to all known attacks.
Only AFTER you complete the last step should you bring the system back to
the network.
Hugo.
--
All email sent to me is bound to the rules described on my homepage.
hvdkooij@vanderkooij.org http://hvdkooij.xs4all.nl/
Don't meddle in the affairs of sysadmins,
for they are subtle and quick to anger.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com