On Mon, 4 Mar 2002, Owen Creger wrote: > It appears one of our NT boxes has been compromised, and is running the rcon > trojan, port 8989 > Does anyone know how to clean up the mess, or do I need to rebuild the box? I suggest you follow SOP (Standard Operating Procedures) as if your hardware was lost. - Unplug the machine from any network. - Rebuild the OS from a clean media whiping out all disks. - Reinstall releavant applications. - Install all fixes and harden the box. - Reload data from backup media. - Verify the machine is now resiliant to all known attacks. Only AFTER you complete te last step should you bring the system back to the network. Hugo. -- All email send to me is bound to the rules described on my homepage. hvdkooijat_private http://hvdkooij.xs4all.nl/ Don't meddle in the affairs of sysadmins, for they are subtle and quick to anger. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Mar 04 2002 - 16:18:30 PST