Re: First time security issue.

From: John Ives (jivesat_private)
Date: Tue Jul 22 2003 - 09:25:00 PDT


    For my money, I would say yes, rebuild it.  There are the files you found 
    and the intangibles you'll probably never find, like who and why.  You may 
    have a good reason to believe you know what happened, and you may be 
    correct (especially if you have before and after md5 or tripwire hashes), 
    but there are few absolutes. I've recently dealt with a Windows rootkit 
    (derived from Hacker Defender, it appears) and can tell you that you might 
    not know about everything. If our attacker had been a little more subtle we 
    might not have been able to find his/her tracks.  As it was, I am still 
    learning about what happened a month and a half later (it's been a real 
    learning experience with Windows rootkits and how to use forensic tools).
    
    Yours,
    
    John
    
    At 05:47 PM 7/21/2003 +0000, benat_private wrote:
    
    
    >Sorry if this post seems remedial, but I'm pretty new to security.
    >
    >Last week our NT4 PDC detected a virus (Pinfi.a) and put it in quarantine
    >as it should. While cleaning up the files, I noticed a new folder in the
    >WINNT/System32 directory: rmtcfg. It was filled with several .exe and
    >batch scripts.
    >
    >Evidently, someone got in (with admin privileges) and tried to set up an
    >IRC server using an IRC.Flood variant. Luckily, the virus protection
    >kicked in before he could finish setting up the server.
    >
    >I ran handle.exe, listdlls.exe, pslist.exe, fport.exe, and netstat as
    >directed in "Detecting and Removing Trojans and Malicious Code from
    >Win2K."
    >
    >My question is, since the system was compromised and system files and the
    >registry have been replaced/added to, am I just better off formatting
    >the system partition and restoring from a good backup?
    >
    >Thanks,
    >
    >
    >
    
    -------------------------------------------------
    John Ives, GCWN, GSEC
    Systems Administrator
    College of Chemistry
    (510) 643-1033
    
    "If you spend more on coffee than on IT security, then you will be hacked. 
    What's more, you deserve to be hacked."   - Richard Clarke
    
    Any opinions expressed are my own and not those of the Regents of the 
    University of California. 
    
    
    



    This archive was generated by hypermail 2b30 : Tue Jul 22 2003 - 13:26:39 PDT