Yesterday we started with the Eradication phase of the Incident Handling process. If the incident involves the usage of a rootkit, there is a first question that always needs to be answered: To rebuild or not to rebuild, that is the question! ;)

Imagine an irreplaceable system was compromised and a rootkit was installed. What methodology can you follow, and what specific actions (and tools) can you take (and use) to eradicate the rootkit? There are a few situations where you can find yourself in this kind of scenario: dealing with high availability systems that have unique hardware components that cannot be easily installed on another node (for example, in the medical sector), or situations where a working backup is not available.

If you have been involved in incidents that required removing rootkits and have any anecdotes or ideas you can share, please send them to us via our contact page. Please be sure to put something in the subject like "Security Tip, day 20" to make it easier for us to sort them. We will update this diary with your comments and thoughts throughout the day, so start sending them in.
Raul Siles, Oct 20th 2008