BrianDSy
What are best practice forensics after finding IRC bot
What are the best practices for follow-up to a bot removal? I was called on site to a client's small business and found a very simple IRC bot installed that launched on startup and made no attempt to conceal itself. I was able to locate it without a great deal of time and effort; it was installed in a folder in System32\, but the ease with which I could find and remove it led me to ask if there is a false sense of security, since the system scans show no virus and the system is working as expected. I cleaned a Storm Worm-infected machine about two months ago, and that was the most stubborn cleanup that I had seen in many years. With this one I deleted the folder and the registry entries and it was gone; it just seemed too easy. The owner told me that he always killed the application as soon as he booted up, so I want to believe it never got past the immediate IRC logins.
In the properties of the executable the company name was 'GoHack, Inc.'
Bri
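One way to answer the "did I really get all of it?" question in the post is to audit the usual relaunch points and record hashes before declaring the machine clean. The script below is an added example, not code from the original thread or from any of its answers. It assumes an elevated PowerShell session on the cleaned Windows host; the output folder `C:\IR\...` is a hypothetical location chosen for this example, and the port list is only the conventional IRC range, not something the post states about this bot.

```powershell
# Added example (not from the original thread): post-removal persistence and
# artifact audit. Assumes an elevated PowerShell session on the cleaned host.
# $ReportDir is a hypothetical output location chosen for this example.
$ReportDir = "C:\IR\$(Get-Date -Format yyyyMMdd-HHmm)"
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# 1. Autostart registry values: the classic Run/RunOnce keys, 64- and 32-bit views.
#    The post removed "the registry entries"; this records what is left so it can be
#    compared against a known-good build or a second scan later.
$runKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$autoruns = foreach ($key in $runKeys) {
  if (Test-Path $key) {
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
      if ($p.Name -notlike 'PS*') {   # skip PowerShell's own PSPath/PSParentPath metadata
        [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
      }
    }
  }
}
$autoruns | Export-Csv -NoTypeInformation -Path "$ReportDir\run-keys.csv"

# 2. Other relaunch points a Run-key cleanup does not touch: startup folders,
#    services and scheduled tasks.
Get-ChildItem -Force -ErrorAction SilentlyContinue -Path `
  "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
  "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" |
  Select-Object FullName, LastWriteTime |
  Export-Csv -NoTypeInformation -Path "$ReportDir\startup-folders.csv"
Get-CimInstance Win32_Service |
  Select-Object Name, State, StartMode, PathName |
  Export-Csv -NoTypeInformation -Path "$ReportDir\services.csv"
Get-ScheduledTask | Where-Object State -ne 'Disabled' |
  Select-Object TaskName, TaskPath,
    @{n='Action'; e={ ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' }} |
  Export-Csv -NoTypeInformation -Path "$ReportDir\scheduled-tasks.csv"

# 3. Executables inside sub-folders of System32 (where the post found the bot).
#    Record SHA-256, Authenticode status and the CompanyName string so a sample
#    can be submitted or compared later instead of relying on memory.
Get-ChildItem -Path "$env:SystemRoot\System32" -Directory | ForEach-Object {
  Get-ChildItem -Path $_.FullName -Filter *.exe -File -ErrorAction SilentlyContinue
} | ForEach-Object {
  $sig = Get-AuthenticodeSignature -FilePath $_.FullName
  [pscustomobject]@{
    Path      = $_.FullName
    SHA256    = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
    Signature = $sig.Status
    Signer    = $sig.SignerCertificate.Subject
    Company   = $_.VersionInfo.CompanyName
  }
} | Export-Csv -NoTypeInformation -Path "$ReportDir\system32-subfolder-exes.csv"

# 4. Live outbound connections on the conventional IRC ports (6660-6669, 6697 TLS).
#    Anything still here after cleanup needs an explanation before sign-off.
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
  Where-Object { ($_.RemotePort -in 6660..6669) -or ($_.RemotePort -eq 6697) } |
  Select-Object LocalAddress, RemoteAddress, RemotePort, OwningProcess,
    @{n='Process'; e={ (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name }} |
  Export-Csv -NoTypeInformation -Path "$ReportDir\irc-connections.csv"

Write-Host "Audit written to $ReportDir"
```

Run it once right after cleanup and again after a reboot; a diff of the two `run-keys.csv` and `scheduled-tasks.csv` files shows whether anything re-created itself, and the hashed file list is what you hand to the AV vendor or keep with the ticket if the client asks later what was actually removed.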
ASKER
Thanks for the feedback. My client's happy. I feel like I got the job done. There have been no further issues.
Brian