Moderator note: Compromised Windows Server thread

[Jesse Gough <jgough () securityfocus com>]

Hello list,

To save us from rehashing what comes up fairly frequently on Incidents, 
I ask that replies to this thread (and future incident response threads 
for that matter) focus specifically on details of the incident in question.

Two clashing schools of thought are, "wipe clean and reinstall from 
known-good sources" and those that oppose this, with the belief that 
proper disinfection is possible. There are plausible theoretical and 
practical arguments for both sides (and personally, I am an advocate of 
the former, which if proper backup/recovery procedures are in place as 
they should be, the expense incurred is relatively minimal), but these 
should not be introduced into every new thread. Perhaps if there is 
enough interest, a thread dedicated to sound incident handling 
procedures could be started.

For general incident response practices, I recommend the recent thread 
(Jan 2006), "REVIEW: Incident Reponse", Douglas Schweitzer", which 
discussed said book and eventually other books and resources as well.

Thanks!

-JG

------------------------------------------------------------------------------
This List Sponsored by: Black Hat

Attend the Black Hat Briefings & Training USA, July 29. August 3 in Las Vegas. 
World renowned security experts reveal tomorrow.s threats today. Free of 
vendor pitches, the Briefings are designed to be pragmatic regardless of your 
security environment. Featuring 36 hands-on training courses and 10 conference 
tracks, networking opportunities with over 2,500 delegates from 40+ nations. 

http://www.blackhat.com
------------------------------------------------------------------------------