Security Basics mailing list archives
RE: computer with rootkit?
From: "Steven Marco \(Modern Compliance Solutions\)" <smarco () moderncompliancesolutions com>
Date: Wed, 28 Sep 2011 17:36:58 -0600
Hi Frank, I have come to the point of putting in an imaging system and routinely capturing images of user systems or master images and portable profile/application data. Then when an issue like this happens restore the clean image from CD or network and always have a spare machine for a happy end-user experience. The ideal is to publish/stream all apps - private or public cloud for database - and try to remove "stickiness" of users to specific desktop/laptops. So just replace or reimage and move on. Wish is was that easy but once installed something like Altiris Deployment Server/PXE is still an awesome way to image bare metal systems. Or Acronis for smaller image-to-USB systems and library the images on a NAS. Then there's MokaFive taking VDI to the next level. Sorry if this digresses. Best luck. Thanks, Steven Marco, CISA, ITIL, HP SA Modern Compliance Solutions 69 S 1200 E Lindon, Utah 84042 801.770.1199 - Office 801.472.6371 - Cell -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Francois Yang Sent: Wednesday, September 28, 2011 3:21 PM To: Predrag Petrovic Cc: security basics Subject: Re: computer with rootkit? thanks everyone for your suggestions. I did have the infected system connected to a tap with a linux machine capturing the traffic with tcpdump to a file. Booting to Safemode worked for about 2 min. when in Safemode the computer only stays up for about 2 min then does a hard shutdown. I didn't have any issues with leaving the system up for hours in regular mode. I tried a few of the software recommended and they all came up with either nothing or pointing to the original file I found in the C:\windows directory. I would love to spend more time on this, but I can't spare more time on this. thanks for all your suggestions. Frank On Wed, Sep 28, 2011 at 3:42 PM, Predrag Petrovic <pedjap () gmail com> wrote:
Hi Francois, Well usually its the best procedure to reinstall the operating system, you never know what is modified. But if you want to investigate further I would do the following: - Isolate the computer from rest of the network - Forward all traffic from infected machine to an IPS/IDS station to detect the possible rootkit/worm/trojan - Perform cold backup of user data (and user data only) on a system which has up to date definitions. This requires to detach the hard drive from workstation and attach it to a new one which has up to date definitions and is not a critical workstation-server in the network. - Format the drive and install fresh operating system - Install security patches and antivirus software - Restore user data Best regards, P.
------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------ ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- Re: computer with rootkit?, (continued)
- Re: computer with rootkit? Kurt Buff (Sep 28)
- RE: computer with rootkit? Mikesch, David A (Sep 28)
- Re: RE: computer with rootkit? Adam Pal (Sep 29)
- Message not available
- Re: computer with rootkit? Tyler Johnson (Sep 28)
- Re: computer with rootkit? John Morrison (Sep 28)
- RE: computer with rootkit? Quigley, Joe (Sep 28)
- Re: computer with rootkit? admin lewis (Sep 28)
- Re: computer with rootkit? Matias Katz (Sep 28)
- Re: computer with rootkit? admin lewis (Sep 28)
- Re: computer with rootkit? Predrag Petrovic (Sep 28)
- Re: computer with rootkit? Francois Yang (Sep 28)
- RE: computer with rootkit? Steven Marco (Modern Compliance Solutions) (Sep 29)
- Re: computer with rootkit? Francois Yang (Sep 28)
- Re: computer with rootkit? Jamie Ivanov (Sep 28)
- RE: computer with rootkit? Brian Rogalski (Sep 29)
- Re: computer with rootkit? Jamie Ivanov (Sep 29)
- Re[2]: computer with rootkit? Adam Pal (Sep 29)
- Re: Re[2]: computer with rootkit? Jamie Ivanov (Sep 29)
- RE: computer with rootkit? Dan Lynch (Sep 29)
- Re: computer with rootkit? Jamie Ivanov (Sep 29)
- RE: computer with rootkit? Joe DeMarco (Sep 29)
- Re: computer with rootkit? Jamie Ivanov (Sep 29)
- RE: computer with rootkit? Dan Lynch (Sep 30)
- Re: computer with rootkit? Jamie Ivanov (Sep 29)