November 28th, 2004, 04:06 PM
I wouldn't. I'd want to find out HOW this happened first before doing a format/re-install. Otherwise the hole still exists. And wiping may not be a solution if sensitive data is on there (and no backup or recent backup has been made). A definate task after whatever has been dealt with (access retrieved) would be to determine how this happened and prevented it from happening again (appropriate patches, upgrades, disabling floppy/CDRom, locking USB, restricting access to server/server room, etc.)
.. if I had a machine that had been that seriously compromised I would want to do a format and re-install.
It is wise, however, to get permission to do this activity in writing from the boss (this would be a CYA).
November 28th, 2004, 04:18 PM
well the hole could have been just leaving some one alone with the comp i mean they could have used a boot disk or even have booted off a usb stick which is even easer to hide then a cd then once they copied the sams and they syskey they may have just done what they needed. it would not be a hard thing to do but i would reformate it after you got what you need off of it because mmore then likely if they wanted somthing off of their or if they just wanted to piss or keep pising people off their is a backdoor.
November 28th, 2004, 04:37 PM
My comments partly related to my own environment, which is physically secure..................
So here is a typical "conference room box" that is not secure, and is used for "morning messages" which I have assumed to be non-sensitive. After all if you had a machine with sensitive data on it that had been compromised, would you advertise the fact on AO?
However, because of previous [physical and password security] problems the admin account's password has been changed by some one who has not come forward. Formatting is out of the question...
Not very high security I guess. In my experience, these are the boxes are the most easily compromised.
Now, there is a big difference betweeen what you do on your own equipment, and what you do when you are going to submit a bill for your time? I guess that is what I was alluding to?
I would clean it and secure it, because I would not have sufficient information to perform a meaningful forensic analysis (and would not be paid, anyways )
We agree entirely on updating and locking down (and CYA ...........I liked that one, not noticed it before!)
My only difference is that which I could reasonably expect to charge for
November 28th, 2004, 05:31 PM
A good security admin. should never relent. Fight back, push the hacker out of your sys.,
I would never format the hard disk, I will find out the password change it, trace all the rootkits or trojans or worms, identify the hacker, defeat him.
mr.Nhili Never relent.
November 28th, 2004, 06:36 PM
i am guessing that this is not a server client network this comp is on. so tracing all the rootkits would be good if they uesed any because i am guessing that they did not come in through the internet but had physical access so a rootkit would not be needed he could do it manualy because if he didn't enter from the internet their would be no roughter logs or incomming connection logs. rember this is a school many students love to try and do this kind of stuff to say they beat the system which the haven't but SK's dont know that.
A good security admin. should never relent. Fight back, push the hacker out of your sys.I would never format the hard disk, I will find out the password change it, trace all the rootkits or trojans or worms, identify the hacker, defeat him.