Security Incidents mailing list archives

Re: Rcon trojan

From: Hugo van der Kooij <hvdkooij () vanderkooij org>
Date: Mon, 4 Mar 2002 23:16:20 +0100 (CET)

On Mon, 4 Mar 2002, Owen Creger wrote:

It appears one of our NT boxes has been compromised, and is running the rcon
trojan, port 8989
Does anyone know how to clean up the mess, or do I need to rebuild the box?


I suggest you follow SOP (Standard Operating Procedures) as if your 
hardware was lost.

 - Unplug the machine from any network.
 - Rebuild the OS from a clean media whiping out all disks.
 - Reinstall releavant applications.
 - Install all fixes and harden the box.
 - Reload data from backup media.
 - Verify the machine is now resiliant to all known attacks.

Only AFTER you complete te last step should you bring the system back to 
the network.

Hugo.

-- 
All email send to me is bound to the rules described on my homepage.
    hvdkooij () vanderkooij org         http://hvdkooij.xs4all.nl/
            Don't meddle in the affairs of sysadmins,
            for they are subtle and quick to anger.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Rcon trojan Owen Creger (Mar 04)
- Re: Rcon trojan Hugo van der Kooij (Mar 04)
- Re: Rcon trojan Tom Gerritsen (Mar 04)
  - Re: Rcon trojan H C (Mar 05)
- Re: Rcon trojan H C (Mar 05)