[thelist] IIS Worm/Trojan Suggestion - Ghost Rollback

Ed emagin at onebox.com
Wed Sep 19 15:26:46 CDT 2001

One thing I've found most frustrating and time-consuming when dealing with
these various worms is the installation of all the patches, which sometimes
don't guarantee the removal of hidden Reg Key entries and other harm that
can only be undone MANUALLY.

So I follow this general policy.

1. Install a clean copy of the OS onto the C: partition/drive.
2. Create a DOS partition the size of the C: partition.
3. Set IE's security level to CUSTOM and do not allow ANY scripting, etc.
   Disable everything.
4. Add windowsupdate.microsoft.com to Trusted sites.
5. I update servers with all patches up to a base level (for IIS you can use
   the Aug 21 Microsoft Cumulative patch).

6. Disconnect the Ethernet.
7. Set up any IIS shares and sites, test, and disable any features you don't
   need.
8. Boot to DOS and Ghost an image of the C: partition (which should only have
   the OS on it anyhow) to the DOS partition.
9. Keep apps and other shares in the D:, etc. partitions.
10. Copy this Ghost image someplace handy, like on a CD.

When this worm stuff goes down, just do an OS rollback to that last base
level image. Then you KNOW there is nothing harmful in the build. Then go out
(using secure IE settings) and download any new patches, updates, etc. from
MS. If significant, rebuild a new base build with Ghost and store it for the
next attack.

After several rebuilds and updates, I have found that, after initial setup,
this method is fairly quick and foolproof. It gives you a peace of mind
factor that makes the extra setup time worth it.

Hope this helps.
