Full Disclosure mailing list archives

Re: AW: AMDPatchB & InstallStub


From: Jordan Wiens <jwiens () nersp nerdc ufl edu>
Date: Wed, 17 Sep 2003 22:59:56 -0400 (EDT)

Best practices always dictate a rebuild when a machine has been
compromised.  And there's good reason for those best practices.  You NEVER
know what might have been left behind.  It's the only way to make sure that
all the nastiness was removed (how easily can you detect a remote control
trojan that only passively monitors inbound icmp packets for command and
control, but never opens any tcp or udp ports and is clever in hiding
itself in the task list?).

Not to sound like the paranoid security person that I know that I am, but
it really is a good idea.  Heck, even Microsoft knows it's the best
response even when it's only a worm, let alone a manual compromise:

http://www.microsoft.com/technet/security/virus/bpdcom.asp

-- 
Jordan Wiens, CISSP
UF Network Incident Response Team
(352)392-2061

On Thu, 18 Sep 2003, Michael Linke wrote:

Hello -phlox,

I wrote the message to the list after I removed the process on this machine,
so it is no longer running there. The registry keys were removed by hand, so
the machine has been clean for hours.

Now I will write an email to United Colocation to tell them what is running
on 63.246.134.50...

Regards,
Michael

_____________________

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On behalf of phlox
Sent: Wednesday, 17 September 2003 22:34
To: full-disclosure () lists netsys com
Subject: Re: [Full-Disclosure] AMDPatchB & InstallStub

We all learn somewhere... that is an IRC server, which hosts drones.. to
be used to DDoS other servers, companies, and what not, or be used in other
manners.. which are probably not wanted by you.. so now there is a bot on
your computer running and connecting to 63.246.134.50. I would contact the
owner of 63.246.134.50, you can check arin.net for that.. get that taken
down.. and then I would remove the bot from your system.. get
hackereliminator.. or something to remove the registry keys and the process
running on your system..

-phlox

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
