RE: First time security issue.

From: Bojan Zdrnja (Bojan.Zdrnjaat_private)
Date: Tue Jul 22 2003 - 19:58:11 PDT


    > -----Original Message-----
    > From: Harlan Carvey [mailto:keydet89at_private] 
    > Sent: Wednesday, 23 July 2003 8:56 a.m.
    > To: incidentsat_private
    > Subject: Re: First time security issue.
    > 
    > What about the "how"?  If the original poster (OP)
    > never discovers how the original compromise occurred,
    > then rebuilding the system does nothing but waste
    > time.  Rebuilding and updating the patches may help,
    > but there are a great deal of things that patching
    > doesn't protect against, such as misconfigurations and
    > weak passwords.
    
    I'd agree with Harlan here.
    
    However, the process itself depends upon the business needs in front of the
    OP.
    
    In any case, my suggestion would be to reinstall the system and apply all
    patches on it. Also, before this, OP should make a HDD image copy so he can
    do forensics on it and eventually find out what happened with it.
    
    According to what the OP wrote, and as Harlan said as well, I doubt this is
    related to any Windows NT rootkit. Most of the cases I had experience with,
    and which had ServU/IRC-bot being set up, are related to script kiddies who
    just want to collect more machines and use public well-known exploits (or
    weak passwords etc.).
    
    Best regards,
    
    Bojan Zdrnja
    
    
    
    



    This archive was generated by hypermail 2b30 : Wed Jul 23 2003 - 09:52:09 PDT