Educause Security Discussion mailing list archives

Re: Win2003 Server, IPSEC & HackerDefender


From: "Berbeco, Robert W" <rberbeco () IUPUI EDU>
Date: Tue, 10 Aug 2004 11:54:45 -0500

Hackerdefender can be removed remotely. Hiding itself from remote viewing
tends to be its weakness and it runs as a service.

I have successfully removed it from multiple systems and have also used GPOs
to disable HackerDefender. However, I agree that ultimately the system(s)
should be rebuilt, as others have mentioned.

Bob Berbeco, M.S., MCSE, GSEC
Manager of Network Services and Security
IU Department of Medicine
575 West Drive, XE 010F
Indianapolis, Indiana 46202-5205
(317) 278-1098
(317) 312-2497 (pager)
(317) 274-7499 (fax)
rberbeco () iupui edu
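The point Bob makes above, that a user-mode rootkit which hides its service from tools run on the box is usually still visible when the box is enumerated from elsewhere, is the basis of the cross-view check below. This is an added example, not code from the thread or from either poster: it gathers the service list from the suspect host's own API, then from a clean machine via the remote SCM, WMI and remote registry, and reports any service the remote views see that the on-box view does not. The host name `SUSPECT-HOST`, the `-LocalListPath` parameter and the requirement that WinRM and Remote Registry be reachable are all assumptions made for the example.

```powershell
# Added example, not code from the thread: cross-view diff of the Windows
# service list on a suspect host. A user-mode rootkit that hooks the service
# and registry enumeration APIs can filter what code running on the box sees,
# but a clean host querying the target's SCM, WMI provider and registry
# remotely gets an unfiltered answer; this script reports the gap.
#
# Assumptions (none of these come from the original post):
#   - $Target is a hypothetical host name you hold administrative rights on.
#   - Run from Windows PowerShell 5.1; Get-Service -ComputerName was removed
#     in PowerShell 7 (use Get-CimInstance there).
#   - The Remote Registry service is running on $Target for the registry view.
#   - WinRM is enabled on $Target so Invoke-Command can obtain the on-box view;
#     if it is not, run `Get-Service | Select-Object -ExpandProperty Name`
#     on the box, save the output and pass the file via -LocalListPath.
[CmdletBinding()]
param(
    [string]$Target = 'SUSPECT-HOST',
    [string]$LocalListPath
)

function Get-OnBoxServiceNames {
    # The "local" view: enumeration performed by code running on the suspect
    # host itself, which is the view a user-mode rootkit can filter.
    if ($LocalListPath) {
        return Get-Content -Path $LocalListPath | Where-Object { $_ -ne '' }
    }
    Invoke-Command -ComputerName $Target -ScriptBlock {
        Get-Service | Select-Object -ExpandProperty Name
    }
}

function Get-ScmServiceNames {
    # Remote SCM view over RPC from this (clean) machine.
    Get-Service -ComputerName $Target | Select-Object -ExpandProperty Name
}

function Get-WmiServiceNames {
    # Remote WMI/CIM view: an independent code path from the SCM client API.
    Get-CimInstance -ClassName Win32_Service -ComputerName $Target |
        Select-Object -ExpandProperty Name
}

function Get-RegistryServiceNames {
    # Remote registry view: every Win32 service has a key under
    # HKLM\SYSTEM\CurrentControlSet\Services with Type 0x10 (own process) or
    # 0x20 (shared process); kernel drivers (0x1, 0x2) are skipped.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Target)
    try {
        $root = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services')
        foreach ($name in $root.GetSubKeyNames()) {
            $key = $root.OpenSubKey($name)
            if ($null -ne $key) {
                $type = $key.GetValue('Type')
                if ($null -ne $type -and (($type -band 0x30) -ne 0)) { $name }
                $key.Close()
            }
        }
        $root.Close()
    } finally {
        $hklm.Close()
    }
}

function Compare-ServiceViews {
    # Emits one object per (service, remote view) pair where the remote view
    # lists a service that the on-box enumeration does not.
    $onBox = @(Get-OnBoxServiceNames)
    $views = @{
        'SCM (remote)'      = @(Get-ScmServiceNames)
        'WMI (remote)'      = @(Get-WmiServiceNames)
        'Registry (remote)' = @(Get-RegistryServiceNames)
    }
    foreach ($viewName in $views.Keys) {
        foreach ($name in $views[$viewName]) {
            if ($onBox -notcontains $name) {
                [pscustomobject]@{
                    Service     = $name
                    SeenBy      = $viewName
                    HiddenOnBox = $true
                }
            }
        }
    }
}

Compare-ServiceViews | Sort-Object Service, SeenBy | Format-Table -AutoSize
```

Any service name that shows up in the output is one the box's own API refuses to report, which is exactly the behaviour of a rootkit service and a good starting point for further triage. An empty result does not prove the host is clean (a rootkit that also filters the RPC and registry server paths would not be caught), so it does not change the advice in the thread to rebuild and rotate credentials.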

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Weeks, Calvin W.
Sent: Tuesday, August 10, 2004 11:41 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Win2003 Server, IPSEC & HackerDefender

I would agree. Wipe the drive and start all over and change all passwords
associated with the infected machine(s). This has been the only way that we
have been able to remove H.D. Rootkit.
For the IPSEC configurations we use the NSA guides, and if sample
configurations are needed, please request them from me at cweeks () ou edu. We have
samples for most services.



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~Calvin Weeks, (CISSP), CISM, EnCE
~Director, OU Cyber Forensics Lab
~University of Oklahoma
~http://security.ou.edu


**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.


Attachment: smime.p7s