malware infected containment and recovery

(@afsfr)
Posts: 37
Eminent Member
Topic starter
 

We have a malware-infected server. Now we can't contain it because the business wants the real-time data feed for financial transactions and it must be 24*7 online. What should we suggest to the business?

We have another file server infected by a rootkit on Dec.3. After we reimaged the system, we recovered data from the tape backed up on Dec.2. The business suggests we recover data up to Dec.4 (when the system was crashed by the hacker). Can we recover from the Dec.4 tape?

 
Posted : 10/12/2019 3:33 am
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

we have a malware-infected server

Identify the malicious processes and kill them manually. Then look for persistence mechanisms. Try to identify the malware and use antivirus.

we have another file server infected by a rootkit on Dec.3… can we recover from the Dec.4 tape?

Nobody knows that. Identify the rootkit and then verify whether you backed up a compromised server or not. If the backup is compromised too, then take an older backup. And one more thing: secure your network. Servers getting infected with Spaghetti or malware are always a sign of weak security. Good luck.

regards, Robin

 
Posted : 10/12/2019 7:52 am
(@afsfr)
Posts: 37
Eminent Member
Topic starter
 

we have a malware-infected server

Identify the malicious processes and kill them manually. Then look for persistence mechanisms. Try to identify the malware and use antivirus.

+++++++++++++
Re: We tried that before, but the malicious process id is not able to be killed; that malicious process locks most system processes, and the host-based antivirus software processes are terminated by the malware. Linux said it is not able to kill that process id, so the live system is still with the virus. If we take it offline, the business will not accept it; if we keep it online, we are not able to bring it to a healthy situation.

we have another file server infected by a rootkit on Dec.3… can we recover from the Dec.4 tape?

Nobody knows that. Identify the rootkit and then verify whether you backed up a compromised server or not. If the backup is compromised too, then take an older backup. And one more thing: secure your network. Servers getting infected with Spaghetti or malware are always a sign of weak security. Good luck.

regards, Robin

++++++++++++++
Re: Thanks.

 
Posted : 10/12/2019 8:33 am
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

the malicious process id is not able to be killed; that malicious process locks most system processes, and the host-based antivirus software processes are terminated by the malware. Linux said it is not able to kill that process id,

Then you have to take the server offline, simple as that. Go into runlevel 1 with the Linux box and clean it as well as you can. The business needs that pain in the back to open the purse. If you sacrifice your night, weekend and X-mas perhaps, the situation will not change. Do not forget that any infection is basically the loss of control and authority over the server. It does not belong to you any longer, which opens a door for ransomware (yes, even on Linux) or a lateral infection of other systems. If huge parts of your endpoints are encrypted, no work is possible for days or weeks.

Good luck.

 
Posted : 10/12/2019 9:07 am
(@dcs1094)
Posts: 146
Estimable Member
 

Very little detail, so I cannot really offer much at present, but I have dropped you a PM if you need further support. As already mentioned, they have likely maintained persistence and will now be carrying out actions on objectives (think of the cyber kill chain methodology). If you are unable to identify the threats or carry out the remediation, i.e. block the malicious activity, then you need to take it offline, or set up a private VLAN-type environment to enable you to interact and carry out analysis. Furthermore, those backups are 1 day prior to when you said the rootkits were deployed; how do you know the attacker was not in your environment weeks, if not months, before that, carrying out reconnaissance?

 
Posted : 10/12/2019 9:42 am
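Robin's point about checking whether the tape captured an already-compromised server, and dcs1094's point that the attacker may have been present well before Dec.3, both come down to the same check: diff the restore candidate against a trusted baseline before restoring it. The following is an added example, not code from the thread; it assumes file manifests in "sha256 mode path" form were generated from the mounted Dec.2 and Dec.4 tapes, and the sample manifests below are constructed.

```python
# Added example (not from the thread): flag changes between a baseline manifest
# and a restore candidate in Linux persistence and system paths, plus new setuid files.
PERSISTENCE_PREFIXES = ("/etc/cron", "/etc/systemd/system/", "/etc/ld.so.preload",
                        "/etc/rc.local", "/etc/init.d/", "/root/.ssh/")
SYSTEM_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/", "/usr/lib/")
WATCHED = PERSISTENCE_PREFIXES + SYSTEM_PREFIXES
# Constructed sample manifests: "sha256  mode  path" per file (hashes are placeholders).
DEC2_MANIFEST = """\
hash-ssh-v1   0755  /usr/bin/ssh
hash-cron-1   0644  /etc/cron.d/backup
hash-ledger1  0644  /srv/data/ledger.csv
"""
DEC4_MANIFEST = """\
hash-ssh-v2   0755  /usr/bin/ssh
hash-cron-1   0644  /etc/cron.d/backup
hash-ledger2  0644  /srv/data/ledger.csv
hash-cron-x   0644  /etc/cron.d/.sys-update
hash-preload  0644  /etc/ld.so.preload
hash-tmpx     4755  /tmp/.x
"""

def parse_manifest(text):
    """Map path -> (sha256, octal mode string) from manifest lines."""
    entries = {}
    for line in text.strip().splitlines():
        digest, mode, path = line.split(None, 2)
        entries[path] = (digest, mode)
    return entries

def is_setuid(mode):
    return bool(int(mode, 8) & 0o4000)

def triage(baseline, candidate):
    """Return (kind, path) findings that argue against restoring the candidate."""
    findings = []
    for path, (digest, mode) in candidate.items():
        base = baseline.get(path)
        if path.startswith(WATCHED):
            if base is None:
                findings.append(("added", path))
            elif base[0] != digest:
                findings.append(("modified", path))
        # A file that became setuid anywhere is suspicious, not only in watched paths.
        if is_setuid(mode) and (base is None or not is_setuid(base[1])):
            findings.append(("new_setuid", path))
    for path in baseline:
        if path not in candidate and path.startswith(WATCHED):
            findings.append(("removed", path))
    return findings

def safe_to_restore(baseline_text, candidate_text):
    return not triage(parse_manifest(baseline_text), parse_manifest(candidate_text))
```

Business data such as the ledger changing between the two tapes is expected and is not flagged; a changed system binary, a new cron job or ld.so.preload, or a new setuid file means the Dec.4 tape captured the compromise and the older tape plus a manual data merge is the safer path.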