Many admins will find the temptation to try and save themselves the effort too hard to resist. Especially if they don't really have a "good" backup. But unless you've got logs you're not mentioning, you don't really know what the intruder did or how far he got before the antivirus kicked in. So I'd say format, reload, verify, and harden the box before putting it back on line.

David Gillett

> -----Original Message-----
> From: benat_private [mailto:benat_private]
> Sent: July 21, 2003 10:48
> To: incidentsat_private
> Subject: First time security issue.
>
> Sorry if this post seems remedial, but I'm pretty new to
> security. Last week our NT4 PDC detected a virus (Pinfi.a)
> and put it in quarantine as it should. While cleaning up the
> files, I noticed a new folder in the WINNT/System32
> directory: rmtcfg. It was filled with several .exe and batch
> scripts. Evidently, someone got in (with admin privileges)
> and tried to set up an IRC server using an IRC.Flood variant.
> Luckily, the virus protection kicked in before he could
> finish setting up the server. I ran handle.exe,
> listdlls.exe, pslist.exe, fport.exe, and netstat as directed
> in "Detecting and Removing Trojans and Malicious Code from
> Win2K." My question is, since the system was compromised and
> system files and the registry have been replaced/added to,
> am I just better off formatting the system partition and
> restoring from a good backup?
>
> Thanks,
This archive was generated by hypermail 2b30 : Tue Jul 22 2003 - 13:42:31 PDT