On 4/5/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] <[EMAIL PROTECTED]> wrote: > > Before you do the proper thing and flatten it and reinstall from trusted > sources..ask yourself your real intrusion points.... if the computer was > merely "on", "people" should be able to get on the box without > > a. a backdoor implanted on their first probably by your teenagers > surfing and downloading free software
You should verify this is the way they got in, you can do that by checking their browsing history and reviewing the event log for newly installed applications. Also, if you have the file that is infected, you can check the creation date, then search for other files modified in that time. Verify that your files havent been touched. Scan your critical docs/apps to see what the last accessed time is and compare that to the timestamp on the backdoor. The problem with forensics is that you have to have a plan in hand when you start the investigation. Performing a full scan with symantec will change the last accessed time, and you probably already deleted the backdoor, so it may be really hard to find out what was done to your system. If this is true, you should take only txt files and wipe and reload the machine. Also try NOD32 rather than symantec for AV. It is a lot harder to beat. -JP
