Best practices always dictate a rebuild when a machine has been compromised. And there's good reason for those best practices. You NEVER know what might have been left behind. The only way to make sure that all the nastiness was removed (how easily can you detect a remote control trojan that only passively monitors inbound icmp packets for command and control, but never opens any tcp or udp ports and is clever in hiding itself in the task list?).

Not to sound like the paranoid security person that I know that I am, but it really is a good idea. Heck, even Microsoft knows it's the best response even when it's only a worm, let alone a manual compromise: http://www.microsoft.com/technet/security/virus/bpdcom.asp

--
Jordan Wiens, CISSP
UF Network Incident Response Team
(352)392-2061

On Thu, 18 Sep 2003, Michael Linke wrote:

> Hello -phlox,
>
> I wrote the message to the list after I removed the process on this machine,
> so it is no longer running there. The registry keys were removed by hand, so
> the machine has been clean for hours.
>
> Now I will write an email to United Colocation to tell them what is running
> on 63.246.134.50...
>
> Regards,
> Michael
>
> _____________________
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On behalf of phlox
> Sent: Wednesday, 17 September 2003 22:34
> To: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] AMDPatchB & InstallStub
>
> We all learn somewhere... that is an IRC server, which hosts drones.. to
> be used to DDoS other servers, companies, and what not, or be used in other
> manners.. which are probably not wanted by you.. so now there is a bot on
> your computer running and connecting to 63.246.134.50. I would contact the owner
> of 63.246.134.50, you can check arin.net for that.. get that taken down..
> and then I would remove the bot from your system.. get hackereliminator.. or
> something to remove the registry keys and the process running on your
> system..
>
> -phlox

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
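Jordan's point about a trojan that takes commands over inbound ICMP without ever opening a port is why a host-side `netstat` check cannot clear a box. The following is an added example (not from the thread, not any listed tool) of the network-side check a responder would run instead: it parses raw IPv4/ICMP packets and flags echo traffic whose payload is not the filler that ordinary ping clients send. The packets, addresses and heuristic thresholds are constructed for the demonstration; a real capture would be read from a tap or pcap.

```python
import socket
import struct

# Filler the Windows ping client sends (32 bytes: 'a'..'w' then 'a'..'i').
WINDOWS_PING_FILLER = bytes(range(ord("a"), ord("w") + 1)) + b"abcdefghi"

def build_ipv4_icmp(src, dst, icmp_type, payload):
    """Constructed test packet: minimal IPv4 header (checksum left 0) + ICMP echo header + payload."""
    total = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 1, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    icmp_hdr = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)   # type, code, csum, id, seq
    return ip_hdr + icmp_hdr + payload

def parse_ipv4_icmp(pkt):
    """Return (src, dst, icmp_type, payload), or None if pkt is not a complete IPv4/ICMP packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 1:     # version 4, protocol 1 = ICMP
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 8:
        return None
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    return src, dst, pkt[ihl], pkt[ihl + 8:]

def looks_like_normal_echo(payload):
    """Heuristic: Windows filler, or the Linux pattern (8-byte timestamp then 0x10, 0x11, ...)."""
    if payload == WINDOWS_PING_FILLER:
        return True
    body = payload[8:]
    return 0 < len(body) <= 240 and body == bytes(range(0x10, 0x10 + len(body)))

def find_suspicious_icmp(packets):
    """Return (src, dst, reason) for every echo request/reply carrying a non-ping payload."""
    findings = []
    for pkt in packets:
        parsed = parse_ipv4_icmp(pkt)
        if parsed is None:
            continue                      # not ICMP: a port-based tool would look here, we skip it
        src, dst, icmp_type, payload = parsed
        if icmp_type in (0, 8) and not looks_like_normal_echo(payload):
            findings.append((src, dst, f"echo type {icmp_type}, {len(payload)}-byte non-ping payload"))
    return findings

# Constructed sample traffic: two ordinary pings, one TCP packet, one echo request carrying a command.
SAMPLE_PACKETS = [
    build_ipv4_icmp("10.0.0.5", "10.0.0.1", 8, WINDOWS_PING_FILLER),
    build_ipv4_icmp("10.0.0.7", "10.0.0.1", 8, b"\x00" * 8 + bytes(range(0x10, 0x40))),
    struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, b"\x0a\x00\x00\x05", b"\x0a\x00\x00\x01") + b"\x00" * 20,
    build_ipv4_icmp("192.0.2.10", "10.0.0.5", 8, b"\x01\x00run:ddos 198.51.100.9\x00"),
]
```

The last packet is the case the thread describes: no listening socket on the victim, just an echo request that a passive sniffer on the host consumes.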
