Thanks, that is awesome advice. I am starting there and running OSSIM and trying to analyze. Ya, I could use 2 more people for sure, but thanks everyone again; the advice given is invaluable. Keep any ideas coming. I will be trying a lot of things and hopefully can post what works and my experience to help others. TR
On Sep 2, 2010 3:08 PM, "Chris Keladis" <[email protected]> wrote:
> On Fri, Sep 3, 2010 at 5:24 AM, Tyler Robinson <[email protected]> wrote:
>
> Hey Tyler,
>
>> Thanks everyone for all the ideas. The environment has about 350 machines at
>> least, all on a flat domain; can't VLAN due to stupid software configurations. I
>> have several systems that have to be live all the time (911 systems) and
>> VMware ESX servers in a cluster. Any other suggestions are again so much
>> appreciated. I am willing to try just about anything right now. I have a lot
>> of angry users right now due to network performance (for their Facebooking, I
>> am sure) wanting this fixed, and the sheriff's department has its busiest week
>> of the year starting Sat, so please, no idea will not be tried.
>
> Ouch! Sounds like you need more hands and eyes on the problem :)
>
> The only thing I can think of, bar running around to 350 PCs, is maybe
> sample a few to understand what malware you've got going on.
>
> Make use of Microsoft's (ex-Sysinternals) tools to investigate.
> AutoRuns, ProcExp, etc etc.
>
> One handy tip when using ProcExp: don't "kill" malicious processes;
> rather, "pause" or "freeze" them. Most malware these days has SIGKILL
> handlers to spawn their cousins when they're killed, and you end up with
> more problems.
>
> Once you understand what you've got going on you can perhaps download
> a removal tool and make everyone run it.
>
> Also keep in mind sensitive information may have been leaked by the
> malware, so once you have a handle on the situation, change ALL
> passwords, and follow up on anything important that might have leaked
> out of the organization (this may have ramifications down the track).
>
> Most malware infections these days aren't one-offs (they use
> droppers, stagers, load root-kits and other add-ons), so you can try to
> control the primary infection on the LAN, but at some point manual
> review will be needed as well, e.g., booting off a USB key/CD and
> checking for rootkits etc etc.
>
> Also tell people to stop using any form of removable media to avoid
> the (re)spread in or out of the organization, until you get a handle
> on the situation.
>
> Maybe you can script something and use Sysinternals tools like
> "pslist" to copy a process list to a share you can then analyze
> further? Maybe set up a job via the RunOnce reg-key or Scheduler and
> ask everyone to reboot (RunOnce) or wait (Scheduler), so you at least
> get a peek into the processes running and can make a plan of attack.
>
> Hope I've given you some practical advice; unfortunately, since the
> previous admin hadn't set up controls to mitigate, you face a very
> difficult task.
>
> But, this disaster may give you the ammunition you need to make improvements! :)
>
>
> Cheers,
>
> Chris.
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
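Chris's suggestion of having every PC drop its pslist output on a share and then analyzing it is the step where a small script pays off on 350 machines: processes that appear on only one or two hosts are the ones worth pulling into ProcExp/AutoRuns first. The following is an added example, not code from this thread or from Sysinternals. It assumes each PC saved its report as `<hostname>.txt` on the share, approximates the pslist column layout (banner lines, then a table whose first two columns are Name and Pid) and uses constructed sample data; the `updsvc` process name and the host names are invented for the demonstration.

```python
"""Aggregate per-host pslist reports and rank processes by how few hosts
run them.  Rarity is a triage heuristic, not proof of infection: the
rare entries are what you sample manually next."""
import re
from collections import defaultdict
from pathlib import Path

# Matches the pslist column header; everything before it is banner text.
HEADER_RE = re.compile(r"^Name\s+Pid\b")


def parse_pslist(text):
    """Return {pid: lowercased process name} from one pslist report.
    Only the first two columns (Name, Pid) are read."""
    procs = {}
    in_table = False
    for line in text.splitlines():
        if not in_table:
            in_table = bool(HEADER_RE.match(line))
            continue
        parts = line.split()
        if len(parts) < 2 or not parts[1].isdigit():
            continue  # blank line or something that is not a table row
        procs[int(parts[1])] = parts[0].lower()
    return procs


def load_reports(share_dir):
    """Read <hostname>.txt files from the share where each PC dropped its pslist."""
    return {p.stem: p.read_text(errors="replace")
            for p in Path(share_dir).glob("*.txt")}


def process_prevalence(reports):
    """reports: {hostname: pslist_text}.  Returns {process name: set of hosts}."""
    seen = defaultdict(set)
    for host, text in reports.items():
        for name in set(parse_pslist(text).values()):
            seen[name].add(host)
    return seen


def rare_processes(reports, max_hosts=1, baseline=frozenset()):
    """Processes running on at most max_hosts hosts and not in the known-good
    baseline, as [(name, sorted hosts)], rarest first then by name."""
    rare = [(name, sorted(hosts))
            for name, hosts in process_prevalence(reports).items()
            if len(hosts) <= max_hosts and name not in baseline]
    rare.sort(key=lambda item: (len(item[1]), item[0]))
    return rare


def _fake_report(host, names):
    """Build a CONSTRUCTED pslist-style report for one host (sample data)."""
    rows = [f"{n:<18}{pid:>5}   8  10  100   1000    0:00:00.100     0:10:00.000"
            for pid, n in enumerate(names, start=100)]
    return (f"pslist v1.29 - Sysinternals PsList\n"
            f"Process information for {host}:\n\n"
            "Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time\n"
            + "\n".join(rows) + "\n")


# Constructed sample: three hosts share a normal process set, one host runs an
# odd extra process (invented name) and one runs a benign but rare program.
COMMON = ["System", "smss", "csrss", "winlogon", "services", "lsass", "svchost", "explorer"]
SAMPLE_REPORTS = {
    "WS-001": _fake_report("WS-001", COMMON),
    "WS-002": _fake_report("WS-002", COMMON),
    "WS-003": _fake_report("WS-003", COMMON + ["updsvc"]),   # constructed odd one out
    "WS-004": _fake_report("WS-004", COMMON + ["notepad"]),  # rare but expected
}


if __name__ == "__main__":
    # Replace SAMPLE_REPORTS with load_reports(r"\\server\share\pslist") for real use.
    total = len(SAMPLE_REPORTS)
    print(f"{'process':<20}{'hosts':>6}  where")
    for name, hosts in rare_processes(SAMPLE_REPORTS, max_hosts=2, baseline={"notepad"}):
        print(f"{name:<20}{len(hosts):>3}/{total:<3} {', '.join(hosts)}")
```

Put anything you have already confirmed benign (site-specific tools, the rare-but-legitimate `notepad` above) into `baseline` so the list stays short, and raise `max_hosts` once the primary infection is known to sit on more than a handful of PCs.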
