Re: First time security issue.

From: Chris Ess (azarinat_private)
Date: Tue Jul 22 2003 - 09:53:43 PDT


    > Sorry if this post seems remedial, but I'm pretty new to security.
    >
    > Last week our NT4 PDC detected a virus (Pinfi.a) and put it in quarantine
    > as it should. While cleaning up the files, I noticed a new folder in the
    > WINNT/System32 directory: rmtcfg. It was filled with several .exe and
    > batch scripts.
    >
    > Evidently, someone got in (with admin privileges) and tried to set up an
    > IRC server using an IRC.Flood variant. Luckily, the virus protection
    > kicked in before he could finish setting up the server.
    >
    > I ran handle.exe, listdlls.exe, pslist.exe, fport.exe, and netstat as
    > directed in "Detecting and Removing Trojans and Malicious Code from
    > Win2K."
    >
    > My question is, since the system was compromised and system files and the
    > registry have been replaced/added to, am I just better off formatting
    > the system partition and restoring from a good backup?
    
    In a word: Yes.
    
    Many people suggest reformatting after any compromise in security.  In the
    world of my day job, that is sometimes not feasible.  (Time-sensitive
    issues.)  If you are unable to determine precisely what an attacker did
    and how they got in, your best bet is to reformat.  If you can determine
    exactly and precisely what they have done (sometimes a hard task on unix
    systems and I imagine near impossible on some Windows installations), you
    can cleanse the system of their taint, restore any modified binaries, and
    go back to running like usual once you patch the hole.
    
    Since it seems like you are unable to determine exactly what they changed
    or the breadth of the modification is so great, I would suggest a
    reformat.  Back up any user data you may need and hope you have a recent
    backup of the registry from before the compromise.
    
    Good luck.
    
    Sincerely,
    
    
    Chris Ess
    System Administrator / CDTT (Certified Duct Tape Technician)
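    The decision Chris describes turns on whether you can list exactly what the attacker changed. The following is an added example (not code from this thread or from either poster) showing that check as a hash-manifest diff: a manifest of the system directory taken before the compromise is compared against the current state, surfacing additions such as the rmtcfg folder the original poster found. The directory layout and file contents are constructed sample data; the tampered cmd.exe is a hypothetical addition for illustration.

    ```python
    # Added example (not from the thread): baseline-vs-current hash manifest diff.
    # If a manifest of the system directory exists from BEFORE the compromise,
    # this lists exactly which files were added, modified or removed; without
    # such a baseline that determination is not possible, hence the reformat.
    import hashlib
    import os
    import tempfile


    def build_manifest(root):
        """Map each file under root (relative, '/'-separated) to its SHA-256."""
        manifest = {}
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                with open(path, "rb") as fh:
                    manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
        return manifest


    def diff_manifests(baseline, current):
        """Return sorted lists of added, modified and removed paths."""
        added = sorted(set(current) - set(baseline))
        removed = sorted(set(baseline) - set(current))
        modified = sorted(p for p in baseline
                          if p in current and baseline[p] != current[p])
        return {"added": added, "modified": modified, "removed": removed}


    def _write(root, rel, data):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


    def demo():
        """Constructed data: a pre-compromise baseline, then the post-break-in state."""
        with tempfile.TemporaryDirectory() as root:
            _write(root, "cmd.exe", b"legit cmd")
            _write(root, "drivers/etc/hosts", b"127.0.0.1 localhost")
            baseline = build_manifest(root)
            # What the original poster found: a new rmtcfg folder holding .exe
            # and batch files, plus (hypothetically) one tampered system binary.
            _write(root, "rmtcfg/run.bat", b"@echo off")
            _write(root, "rmtcfg/serv.exe", b"MZ...")
            _write(root, "cmd.exe", b"trojaned cmd")
            return diff_manifests(baseline, build_manifest(root))
    ```

    Running demo() reports rmtcfg/run.bat and rmtcfg/serv.exe as added and cmd.exe as modified; on a real host the baseline manifest must come from a trusted snapshot, since one hashed after the break-in tells you nothing.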
    
    This archive was generated by hypermail 2b30 : Tue Jul 22 2003 - 13:50:38 PDT