Month: December 2005

  • Disinfecting a PC… part 11

    All in all, what I’ve documented was a bit over three hours’ worth of attention to the machine (much more for the full scans, but I didn’t have to stand and watch them.) I didn’t document a sidetrip to a second antivirus scanner. It’s nice to see a system cleaned up that had been so thoroughly infected. There are a couple of other notes I should pass along, though. When a system has been trojaned, the BEST advice is to wipe the disc and reinstall from scratch. (Erase/reformat/install from scratch.)

  • Network administration over the holidays

    Nobody wants to be tied to their job over the holidays, but what if someone has hacked your servers and is using your machine to scam thousands of people a day? Does that keep for two weeks? Does someone monitor the abuse address? Incidents.org has a post on messages they’ve received from people who reported problems to abuse administrators and got back vacation notices saying that things are basically on “autopilot until sometime next year.”

  • Linux php-exploit bot

    Incidents.org writes to remind us that bots aren’t just for Windows. The recent PHP exploits have seen the use of the “kaiten” bot. After infecting the system, it connects to an IRC server. It would primarily target Linux systems. They do give a very good way to blunt most Linux bot-style malware…

  • The 2nd journey begins… Mandriva 2006 upgrade 2 – Part 10

    I think it’s time to wrap things up. The KDE start new session option is back after the changes to the /etc/kde/kdm/kdmrc file I mentioned in a previous post. There are no outstanding issues from the upgrade. (I need to adjust the font sizes down a bit, but that’s not a big deal.) This series, of course, has been spread out over days. The actual event covered two afternoons/evenings. The first day was the attempted urpmi upgrade (which didn’t go too well.)

  • Category Restructuring

    I’ll likely be adding a few more categories to better be able to organize my posts. When I started out with this format, I thought nested categories were a good idea. After seeing them in practice, I’m thinking I may wind up renaming some existing categories so that things maybe will make a bit more sense. Anyway, this is just a “heads up” to let you know that the structure of categories will likely be changing if not this week, after the new year.

  • Network Security guide for the home or small business network – Part 11 – Why?

    Alright, so you’re still reading this series and you’re thinking: “Look, I’m not protecting national security secrets. All I’m doing is (running a business|emailing my grandkids|using the web for research).”

    True, good point. You’re not at the defense department. OK. Let’s say you just use your computer for email and web browsing. That’s low priority stuff, right? No sensitive information on your PC? Do you ever do banking online? Yes – then you should be concerned… No? You should still be concerned… here’s why…

  • Disinfecting a PC… part 10

    Before I get things wrapped up, I like to scan, rinse and repeat until the scans come up clean. So, this scan of AVG gives a chance to delete the archive entry I mentioned on the first pass it took. And Spybot gets updated from the internet and re-runs. All looks clean there… Ad-aware gets an update check and runs again. Everything there looks clean now. The next thing to do is disable and uninstall tightvnc. I don’t want to leave bhodemon running at boot, or the tea-timer from Spybot, now that things are fairly settled.

  • Giving the gift of PC security

    Brian Krebs at the securityfix has a good article for those who are getting a new PC for Christmas (or those who know someone who is.) He has a nice outline of setting up limited privilege user accounts, installing Windows updates, using a firewall and using antivirus. This is a nice concise guide to get a Windows machine tweaked to a fairly secure state.

  • More on the Santa IM worm

    There are a couple of stories out about the Santa IM worm, otherwise known as IM.GiftCom.All. First up, SANS has some interesting analysis of it. It appears that it’s being hosted at 69.56.129.67; when run, it resolves smtp.girlsontheblock.com to 38.118.133.241 and attempts to open tcp port 53. It renames itself as c:\windows\winrpc.exe and sets up shop as “Windows RPC Services”. They’re saying that instead of a worm it should more accurately be termed a bot with replicating capabilities, since it is reliant on controls from an outside site. (From their analysis I presume the 69. IP address above?)

  • Quicktime and iTunes vulnerabilities

    Details of a vulnerability in Apple’s QuickTime and iTunes are reported at betanews.com. Secunia also has an advisory. It is listed as moderately critical and affects the current version of both QuickTime and iTunes on Mac or Windows.
