[41513] in Resnet-Forum


Re: Malware Live CD removal anyone?

daemon@ATHENA.MIT.EDU (Hall, Rand)
Fri Jan 13 10:04:03 2017

Message-ID:  <CANajV=MgEtxtGzNEKQ2DeuSue2of4_ZeEBLpQN03o2vOO9TspA@mail.gmail.com>
Date:         Fri, 13 Jan 2017 08:02:35 -0500
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: "Hall, Rand" <hallr@MERRIMACK.EDU>
To: RESNET-L@listserv.nd.edu
In-Reply-To:  <CANtPpk586wLZmSmLiu0zB+NnHFr7qJuQi4xTroSMyFAoaiRdMg@mail.gmail.com>


Hi Mike,

Go with your true gut and nuke those machines. Use it as the basis for a
few good discussions. Leverage the rebuild pain and you'll come away with
much more than a lab full of machines that *might* be clean.

1) Why is it that we usually nuke machines? (because we can't guarantee
cleanliness)
2) Why is it that we have that opinion for single machines but are willing
to compromise on a whole lab full?
3) What does "cleaning" do for your credibility (on that and other issues)
with all of the people you've been preaching "nuke" to?
4) How'd the image get compromised? (Maybe the most important question)
5) How do we know other images are not compromised?
6) Is the current deployment method still workable or does it need to be
revisited? (thin, layered, virtualized apps, etc)
7) Is all of the software necessary? (not a question that is usually easy
to ask politically but you may be able to get some mercy from fence-sitters
who might say, "Well, I guess I don't need that anymore")

Sounds good in theory, I know! :-)

Hard work. Good luck to you.


Rand

Rand P. Hall
Director, Network Services                 askIT!
Merrimack College
978-837-3532
rand.hall@merrimack.edu

If I had an hour to save the world, I would spend 55 minutes defining the
problem and five minutes finding solutions. – Einstein

On Thu, Jan 12, 2017 at 11:36 AM, Mike King <me@mpking.com> wrote:

> So we've just had something happen that hasn't happened in a long time.
>
> We had a lab image have a virus on it, and a very large lab was deployed
> with the image.
>
> Of course, the lab has a lot of custom software that was not scripted, but
> hand installed, so the usual answer of Nuke it and rebuild is going to be
> extremely painful.
>
> We haven't tried to clean boxes in a long time, what is everyone's
> favorite tool set?
>
> (I don't have the exact virus right now)
>
> ___________________________________________________
> You are subscribed to the ResNet-L mailing list.
>
> To subscribe, unsubscribe or search the archives, go to
> http://LISTSERV.ND.EDU/archives/resnet-l.html
> ___________________________________________________
>


