Ben,

> Last week our NT4 PDC detected a virus (Pinfi.a) and put it in quarantine
> as it should. While cleaning up the files, I noticed a new folder in the
> WINNT/System32 directory: rmtcfg. It was filled with several .exe and
> batch scripts.

Ques: How do you know that this directory is "new"? Are you saying this b/c you hadn't seen it recently, or b/c of the MAC times associated with the directory and files?

> Evidently, someone got in (with admin privileges) and tried to set up an
> IRC server using an IRC.Flood variant. Luckily, the virus protection
> kicked in before he could finish setting up the server.

Ques: How do you know they got in w/ Admin privileges? Also, you started off by saying that you were looking into a Pinfi.a infection...how do you know that this installation of IRC.flood was halted? Did you find information to that effect, as a result of the anti-virus?

> I ran handle.exe, listdlls.exe, pslist.exe, fport.exe, and netstat as
> directed in "Detecting and Removing Trojans and Malicious Code from Win2K."

Someone actually read that?!?! Wow! What did you find out about the system after running the tools? Was the process for the IRC.flood application running?

> My question is, since the system was compromised and system files and the
> registry have been replaced/added to, am I just better off formatting
> the system partition and restoring from a good backup?

The problem with reinstalling from clean media at this point, and reloading from backup, is that you don't know how the intruder got in. You haven't done a Root Cause Analysis to determine how someone was allegedly able to gain Admin-level access to your system, and reinstalling is likely to leave that same hole (and others) open. You'll simply be facing another compromise.

Also, since there's been no mention of the dates involved, you may have made a backup after your system was compromised, which means that reloading the data onto a "clean" system could be reloading the IRC.flood files, as well.

Also, what system files, in particular, have been replaced? I know that this is an NT4 system, which doesn't have WFP, but when you say that system files have been replaced, what are you referring to?

My thinking is that, based on the information you've provided, you've got an incomplete compromise. Of course, more information would be required, particularly regarding the running processes, and exactly how the compromise occurred, but you may be able to simply clean up the system, bring the patches up to par, lock it down a bit, and be back on your way.

Hope that helps. If you have any questions, drop me a line...

Harlan
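As an added illustration of two points Harlan raises (deciding whether the rmtcfg directory is "new" from its MAC times rather than from memory, and checking whether the last backup already contained the intruder's files), here is a small Python triage script that is not part of the original thread; the file names, timestamps, backup time and detection time are all constructed for the example.

```python
import os
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple

@dataclass
class FileRecord:
    path: str
    mtime: datetime   # M: last content modification
    atime: datetime   # A: last access (an AV scan may refresh this)
    ctime: datetime   # C: creation time on Windows/NTFS; inode-change time on Unix

def stat_record(path: str) -> FileRecord:
    """Read M/A/C times for a real file; only meaningful when run on the suspect host."""
    st = os.stat(path)
    ts = datetime.fromtimestamp
    return FileRecord(path, ts(st.st_mtime), ts(st.st_atime), ts(st.st_ctime))

def timeline(records: List[FileRecord]) -> List[Tuple[datetime, str, str]]:
    """Flatten every M/A/C time into one chronologically sorted event list."""
    events = []
    for r in records:
        events += [(r.mtime, "M", r.path), (r.atime, "A", r.path), (r.ctime, "C", r.path)]
    return sorted(events)

def created_before(records: List[FileRecord], cutoff: datetime) -> List[str]:
    """Paths whose creation time precedes cutoff (e.g. the last backup run)."""
    return sorted(r.path for r in records if r.ctime < cutoff)

def backup_is_suspect(records: List[FileRecord], backup_time: datetime) -> bool:
    """True if any suspect file already existed when the backup was taken,
    i.e. restoring that backup would reload it onto the rebuilt system."""
    return bool(created_before(records, backup_time))

# Constructed sample: files in the rmtcfg directory from the thread, with invented
# timestamps. AV_DETECTED and LAST_BACKUP are likewise invented for the illustration.
AV_DETECTED = datetime(2003, 7, 18, 9, 30)
LAST_BACKUP = datetime(2003, 7, 17, 2, 0)
RMTCFG = r"C:\WINNT\System32\rmtcfg"
SAMPLE = [
    FileRecord(RMTCFG + r"\serv.exe",   datetime(2003, 7, 16, 23, 41), AV_DETECTED, datetime(2003, 7, 16, 23, 41)),
    FileRecord(RMTCFG + r"\start.bat",  datetime(2003, 7, 16, 23, 43), AV_DETECTED, datetime(2003, 7, 16, 23, 43)),
    FileRecord(RMTCFG + r"\rmtcfg.log", datetime(2003, 7, 17, 3, 15), datetime(2003, 7, 17, 3, 15), datetime(2003, 7, 17, 3, 15)),
]

if __name__ == "__main__":
    for when, kind, path in timeline(SAMPLE):
        print(when.isoformat(" "), kind, path)
    print("earliest creation:", min(r.ctime for r in SAMPLE))
    print("backup may contain intruder files:", backup_is_suspect(SAMPLE, LAST_BACKUP))
```

On the live host you would build the record list with `stat_record` over the directory instead of the constructed `SAMPLE`, and read the backup time from the backup job's own log.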
This archive was generated by hypermail 2b30 : Tue Jul 22 2003 - 13:40:32 PDT