Q: What is containment action after Virus is found

Ow Mun Heng ow.mun.heng at wdc.com
Thu Apr 8 12:42:48 UTC 2004

Hi Guys,

	Need some guidance. Looking through my server's shares, (SAMBA)
I noticed a number of rougue files (How to hack websites.exe etc..)
I've already moved these files to a temp directory for the time being.

I've informed the users of the server of the viruses and advised them to
perform a scan of their PCs.

I've disabled the account which was the source of infection until further 
notice as well.

As I'm going through the system, I noticed that the virus has actually been 
in the system for 2 days. Enough to populate to my "mirrordir" directory,
my snapshots as well as my rsync snapshots.

I've not removed these files from the backups. 
(I'm thinking that - No one has access to these files and it will recover
by tomorror (for my mirrordir) and a couple of days for my snapshots to come

SO.. what are your comments?

Cheers,                                                 .^.
Mun Heng, Ow                                            /V\
H/M Engineering                                       /(   )\
Western Digital M'sia                                  ^^-^^
DID : 03-7870 5168                          The Linux Advocate


More information about the users mailing list