December 3rd, 2003, 10:20 PM
Identifying IRC BOT
If the machine was found with IRC bot, how can I check the integrity of the machine to make sure that further compromised was not done? I have checked the logs and other events, but stuck now. Also besides DCC transfer, what are other ways that IRC bot can be dropped to the target?
December 3rd, 2003, 10:31 PM
If you didn't have an md5 checksum of all files before, you probably can't do much. There is a standard database of md5 hashes, but I can't remember where the blazes they were.
Standard wisdom (if you can call it that) is there is virtually no way you can guarantee that you found everything. Best suggestion is complete rofrmat.
There are programs such as Tripwire that can do integrity checks for you (you have to do a little searching for the free versions) But they are only going to help you if you are prepared ahead of time.
As far as methods of infection, I'll have to defer to someone with more knowledge than I have.