Curated by: Luigi Canali De Rossi

Friday, November 12, 2004

How To Clean A Compromised, Corrupted, Infected Or Hacked-Into Computer System: Wipe It Clean?

"A healthy infusion of paranoia tends to be remarkably useful when protecting networks. One of the worst mistakes a security administrator can make is to assume everything is OK."

You all know well that the possibility of a hacker intruding into your organization's systems has not sharply decreased in recent times. Since even major and highly secure information systems (like those of banks or military units) have been broken into, you should expect that such an unfortunate event is not too far or remote for anyone.

The Pentagon itself has gone out in the past to find some good hackers to defend itself.

Be aware that your IT department's assurances that your own network is secure all need to be verified. Often, saying that the network is secure only means that your IT administrator hasn't been able to break into your system; that doesn't mean someone else couldn't.

So, giving such a possibility its due credit, would you be prepared to handle the aftermath of such an event?

If a nice group of hackers broke into your company servers and information systems overnight, would you be prepared to take specific actions upon discovery?

Jesper Johansson, who is a MIS Ph.D. and a Security Program Manager with Microsoft, has recently written a very interesting article on "How A Criminal Might Infiltrate Your Network".

The article provides lots of useful strategic information that can allow you a better understanding of the strategy and logic behind most online attacks.

"One of the great mysteries in security management is the modus operandi of criminal hackers. If you don't know how they can attack you, how can you protect yourself from them?"

His illustrated report is all about increasing awareness of how to protect yourself by first understanding how online criminals operate, taking advantage of your own mistakes and oversights.

What do you do then upon discovery that your network and servers have been hacked?

"1) You cannot clean a system by using the most recent backup.
You may not be able to trust your latest backup. It may be a backup that includes all the backdoors currently on the system.

2) You cannot clean a compromised system by patching it.
Patching only removes the vulnerability. Once an attacker gets into your system, you should assume that he or she has ensured there are several other ways to get back in.

3) You cannot clean a compromised system by removing the backdoors.
You can never guarantee that you found all the backdoors the attacker put in. The fact that you cannot find any more may only mean you do not know where to look, or that the system is so compromised that what you are seeing is not actually what is there.

4) You cannot clean a compromised system by using some "vulnerability remover."
Let's say your system was hit by Blaster. A number of vendors (including Microsoft) published vulnerability removers for Blaster. Can you trust a system that had Blaster after the tool is run? I wouldn't. If the system was vulnerable to Blaster, it was also vulnerable to a number of other attacks. Can you guarantee that none of those have been run against it? I didn't think so.

5) You cannot clean a compromised system by using a virus scanner.
A fully compromised system cannot be trusted to tell you the truth. Even virus scanners must at some level rely on the system to not lie to them. If they ask whether a particular file is present, the attacker may simply have a tool in place that lies about it. If you can guarantee that the only thing that compromised the system was a particular virus or worm and you know that this virus has no backdoors associated with it, and the vulnerability used by the virus was not available remotely, then a virus scanner can be used to clean the system."
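As an added illustration of the trust problem behind points 3 and 5 (example code written for this page, not from Jesper's article or the original post): the check runs on a separate, trusted analysis host over an offline copy of the suspect disk, comparing file hashes with a manifest built from known-good installation media, so it never asks the compromised operating system about its own files. The directory names, manifest and sample files below are constructed for the demo. Note what the result can and cannot tell you: a mismatch is evidence of tampering and helps scope the incident; an empty report proves nothing, because the manifest only covers the files you knew to check, which is exactly why the recommendation is still to rebuild.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash one file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Hash every regular file under root, keyed by path relative to root.
    Run this against known-good media (e.g. the original install image),
    never against the suspect machine itself."""
    manifest = {}
    for p in root.rglob("*"):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def compare_offline_image(manifest: dict[str, str], image_root: Path) -> dict[str, list[str]]:
    """Compare an offline-mounted disk image against the trusted manifest.
    Only the analysis host's own kernel and Python read the files; no binary
    from the suspect system is executed, so a rootkit there cannot answer
    the question 'is this file present and unchanged?' on its own behalf.
    Returns modified, missing and unexpected paths (all relative)."""
    found = build_manifest(image_root)
    modified = sorted(p for p in manifest if p in found and found[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in found)
    unexpected = sorted(p for p in found if p not in manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo() -> dict[str, list[str]]:
    """Constructed sample: a 'known-good' tree and a 'suspect' copy of it
    with a replaced binary, a removed binary and an extra file (hypothetical
    names, not real system paths)."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "install_media"    # trusted source of the manifest
        suspect = Path(tmp) / "mounted_image"  # offline copy of the suspect disk
        for root in (good, suspect):
            (root / "bin").mkdir(parents=True)
            (root / "bin" / "ls").write_bytes(b"original ls binary")
            (root / "bin" / "ps").write_bytes(b"original ps binary")
        # Tampering present only in the suspect copy
        (suspect / "bin" / "ps").write_bytes(b"trojaned ps binary")
        (suspect / "bin" / "extra").write_bytes(b"unexpected file")
        (suspect / "bin" / "ls").unlink()

        manifest = build_manifest(good)
        return compare_offline_image(manifest, suspect)


if __name__ == "__main__":
    report = demo()
    for kind, paths in report.items():
        print(f"{kind}: {paths}")
    # An empty report would NOT mean the image is clean: files the manifest
    # does not cover (new accounts, scheduled tasks, data files) are unchecked.
```

In practice the manifest comes from the vendor's media or a hash database, the image is mounted read-only on a dedicated analysis machine, and the findings feed the incident timeline; they are not used to "clean" the machine in place.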

But there is definitely quite a bit more to it, and Jesper has really nailed this down to the last bit for you in the sidebar box that appears at the bottom of his essay.

His final recommendation remains unchanged:

"The only proper way to clean a compromised system is to flatten and rebuild it."

In simple words, what Jesper recommends is to completely wipe the system clean and rebuild it from scratch.

In his view this is a much better way to go about it than any of the solutions listed above.

Do you agree?

See also: "The Day After: Your First Response To A Security Breach"
by Kelly J. Cooper

Reference: Jesper Johansson [via Steven Bink]
Readers' Comments

2006-01-13 11:33:12

I totally agree, I think that computer security is a huge issue, millions of people have absolutely no idea that their computer is being exploited for spamming, phishing, DDOS attacks etc. and put their faith in unbelievably weak, rubbish products (Norton I hate you ;-) ). Clean install is not that difficult if you are well organised, back up your files etc. I must say that I am really looking into the idea of using a program like Ghost next time (Norton grrr!).

posted by Robin Good on Friday, November 12 2004, updated on Tuesday, May 5 2015

This work is licensed under a Creative Commons License.