Some other things.... From Symantec's description, Pinfi is a network aware worm, so if someone with adequate privileges got infected, it would have dropped itself there. You have to look at virus detections in unexpected places (and certainly your PDC would be such) as a clue you've got a problem elsewhere, and here it seems clear that you've got another infected box used by someone with serious privileges, or you've got bad practices being done by people who have direct access to the box in question. I would think that whether or not your PDC is internet facing (and that depends largely on your firewall configs) should guide you on finding how the incursion occurred.

Same deal with the mIRC channel trojan dropper. McAfee describes it as this: http://vil.nai.com/vil/content/v_100427.htm. The latter is more than a little troubling, and maybe it was used to introduce the former, but I really wouldn't rule out very bad practices.

The critical question is whether Pinfi was detected by real time or scheduled scanning. If the latter, and if (and it seems it must have been) it was executed with Domain Admin privileges, then you've got to do a sweep as it's probably sitting silently on all your servers (and perhaps all your workstations, depending on your config).

It's also troubling that you had a Pinfi detection at all; it is not prevalent.

-----Original Message-----
From: Giles Coochey [mailto:gilesat_private]
Sent: Sunday, July 27, 2003 8:11 AM
To: gillettdavidat_private; benat_private; incidentsat_private
Subject: Re: First time security issue.

**********************************************************************
This e-mail is sent by a law firm and contains information that may be privileged and confidential. If you are not the intended recipient, please delete the e-mail and notify us immediately.
***********************************************************************

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday 22 July 2003 5:01 pm, David Gillett wrote:
> Many admins will find the temptation to try and save themselves the
> effort too hard to resist. Especially if they don't really have a
> "good" backup. But unless you've got logs you're not mentioning, you
> don't really know what the intruder did or how far he got before the
> antivirus kicked in.
>
> So I'd say format, reload, verify, and harden the box before putting
> it back on line.
>
> David Gillett
>

Actually, he cannot do that directly. Take the machine off the network and promote one of your BDCs (if you have any) to a PDC. If you don't have any BDCs then either you'll have to start a domain from scratch or you'll have to take the risk, build one and sync it with your compromised PDC.

Now send out an email to your users and inform them that they will all have to change their passwords. Go to User Manager and set all users to "User must change password at next logon". If anyone did gain access to your PDC and were able to read the registry then they could have exported all users' password hashes to a file and used a tool such as l0phtcrack to begin cracking them. Without third-party or extended password strength libraries you will normally find that l0phtcrack gets about 75% of all users' passwords from their hashes within about 30 seconds on standard desktop hardware.

> > -----Original Message-----
> > From: benat_private [mailto:benat_private]
> > Sent: July 21, 2003 10:48
> > To: incidentsat_private
> > Subject: First time security issue.
> >
> > Sorry if this post seems remedial, but I'm pretty new to security.
> > Last week our NT4 PDC detected a virus (Pinfi.a) and put it in
> > quarantine as it should. While cleaning up the files, I noticed a
> > new folder in the WINNT/System32 directory: rmtcfg. It was filled
> > with several .exe and batch scripts. Evidently, someone got in (with
> > admin privileges) and tried to set up an IRC server using an
> > IRC.Flood variant. Luckily, the virus protection kicked in before he
> > could finish setting up the server. I ran handle.exe, listdlls.exe,
> > pslist.exe, fport.exe, and netstat as directed in "Detecting and
> > Removing Trojans and Malicious Code from Win2K." My question is,
> > since the system was compromised and system files and the registry
> > have been replaced/added to, am I just better off formatting the
> > system partition and restoring from a good backup? Thanks,

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE/I8FigSkVLH36ZzoRAkrrAKDkQhS5xq+ZnWMAKQVINot5CejhagCfQU+k
VD34uqyXWYzGyCsfYbRN/ew=
=YkY7
-----END PGP SIGNATURE-----
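As an added example that is not part of this thread (it is neither ben's, Giles's nor any tool vendor's code): the fport/netstat check ben describes produces a process-to-port listing, and the useful triage question on a box like his PDC is "which listening sockets are owned by a binary that does not live where a stock NT4 service should". The script below parses a constructed fport-style listing and flags exactly that, which would have surfaced anything running out of the unexpected WINNT\System32\rmtcfg folder. The column layout is an approximation of fport's "Pid Process -> Port Proto Path" output, the sample lines are constructed for the example, and the expected-directory list is an assumption for a default NT4 install.

```python
"""Triage helper for fport-style process/port listings.

Added example, not code from the original thread. It flags listening ports
whose owning executable lives outside the directories a stock NT4 system's
services are expected to run from, which is the kind of clue the original
poster found (a dropper under WINNT\\System32\\rmtcfg).
"""
import re
from dataclasses import dataclass

# Constructed sample in an fport-like layout (not real output from the incident).
# Pids, names, ports and paths are all made up for the example.
SAMPLE_FPORT = """\
FPort - TCP/IP Process to Port Mapper (constructed sample)

Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
8     System         ->  139   TCP   
8     System         ->  445   TCP   
1204  mirc           ->  6667  TCP   C:\\WINNT\\system32\\rmtcfg\\mirc.exe
1388  serv           ->  7000  TCP   C:\\WINNT\\system32\\rmtcfg\\serv.exe
412   lsass          ->  500   UDP   C:\\WINNT\\system32\\lsass.exe
"""

# Assumption: on a default NT4 install, legitimate listening services live
# directly in these directories. A binary listening from a subfolder of
# system32, or from anywhere else, is worth a closer look.
EXPECTED_DIRS = ("c:\\winnt\\system32", "c:\\winnt")

# One fport data line: pid, process name, "->", port, protocol, optional path.
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")


@dataclass
class PortEntry:
    pid: int
    process: str
    port: int
    proto: str
    path: str


def parse_fport(text):
    """Parse fport-style text into PortEntry objects, skipping banner/header lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pid, proc, port, proto, path = m.groups()
        entries.append(PortEntry(int(pid), proc, int(port), proto, path.strip()))
    return entries


def is_unexpected(entry):
    """True when the owning binary sits outside EXPECTED_DIRS.

    Kernel-owned ports (process "System", no image path) are not flagged here;
    they are reviewed separately against the host's expected service list.
    """
    if not entry.path:
        return False
    directory = entry.path.lower().rsplit("\\", 1)[0]
    return directory not in EXPECTED_DIRS


def suspicious_entries(text):
    """Return the listening sockets whose image path is not where it should be."""
    return [e for e in parse_fport(text) if is_unexpected(e)]


if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_FPORT):
        print(f"REVIEW pid={e.pid} {e.proto}/{e.port} {e.process} -> {e.path}")
```

On the constructed sample the two entries under the rmtcfg folder are reported and the stock svchost/lsass listeners are not. In a real sweep of the kind the first reply recommends, the same parser can be run over listings collected from every server, with the expected-directory list adjusted to the build standard of the domain.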
This archive was generated by hypermail 2b30 : Mon Jul 28 2003 - 10:06:17 PDT