Re: First time security issue.

From: Joe Matusiewicz (joemat_private)
Date: Tue Jul 22 2003 - 08:47:12 PDT

  • Next message: David Vincent: "RE: First time security issue."

    At 01:47 PM 7/21/03, benat_private wrote:
    
    
    >Sorry if this post seems remedial, but I'm pretty new to security.
    >
    >Last week our NT4 PDC detected a virus (Pinfi.a) and put it in quarantine
    >as it should. While cleaning up the files, I noticed a new folder in the
    >WINNT/System32 directory: rmtcfg. It was filled with several .exe and
    >batch scripts.
    >
    >Evidently, someone got in (with admin privileges) and tried to set up an
    >IRC server using an IRC.Flood variant. Luckily, the virus protection
    >kicked in before he could finish setting up the server.
    >
    >I ran handle.exe, listdlls.exe, pslist.exe, fport.exe, and netstat as
    >directed in "Detecting and Removing Trojans and Malicious Code from
    >Win2K."
    >
    >My question is, since the system was compromised and system files and the
    >registry have been replaced/added to, am I just better off formatting
    >the system partition and restoring from a good backup?
    
    Sounds like a plan if you don't want to spend time trying to figure out how 
    they got in.  Most folks I work with don't trust a compromised box and 
    start fresh.  If you do restore from a backup, your system is still 
    vulnerable to the exploit that got you r00ted in the first place.  You 
    better keep up with the patches to the software you're running starting 
    first with the OS.
    
    Hope this helps....
    
    -- Joe
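The poster mentions running fport.exe and netstat as part of the triage. The block below is an added example, not code from either message or from the "Detecting and Removing Trojans" document they cite: it parses a constructed sample in the shape of fport's "Pid Process -> Port Proto Path" table (the column layout, the expected-port set for an NT4 PDC, and the expected image directories are all assumptions for the example, so tune them per host) and flags listeners that either sit on an unexpected port or run from an unexpected directory, such as a binary dropped in a new System32 subfolder. It is a triage aid only; as the reply says, a box that has had an admin-level compromise is rebuilt, not trusted because a script came back clean.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of fport's "Pid Process -> Port Proto Path" table.
# Made-up data for this example, not output captured from the poster's machine.
SAMPLE_FPORT = """\
Pid   Process            Port  Proto Path
8     System         ->  139   TCP
392   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
1216  ircd           ->  6667  TCP   C:\\WINNT\\system32\\rmtcfg\\ircd.exe
1220  psexesvc       ->  1045  TCP   C:\\WINNT\\system32\\rmtcfg\\psexesvc.exe
"""

# Ports an NT4 PDC is expected to listen on (assumption for this example; tune per host).
EXPECTED_PORTS = {135, 139}
# Directories a listening binary is expected to live in directly (assumption for this example).
EXPECTED_DIRS = ("c:\\winnt\\system32\\", "c:\\winnt\\")

# One fport data row; the header line does not match and is skipped.
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")


@dataclass
class Finding:
    pid: int
    process: str
    port: int
    proto: str
    path: str
    reasons: list


def parse_fport(text):
    """Return (pid, process, port, proto, path) tuples for each data row."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pid, proc, port, proto, path = m.groups()
            rows.append((int(pid), proc, int(port), proto, path.strip()))
    return rows


def in_expected_dir(path):
    """True if the image sits directly in an expected directory (no subfolder)."""
    low = path.lower()
    if not low:
        return True  # kernel-owned listener (e.g. System), no image path to judge
    for d in EXPECTED_DIRS:
        # Must be directly inside d: a nested folder like system32\rmtcfg\ fails the check.
        if low.startswith(d) and "\\" not in low[len(d):]:
            return True
    return False


def suspicious_listeners(text):
    """Flag listeners on unexpected ports or running from unexpected locations."""
    findings = []
    for pid, proc, port, proto, path in parse_fport(text):
        reasons = []
        if port not in EXPECTED_PORTS:
            reasons.append(f"port {port} not in expected set")
        if not in_expected_dir(path):
            reasons.append(f"image outside expected directories: {path}")
        if reasons:
            findings.append(Finding(pid, proc, port, proto, path, reasons))
    return findings


if __name__ == "__main__":
    for f in suspicious_listeners(SAMPLE_FPORT):
        print(f"PID {f.pid} {f.process} {f.proto}/{f.port}: " + "; ".join(f.reasons))
```

Run it against real fport output by reading the saved file instead of SAMPLE_FPORT. A listener that passes both checks can still be hostile (a replaced svchost.exe on port 135 would pass), which is why the check complements, rather than replaces, hashing the binaries against known-good copies and the rebuild the reply recommends.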
    
    
    This archive was generated by hypermail 2b30 : Tue Jul 22 2003 - 13:15:49 PDT