-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday 22 July 2003 5:01 pm, David Gillett wrote:
> Many admins will find the temptation to try and save
> themselves the effort too hard to resist. Especially
> if they don't really have a "good" backup.
> But unless you've got logs you're not mentioning, you
> don't really know what the intruder did or how far he got
> before the antivirus kicked in.
>
> So I'd say format, reload, verify, and harden the box
> before putting it back on line.
>
> David Gillett

Actually, he cannot do that directly. Take the machine off the network and promote one of your BDCs (if you have any) to a PDC. If you don't have any BDCs then either you'll have to start a domain from scratch or you'll have to take the risk, build one and sync it with your compromised PDC.

Now send out an email to your users and inform them that they will all have to change their passwords. Go to User Manager and set all users to "User must change password at next logon". If anyone did gain access to your PDC and was able to read the registry then they could have exported all users' password hashes to a file and used a tool such as l0phtcrack to begin cracking them. Without third-party or extended password strength libraries you will normally find that l0phtcrack gets about 75% of all users' passwords from their hashes within about 30 seconds on standard desktop hardware.

> > -----Original Message-----
> > From: benat_private [mailto:benat_private]
> > Sent: July 21, 2003 10:48
> > To: incidentsat_private
> > Subject: First time security issue.
> >
> > Sorry if this post seems remedial, but I'm pretty new to
> > security. Last week our NT4 PDC detected a virus (Pinfi.a)
> > and put it in quarantine as it should. While cleaning up the
> > files, I noticed a new folder in the WINNT/System32
> > directory: rmtcfg. It was filled with several .exe and batch
> > scripts. Evidently, someone got in (with admin privileges)
> > and tried to set up an IRC server using an IRC.Flood variant.
> > Luckily, the virus protection kicked in before he could
> > finish setting up the server. I ran handle.exe,
> > listdlls.exe, pslist.exe, fport.exe, and netstat as directed
> > in "Detecting and Removing Trojans and Malicious Code from
> > Win2K." My question is, since the system was compromised and
> > system files and the registry have been replaced/added to,
> > am I just better off formatting the system partition and
> > restoring from a good backup? Thanks,

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE/I8FigSkVLH36ZzoRAkrrAKDkQhS5xq+ZnWMAKQVINot5CejhagCfQU+k
VD34uqyXWYzGyCsfYbRN/ew=
=YkY7
-----END PGP SIGNATURE-----
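The "set every user to must-change-password-at-next-logon" step above is tedious in User Manager once a domain has more than a handful of accounts. The script below is an added example, not part of the original thread and not anything the posters ran: it enumerates the domain's accounts with `net user /domain`, skips a caller-supplied exclusion list, and sets the flag with `net user <name> /domain /logonpasswordchg:yes`. It assumes a domain-admin session on a machine that can reach the PDC and a `net user` that accepts `/logonpasswordchg` (documented for later Windows versions; its availability on NT4 itself is an assumption, and the same one-line `net user` command can be typed by hand in cmd.exe on the PDC if the loop is not wanted). The account names in `$Exclude` are hypothetical placeholders.

```powershell
# Added example (not from the original thread): flag every domain account
# for a password change at next logon after a PDC compromise.
# Assumes: run as a domain admin; "net user" supports /logonpasswordchg
# (assumption for NT4). Service and built-in accounts are excluded because
# forcing a change on an account a service logs on with only breaks the
# service; reset those by hand with a fresh password instead.
param(
    [string[]]$Exclude = @('Administrator', 'Guest', 'svc_backup'),  # hypothetical names
    [switch]$DryRun
)

# "net user /domain" prints a header, a line of dashes, the usernames in
# whitespace-separated columns, then "The command completed successfully."
# Caveat: names containing spaces will be split by the column parser below;
# such accounts must be handled manually.
$raw = net user /domain 2>&1
if ($LASTEXITCODE -ne 0) { throw "net user /domain failed: $raw" }

$names  = @()
$inList = $false
foreach ($line in $raw) {
    $text = [string]$line
    if ($text -match '^-{10,}')              { $inList = $true; continue }
    if ($text -match 'The command completed') { break }
    if ($inList) {
        $names += ($text -split '\s+' | Where-Object { $_ -ne '' })
    }
}

$todo = $names | Where-Object { $Exclude -notcontains $_ }
Write-Host ("{0} accounts found, {1} will be flagged, {2} excluded" -f
            $names.Count, $todo.Count, ($names.Count - $todo.Count))

foreach ($u in $todo) {
    if ($DryRun) {
        Write-Host "would run: net user $u /domain /logonpasswordchg:yes"
        continue
    }
    $out = net user $u /domain /logonpasswordchg:yes 2>&1
    if ($LASTEXITCODE -eq 0) {
        Write-Host "flagged $u"
    } else {
        # Keep going: one failure must not leave the rest of the domain unflagged.
        Write-Warning "failed on ${u}: $out"
    }
}
```

Run it once with `-DryRun` and check the account count against User Manager before running it for real; the parser is deliberately simple and a mismatch means it mis-read the `net user` output. The flag only takes effect when each user next logs on, which is why the post also tells users by email: an attacker who already has the hash dump is cracking it in the meantime, so the sooner users actually change, the less the dump is worth.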
This archive was generated by hypermail 2b30 : Sun Jul 27 2003 - 11:24:57 PDT