Message-ID: <Pine.LNX.4.58.0309172254030.5567@afybt.areqp.hsy.rqh>
From: jwiens at nersp.nerdc.ufl.edu (Jordan Wiens)
Subject: Re: AMDPatchB & InstallStub

Best practices always dictate a rebuild when a machine has been
compromised.  And there's good reason for those best practices.  You NEVER
know what might have been left behind.  The only way to make sure that all
the nastiness was removed (how easily can you detect a remote control
trojan that only passively monitors inbound ICMP packets for command and
control, but never opens any TCP or UDP ports and is clever in hiding
itself in the task list?).

Not to sound like the paranoid security person that I know that I am, but
it really is a good idea.  Heck, even Microsoft knows it's the best
response even when it's only a worm, let alone a manual compromise:

http://www.microsoft.com/technet/security/virus/bpdcom.asp

-- 
Jordan Wiens, CISSP
UF Network Incident Response Team
(352)392-2061

On Thu, 18 Sep 2003, Michael Linke wrote:

> Hello -phlox,
>
> I wrote the message to the list after I removed the process on this machine,
> so it is no longer running there. The registry keys were removed by hand, so
> the machine has been clean for hours.
>
> Now I will write an email to United Colocation to tell them what is running
> on 63.246.134.50...
>
> Regards,
> Michael
>
> _____________________
>
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On behalf of phlox
> Sent: Wednesday, 17 September 2003 22:34
> To: full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] AMDPatchB & InstallStub
>
> We all learn somewhere... that is an IRC server which hosts drones.. to
> be used to DDoS other servers, companies, and whatnot, or be used in other
> manners.. which are probably not wanted by you.. so now there is a bot on
> your computer running and connecting to 63.246.134.50. I would contact the
> owner of 63.246.134.50, you can check arin.net for that.. get that taken
> down.. and then I would remove the bot from your system.. get
> hackereliminator.. or something to remove the registry keys and the process
> running on your system..
>
> -phlox
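Jordan's point is that an implant which only listens for ICMP opens no port and shows nothing in a socket listing, so it has to be hunted on the wire rather than on the host. The following is an added example, not code from this thread or from any of its authors: it parses constructed IPv4/ICMP frames, verifies the ICMP checksum, and flags echo requests or replies whose data is not the stock pattern a normal ping carries. The address 63.246.134.50 is the one named in the thread; the other addresses, the command text, and the assumed iputils data pattern are made up for the example.

```python
"""Network-side triage of ICMP echo traffic for covert command and control.

Added example, not code from the original thread. Every packet in CAPTURE is
constructed; 63.246.134.50 is the address named in the thread, the rest is assumed.
"""
import math
import socket
import struct

# Stock data of Windows ping.exe: 32 bytes, 'a'..'w' then 'a'..'i'.
WINDOWS_PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"


def linux_ping_data(length: int) -> bytes:
    """Approximation (assumed) of iputils ping data: an 8-byte timestamp
    followed by sequential byte values; used both to build and to recognise
    a stock Linux ping in this example."""
    timestamp = struct.pack("!II", 1063830000, 123456)
    return timestamp + bytes((0x10 + i) & 0xFF for i in range(length - 8))


def rfc1071_checksum(data: bytes) -> int:
    """One's-complement sum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src: str, dst: str, icmp_type: int, ident: int, seq: int,
                data: bytes) -> bytes:
    """Build an IPv4 packet carrying one ICMP echo message (type 8 or 0)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + data
    icmp = icmp[:2] + struct.pack("!H", rfc1071_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0,
                     64, 1, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", rfc1071_checksum(ip)) + ip[12:]
    return ip + icmp


def parse_frame(frame: bytes):
    """Return the ICMP fields of an IPv4 frame, or None if it is not ICMP."""
    if len(frame) < 20 or frame[0] >> 4 != 4 or frame[9] != 1:
        return None
    icmp = frame[(frame[0] & 0x0F) * 4:]
    if len(icmp) < 8:
        return None
    icmp_type, code, checksum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    recomputed = rfc1071_checksum(icmp[:2] + b"\x00\x00" + icmp[4:])
    return {"src": socket.inet_ntoa(frame[12:16]),
            "dst": socket.inet_ntoa(frame[16:20]),
            "type": icmp_type, "code": code, "id": ident, "seq": seq,
            "data": icmp[8:], "checksum_ok": recomputed == checksum}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniformly random, plain text sits around 4 to 5."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_data(data: bytes) -> str:
    """Label echo data: stock ping patterns versus things a ping never sends."""
    if data == WINDOWS_PING_DATA:
        return "stock-windows-ping"
    if len(data) >= 16 and data[8:] == linux_ping_data(len(data))[8:]:
        return "stock-linux-ping"
    if not data:
        return "empty"
    printable = sum(32 <= b < 127 for b in data) / len(data)
    if printable > 0.9:
        return "printable-text"      # reads like a command or its output
    if shannon_entropy(data) > 6.0:
        return "high-entropy"        # reads like encrypted or compressed data
    return "unknown"


def triage(frames, watch_hosts=()):
    """Flag echo packets with non-ping data, bad checksums or watched peers."""
    findings = []
    for index, frame in enumerate(frames):
        pkt = parse_frame(frame)
        if pkt is None or pkt["type"] not in (0, 8):
            continue
        reasons = []
        label = classify_data(pkt["data"])
        if label not in ("stock-windows-ping", "stock-linux-ping"):
            reasons.append("data:" + label)
        if not pkt["checksum_ok"]:
            reasons.append("bad-checksum")
        if pkt["src"] in watch_hosts or pkt["dst"] in watch_hosts:
            reasons.append("watched-host")
        if reasons:
            findings.append({"frame": index, "src": pkt["src"],
                             "dst": pkt["dst"], "reasons": reasons})
    return findings


# Constructed capture: two ordinary pings, then an echo request carrying a
# text command from the address named in the thread, and a reply to it whose
# data is a made-up byte sequence with no repeats (looks encrypted).
CAPTURE = [
    build_frame("10.0.0.5", "10.0.0.1", 8, 1, 1, WINDOWS_PING_DATA),
    build_frame("10.0.0.9", "10.0.0.1", 8, 2, 1, linux_ping_data(56)),
    build_frame("63.246.134.50", "10.0.0.5", 8, 7, 1, b"exec tasklist /v"),
    build_frame("10.0.0.5", "63.246.134.50", 0, 7, 1,
                bytes((i * 97 + 13) % 256 for i in range(200))),
]

if __name__ == "__main__":
    for finding in triage(CAPTURE, watch_hosts={"63.246.134.50"}):
        print(finding)
```

To use it on a real incident, replace CAPTURE with the raw IPv4 packets read from a capture taken at the border or on a span port; the stock-pattern checks only model the two ping implementations above, so on a mixed network expect to whitelist a few more patterns before the findings are worth reading, and treat a watched-host hit as evidence to preserve before the rebuild Jordan recommends rather than as something to clean up by hand.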

