Home page logo
/

basics logo Security Basics mailing list archives

RE: computer with rootkit?
From: "Steven Marco \(Modern Compliance Solutions\)" <smarco () moderncompliancesolutions com>
Date: Wed, 28 Sep 2011 17:36:58 -0600

Hi Frank,

I have come to the point of putting in an imaging system and routinely capturing images of user systems or master 
images and portable profile/application data. Then when an issue like this happens restore the clean image from CD or 
network and always have a spare machine for a happy end-user experience.

The ideal is to publish/stream all apps - private or public cloud for database - and try to remove "stickiness" of 
users to specific desktop/laptops.  So just replace or reimage and move on.

Wish is was that easy but once installed something like Altiris Deployment Server/PXE is still an awesome way to image 
bare metal systems.  Or Acronis for smaller image-to-USB systems and library the images on a NAS.  Then there's 
MokaFive taking VDI to the next level.

Sorry if this digresses.  Best luck.

Thanks,

Steven Marco, CISA, ITIL, HP SA
Modern Compliance Solutions
69 S 1200 E
Lindon, Utah 84042
801.770.1199 - Office
801.472.6371 - Cell

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Francois Yang
Sent: Wednesday, September 28, 2011 3:21 PM
To: Predrag Petrovic
Cc: security basics
Subject: Re: computer with rootkit?

thanks everyone for your suggestions.
I did have the infected system connected to a tap with a linux machine capturing the traffic with tcpdump to a file.
Booting to Safemode worked for about 2 min.
when in Safemode the computer only stays up for about 2 min then does a hard shutdown.
I didn't have any issues with leaving the system up for hours in regular mode.
I tried a few of the software recommended and they all came up with either nothing or pointing to the original file I 
found in the C:\windows directory.
I would love to spend more time on this, but I can't spare more time on this.

thanks for all your suggestions.

Frank

On Wed, Sep 28, 2011 at 3:42 PM, Predrag Petrovic <pedjap () gmail com> wrote:
Hi Francois,

Well usually its the best procedure to reinstall the operating system, 
you never know what is modified. But if you want to investigate 
further I would do the following:
- Isolate the computer from rest of the network
- Forward all traffic from infected machine to an IPS/IDS station to 
detect the possible rootkit/worm/trojan
- Perform cold backup of user data (and user data only) on a system 
which has up to date definitions. This requires to detach the hard 
drive from workstation and attach it to a new one which has up to date 
definitions and is not a critical workstation-server in the network.
- Format the drive and install fresh operating system
- Install security patches and antivirus software
- Restore user data

Best regards,

P.


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and 
who needs an SSL certificate.  We look at how SSL works, how it benefits your company and how your customers can tell 
if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your 
Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing 
management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------





------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault