Security Incidents mailing list archives
Re: Rcon trojan
From: Hugo van der Kooij <hvdkooij () vanderkooij org>
Date: Mon, 4 Mar 2002 23:16:20 +0100 (CET)
On Mon, 4 Mar 2002, Owen Creger wrote:
It appears one of our NT boxes has been compromised, and is running the rcon trojan, port 8989 Does anyone know how to clean up the mess, or do I need to rebuild the box?
I suggest you follow SOP (Standard Operating Procedures) as if your hardware was lost. - Unplug the machine from any network. - Rebuild the OS from a clean media whiping out all disks. - Reinstall releavant applications. - Install all fixes and harden the box. - Reload data from backup media. - Verify the machine is now resiliant to all known attacks. Only AFTER you complete te last step should you bring the system back to the network. Hugo. -- All email send to me is bound to the rules described on my homepage. hvdkooij () vanderkooij org http://hvdkooij.xs4all.nl/ Don't meddle in the affairs of sysadmins, for they are subtle and quick to anger. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Rcon trojan Owen Creger (Mar 04)
- Re: Rcon trojan Hugo van der Kooij (Mar 04)
- Re: Rcon trojan Tom Gerritsen (Mar 04)
- Re: Rcon trojan H C (Mar 05)
- Re: Rcon trojan H C (Mar 05)