RE: First time security issue.

From: David Gillett (gillettdavid_at_fhda.edu)
Date: 07/22/03

    To: <ben@benbailey.net>, <incidents@securityfocus.com>
    Date: Tue, 22 Jul 2003 09:01:57 -0700


      Many admins will find the temptation to try and save
    themselves the effort too hard to resist. Especially
    if they don't really have a "good" backup.
      But unless you've got logs you're not mentioning, you
    don't really know what the intruder did or how far he got
    before the antivirus kicked in.

      So I'd say format, reload, verify, and harden the box
    before putting it back on line.

    David Gillett

    > -----Original Message-----
    > From: ben@benbailey.net [mailto:ben@benbailey.net]
    > Sent: July 21, 2003 10:48
    > To: incidents@securityfocus.com
    > Subject: First time security issue.
    >
    > Sorry if this post seems remedial, but I'm pretty new to
    > security. Last week our NT4 PDC detected a virus (Pinfi.a)
    > and put it in quarantine as it should. While cleaning up the
    > files, I noticed a new folder in the WINNT/System32
    > directory: rmtcfg. It was filled with several .exe and batch
    > scripts. Evidently, someone got in (with admin privileges)
    > and tried to set up an IRC server using an IRC.Flood variant.
    > Luckily, the virus protection kicked in before he could
    > finish setting up the server. I ran handle.exe,
    > listdlls.exe, pslist.exe, fport.exe, and netstat as directed
    > in "Detecting and Removing Trojans and Malicious Code from
    > Win2K." My question is, since the system was compromised and
    > system files and the registry have been replaced/added to,
    > am I just better off formatting the system partition and
    > restoring from a good backup? Thanks,
    > --------------------------------------------------------------
