John,

While I understand your sentiment, I have to say that I cannot agree with it.

> For my money, I would say yes, rebuild it. There are the files you found
> and the intangibles you'll probably never find, like who and why.

What about the "how"? If the original poster (OP) never discovers how the original compromise occurred, then rebuilding the system does nothing but waste time. Rebuilding and updating the patches may help, but there is a great deal that patching doesn't protect against, such as misconfigurations and weak passwords.

> You may have a good reason to believe you know what happened, and you may be
> correct (especially if you have before and after md5 or tripwire hashes),
> but there are few absolutes.

The reason that Windows incidents many times seem to have few absolutes can largely be attributed to those who are posting not knowing what to look for, or how to look for it. The OP stated that he'd run some tools based on an article I'd written, but never bothered to post his results or analysis.

> I've recently dealt with a windows rootkit (derived from hacker defender it
> appears) and can tell you that you might not know about everything. If our
> attacker had been a little more subtle we might not have been able to find
> his/her tracks. As it was I am still learning about what happened a month
> and a half later (it's been a real learning experience with Windows Rootkits
> and how to use forensic tools).

Again, this condition may have to do w/ the fact that most Windows admins are busy admin'ing, and don't seem to have the cycles to give to learning what to do when an incident occurs. For example, the OP's incident has little if anything (or so it would seem) to do with rootkits. Hacker Defender is a user-mode rootkit...if the process was running with admin privs, then perhaps something else needs to be looked at.

Thanks,
Harlan
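The "before and after md5 or tripwire hashes" point in the quoted reply is the one piece of the thread that turns into a concrete check. The script below is an added example written for this archive, not code from either poster: it builds a hash manifest from a known-good baseline, builds a second one from a post-incident snapshot, round-trips both through the `hash  path` line format that md5sum/sha256sum emit, and classifies every path as added, removed, modified or unchanged. The file paths and contents are constructed for illustration, SHA-256 stands in for the thread's MD5, and the "after" snapshot is assumed to have been hashed from an offline image of the disk, since a user-mode rootkit such as the one described can hide files from any scan run on the live system.

```python
"""Compare a pre-incident file-hash baseline against a post-incident snapshot.

Added example for the integrity-check point raised in the thread; the file
contents, paths and manifest lines below are constructed for illustration.
"""
import hashlib
from typing import Dict, Iterable, List

# Constructed "before" snapshot (path -> contents), standing in for a baseline
# taken when the host was known-good.
BASELINE_FILES: Dict[str, bytes] = {
    "C:/WINDOWS/system32/svchost.exe": b"known-good service host binary",
    "C:/WINDOWS/system32/drivers/etc/hosts": b"127.0.0.1 localhost\r\n",
    "C:/WINDOWS/system32/legacytool.exe": b"utility present only in the baseline",
}

# Constructed "after" snapshot, assumed to be hashed from an offline image of
# the same host so a user-mode rootkit cannot hide files from the scan.
CURRENT_FILES: Dict[str, bytes] = {
    "C:/WINDOWS/system32/svchost.exe": b"known-good service host binary",
    "C:/WINDOWS/system32/drivers/etc/hosts": b"127.0.0.1 localhost\r\n192.0.2.10 update.example\r\n",
    "C:/WINDOWS/system32/unexpected.exe": b"binary that was not in the baseline",
}


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Hash each file's contents; SHA-256 is used in place of the thread's MD5."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def manifest_to_lines(manifest: Dict[str, str]) -> List[str]:
    """Serialise as 'hash  path' lines, the layout md5sum/sha256sum emit."""
    return [f"{digest}  {path}" for path, digest in sorted(manifest.items())]


def parse_manifest(lines: Iterable[str]) -> Dict[str, str]:
    """Parse 'hash  path' lines back into a manifest, skipping blanks and comments."""
    manifest: Dict[str, str] = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, path = line.partition("  ")
        if not path:
            raise ValueError(f"malformed manifest line: {raw!r}")
        manifest[path] = digest.lower()
    return manifest


def compare_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every path as added, removed, modified or unchanged."""
    base_paths, cur_paths = set(baseline), set(current)
    common = base_paths & cur_paths
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
        "unchanged": sorted(p for p in common if baseline[p] == current[p]),
    }


def run_comparison() -> Dict[str, List[str]]:
    """End-to-end: hash both snapshots, round-trip through text, and diff them."""
    baseline = parse_manifest(manifest_to_lines(build_manifest(BASELINE_FILES)))
    current = parse_manifest(manifest_to_lines(build_manifest(CURRENT_FILES)))
    return compare_manifests(baseline, current)


if __name__ == "__main__":
    for category, paths in run_comparison().items():
        print(f"{category}:")
        for p in paths:
            print(f"  {p}")
```

The comparison only answers "what changed on disk", which is exactly the "few absolutes" caveat: a modified `hosts` file and an unexpected binary tell you where to look, not how the attacker got in, so the output is a starting point for the "how" question rather than a substitute for it. The baseline manifest also has to have been stored off the host, since a baseline that an intruder could rewrite proves nothing.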
This archive was generated by hypermail 2b30 : Tue Jul 22 2003 - 14:59:04 PDT