Re: Rcon trojan

From: Hugo van der Kooij (hvdkooijat_private)
Date: Mon Mar 04 2002 - 14:16:20 PST


    On Mon, 4 Mar 2002, Owen Creger wrote:
    
    > It appears one of our NT boxes has been compromised, and is running the rcon
    > trojan, port 8989
    > Does anyone know how to clean up the mess, or do I need to rebuild the box?
    
    I suggest you follow SOP (Standard Operating Procedures) as if your 
    hardware was lost.
    
     - Unplug the machine from any network.
     - Rebuild the OS from clean media, wiping out all disks.
     - Reinstall relevant applications.
     - Install all fixes and harden the box.
     - Reload data from backup media.
     - Verify the machine is now resilient to all known attacks.
    
    Only AFTER you complete the last step should you bring the system back to 
    the network.
    
    Hugo.
    
    -- 
    All email sent to me is bound to the rules described on my homepage.
        hvdkooijat_private		http://hvdkooij.xs4all.nl/
    	    Don't meddle in the affairs of sysadmins,
    	    for they are subtle and quick to anger.
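The thread identifies the compromise by a listener on TCP port 8989. The following is an added example, not part of the original post or of any tool mentioned in it: a small parser for `netstat -an` output that flags listening sockets on ports an analyst treats as indicators. The sample output, the `SUSPECT_PORTS` set and the function names are constructed for the example; the only value taken from the thread is port 8989.

```python
import re

# Constructed sample of `netstat -an` output in the Windows NT layout.
# This is example data, not output from the host discussed in the thread.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8989           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       192.168.1.20:1034      ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Ports treated as indicators; 8989 is the rcon trojan port named in the thread.
# Extend this set from your own incident notes (assumed list, not authoritative).
SUSPECT_PORTS = {8989}

# One netstat row: protocol, local addr:port, foreign addr[:port], optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S+)?\s*$")


def parse_netstat(text):
    """Return a list of dicts, one per socket row; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, state = m.groups()
        entries.append({
            "proto": proto,
            "local_addr": laddr,
            "local_port": int(lport),
            "foreign": faddr,
            "state": state or "",
        })
    return entries


def suspicious_listeners(text, suspect_ports=SUSPECT_PORTS):
    """TCP sockets in LISTENING state whose local port is in suspect_ports."""
    return [
        e for e in parse_netstat(text)
        if e["proto"] == "TCP"
        and e["state"] == "LISTENING"
        and e["local_port"] in suspect_ports
    ]


if __name__ == "__main__":
    for hit in suspicious_listeners(SAMPLE_NETSTAT):
        print("suspect listener: %(proto)s %(local_addr)s:%(local_port)d" % hit)
```

Treat a hit as confirmation of the indicator, not as the scope of the compromise: a host that is already owned may return altered `netstat` output, so a scan from a separate machine is the more trustworthy view, and either way the answer to "can I clean it?" stays the rebuild procedure above.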
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Mon Mar 04 2002 - 16:18:30 PST