Message-ID: <Pine.LNX.4.58.0309172254030.5567@afybt.areqp.hsy.rqh>
From: jwiens at nersp.nerdc.ufl.edu (Jordan Wiens)
Subject: Re: AMDPatchB & InstallStub
Best practices always dictate a rebuild when a machine has been
compromised. And there's good reason for those best practices. You NEVER
know what might have been left behind. The only way to make sure that all
the nastiness was removed (how easily can you detect a remote control
trojan that only passively monitors inbound icmp packets for command and
control, but never opens any tcp or udp ports and is clever in hiding
itself in the task list?).
Not to sound like the paranoid security person that I know that I am, but
it really is a good idea. Heck, even Microsoft knows it's the best
response even when it's only a worm, let alone a manual compromise:
http://www.microsoft.com/technet/security/virus/bpdcom.asp
--
Jordan Wiens, CISSP
UF Network Incident Response Team
(352)392-2061
On Thu, 18 Sep 2003, Michael Linke wrote:
> Hello -phlox,
>
> I wrote the message to the list after I removed the process on this machine,
> so it is no longer running there. The registry keys were removed by hand, so
> the machine has been clean for hours.
>
> Now I will write an email to United Colocation to tell them what is running
> on 63.246.134.50...
>
> Regards,
> Michael
>
> _____________________
>
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On behalf of phlox
> Sent: Wednesday, 17 September 2003 22:34
> To: full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] AMDPatchB & InstallStub
>
> We all learn somewhere... that is an IRC server, which hosts drones.. to
> be used to DDOS other servers, companies, and what not, or be used in other
> manners.. which are probably not wanted by you.. so now there is a bot on
> your computer running and connecting to 63.246.134.50. I would contact the owner
> of 63.246.134.50, you can check arin.net for that.. get that taken down..
> and then I would remove the bot from your system.. get hackereliminator.. or
> something to remove the registry keys and the process running on your
> system..
>
> -phlox