Owen,

> It appears one of our NT boxes has been compromised,
> and is running the rcon
> trojan, port 8989
> Does anyone know how to clean up the mess, or do I
> need to rebuild the box?

I'm sure you're going to get responses stating that the box should be rebuilt from clean media. In some cases, this may be sound advice. In incident response, it's not always the best advice.

I understand you can't be specific about the nature of the box (server/workstation, its function, etc). However, here are some things to consider:

1. How did you become aware of the trojan?
2. Are you sure that this is Rcon and not some other program configured to use the port?
3. Do you know how the 'compromise' occurred?

I ask, b/c I teach an incident response course (http://patriot.net/~carvdawg/ir.html) and the thing I find is that even the most competent MS admin doesn't understand the necessary steps of incident response. Sure, reloading the software from clean media is all well and fine...but if you don't know *how* the compromise occurred, how do you protect against it in the future?

Just as food for thought, let's say you just came upon this box. Rcon is a telnet server of sorts, so you might want to get some info about the 'compromise'. Say, a search of recently created files on the system? Or the LastWrite time of the pertinent Registry key (to tie down when the compromise occurred)? Would you be interested in finding out who's connecting to it, if anyone is? I doubt that will work at this point, if the 'bad guy' is monitoring the Incidents list, though.

Anyway, rebuilding the system after a compromise *may* be a good idea, particularly if it's a root or Admin or SYSTEM level compromise. However, you may not have to rebuild. Or, if you do, how do you know you're not rebuilding the same holes that allowed the bad guy in in the first place?

Finally, cleaning the thing off the system is pretty simple.
There are traces of the trojan in the Registry, as well as tools that will do process-to-port mappings for you to show you the .exe files in question.

HTH,
Carv

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
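As an added example (not part of Carv's post or any tool he names), the three triage checks he suggests, carried out on a modern Windows host with PowerShell 5.1 or later; an NT-era box lacks these cmdlets. The port 8989 comes from the thread; the Run key path is assumed as an illustrative autostart location, and the 24-hour file window is an arbitrary choice.

```powershell
# Added triage example (not from the original post). Assumes Windows 8 /
# Server 2012 or later for Get-NetTCPConnection. The Run key is only one
# assumed autostart location; check the key the trojan actually uses.
param(
    [int]$Port = 8989,
    [string]$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# 1. Process-to-port mapping: which executable owns the listener on $Port?
$conns = Get-NetTCPConnection -LocalPort $Port -ErrorAction SilentlyContinue
foreach ($c in $conns) {
    $p = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LocalAddress = $c.LocalAddress; State = $c.State
        Pid = $c.OwningProcess; Name = $p.Name; Path = $p.Path
        StartTime = $p.StartTime
    }
}

# 2. Registry key LastWrite time: the registry provider does not expose it,
#    so call RegQueryInfoKey through P/Invoke and convert the FILETIME.
$sig = @'
[DllImport("advapi32.dll", SetLastError=true)]
public static extern int RegQueryInfoKey(IntPtr hKey, System.Text.StringBuilder lpClass,
    ref uint lpcbClass, IntPtr lpReserved, out uint lpcSubKeys, out uint lpcbMaxSubKeyLen,
    out uint lpcbMaxClassLen, out uint lpcValues, out uint lpcbMaxValueNameLen,
    out uint lpcbMaxValueLen, out uint lpcbSecurityDescriptor, out long lpftLastWriteTime);
'@
$reg = Add-Type -MemberDefinition $sig -Name RegApi -Namespace Triage -PassThru
function Get-RegKeyLastWrite([string]$Path) {
    $key = Get-Item -Path $Path
    $n = [uint32]0; $ft = [long]0   # counts are discarded; only the time matters
    $rc = $reg::RegQueryInfoKey($key.Handle.DangerousGetHandle(), $null, [ref]$n,
        [IntPtr]::Zero, [ref]$n, [ref]$n, [ref]$n, [ref]$n, [ref]$n, [ref]$n, [ref]$n, [ref]$ft)
    if ($rc -ne 0) { throw "RegQueryInfoKey failed with Win32 error $rc" }
    [DateTime]::FromFileTimeUtc($ft)
}
$lastWrite = Get-RegKeyLastWrite $RunKey
"$RunKey last written (UTC): $lastWrite"

# 3. Recently created files: pivot on the key's LastWrite time to see what
#    else landed on disk in the same window (+/- 24 h, arbitrary).
Get-ChildItem -Path $env:SystemRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { [math]::Abs(($_.CreationTimeUtc - $lastWrite).TotalHours) -le 24 } |
    Sort-Object CreationTimeUtc |
    Select-Object CreationTimeUtc, Length, FullName
```

Run it from an elevated prompt; the process path and start time from step 1 give a second timestamp to compare against the key's LastWrite time from step 2.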
This archive was generated by hypermail 2b30 : Tue Mar 05 2002 - 08:30:53 PST