Full Disclosure mailing list archives
Re: AW: AMDPatchB & InstallStub
From: Jordan Wiens <jwiens () nersp nerdc ufl edu>
Date: Wed, 17 Sep 2003 22:59:56 -0400 (EDT)
Best practices always dictate a rebuild when a machine has been compromised. And there's good reason for those best practices. You NEVER know what might have been left behind. The only way to make sure that all the nastiness was removed (how easily can you detect a remote control trojan that only passively monitors inbound icmp packets for command and control, but never opens any tcp or udp ports and is clever in hiding itself in the task list?). Not to sound like the paranoid security person that I know that I am, but it really is a good idea.

Heck, even Microsoft knows it's the best response even when it's only a worm, let alone a manual compromise: http://www.microsoft.com/technet/security/virus/bpdcom.asp

-- 
Jordan Wiens, CISSP
UF Network Incident Response Team
(352)392-2061

On Thu, 18 Sep 2003, Michael Linke wrote:
Hello -phlox,

I wrote the message to the list after I removed the process on this machine, so it is no longer running there. The registry keys were removed by hand, so the machine has been clean for hours. Now I will write an email to United Colocation to tell them what is running on 63.246.134.50...

Regards,
Michael

_____________________
-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On behalf of phlox
Sent: Wednesday, 17 September 2003 22:34
To: full-disclosure () lists netsys com
Subject: Re: [Full-Disclosure] AMDPatchB & InstallStub

We all learn somewhere... that is an IRC server, which hosts drones.. to be used to DDOS other servers, companies, and what not, or be used in other manners.. which are probably not wanted by you.. so now there is a bot on your computer running and connecting to 63.246.134.50. I would contact the owner of 63.246.134.50, you can check arin.net for that.. get that taken down.. and then I would remove the bot from your system.. get hackereliminator.. or something to remove the registry keys and the process running on your system..

-phlox
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
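Jordan's aside about a trojan that takes its commands from inbound ICMP without ever opening a port is exactly the sort of thing a rebuild sidesteps, but a defender can also look for it on the wire. The following is an added example, not code from anyone in this thread: it parses ICMP echo messages, verifies the checksum, and flags echo payloads that match neither the default Windows ping.exe payload nor the iputils pattern (both recalled from common captures, an assumption) and are dense enough to be carrying data. All sample packets are constructed inline.

```python
import math
import struct
from collections import Counter

WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"  # assumed ping.exe default payload

def icmp_checksum(data: bytes) -> int:
    # RFC 1071 one's-complement sum over header and payload; valid packets sum to 0
    if len(data) % 2: data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(ident: int, seq: int, payload: bytes, icmp_type: int = 8) -> bytes:
    # Only used here to construct sample echo packets with a correct checksum
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def shannon_entropy(data: bytes) -> float:
    if not data: return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_like_iputils(payload: bytes) -> bool:
    # Assumed iputils layout: 8 or 16 byte timestamp, then byte i == i for the rest
    return len(payload) >= 16 and all(payload[i] == (i & 0xFF) for i in range(16, len(payload)))

def classify_icmp(pkt: bytes) -> str:
    # Returns 'short', 'bad-checksum', 'ok', 'suspicious' or 'unknown' for one ICMP message
    if len(pkt) < 8:
        return "short"
    if icmp_checksum(pkt) != 0:
        return "bad-checksum"
    if pkt[0] not in (0, 8):          # only echo request/reply payloads are inspected here
        return "ok"
    payload = pkt[8:]
    if payload == WINDOWS_PING or looks_like_iputils(payload):
        return "ok"
    if len(payload) > 128 or shannon_entropy(payload) > 5.5:
        return "suspicious"           # non-standard, dense payload: worth a closer look
    return "unknown"

# Constructed samples: two normal pings and one echo carrying a high-entropy payload
SAMPLES = {
    "windows": build_echo(1, 1, WINDOWS_PING),
    "linux": build_echo(2, 1, b"\x00" * 16 + bytes(range(16, 56))),
    "odd": build_echo(3, 7, bytes((i * 73 + 11) % 256 for i in range(64))),
}
```

Run against a real capture this is only a first-pass filter: the thresholds are assumptions, and an echo that merely looks unusual is a lead to investigate, not proof of a backdoor.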