Procedure for Removing Compromised Computers From the Network
Revised Dec. 2, 2005. Updates: Aug. 11, 2006; Feb. 19, 2008
Because computers with vulnerabilities exploited by worms, viruses, and
other malware continue to cause problems, the Security Incident Response
Team (SIRT) established the following procedure for minimizing the impact
of compromised and vulnerable machines by disabling their access to the
K-State data network and the Internet:
- Unpatched, vulnerable systems and compromised systems will be
identified with the aid of scanning tools, intrusion-detection devices,
and other appropriate means of identifying anomalous network activity.
- Compromised systems will be blocked from accessing the K-State
network as soon as they are identified. In the case of K-State-affiliated
sites such as the residence halls and Greek and scholarship houses, it may
be necessary to block the entire hall or house from the network, even if
only one computer at the location is vulnerable. This will vary depending
on the severity of the incident. It may not be feasible to give prior
notice to the individual using the affected system.
- The IP and MAC addresses of compromised systems will be posted on the
blocked hosts webpage and on the SIRT-CONTACTS LISTSERV mailing list for
departmental security contacts. These communication channels allow the
designated contact personnel in each unit to locate and fix the blocked
systems. Note that you will not be contacted directly about a compromised
computer in your department. It is up to you to watch the notices sent to
the mailing list and identify computers that you support, so they can be
fixed as quickly as possible.
- Computers in the K-State Manhattan campus residence halls will be blocked in
Bradford Campus Manager with the reason for disabling access posted to the SIRT-CONTACTS mailing list.
- The security contacts for the compromised or vulnerable computer are
responsible for ensuring that it has been reinstalled or otherwise
appropriately secured before requesting that its network block be removed.
The contact's SIRT representative can provide advice on how to deal with
the problem, but is not available to assist with on-site technical support.
- If the compromised computer contains sensitive data, such as student
records, personnel files, personal identity data, or data covered by
export controls, shut the computer down and immediately contact the
K-State IT Security Officer and your SIRT representative, so forensic
analysis can be performed to determine if there is any chance that a
breach of the data occurred. This also applies if the compromised computer
might be involved in a criminal investigation, since the hard drive(s) may
need to be preserved for evidence. In these cases, do not under any
circumstances reformat or otherwise alter the contents
of the hard drive(s) until cleared to do so by the K-State IT Security
Officer or your SIRT representative. These same people can also advise
you on proper ways to preserve the integrity of evidence should the
computer need to be returned to production quickly.
- If the machine is infected with malware known to open a back door or
another type of Trojan horse, and Step 5 above does not apply, the system
must be reformatted before the block will be removed. Reformatting the
hard drive and reinstalling the operating system and all applications is
the only way to guarantee that all malware has been removed.
- Once the system has been repaired or patched, the network administrator
must contact their SIRT representative or designated alternate, who will
then send a message to the SIRT-BLOCKS LISTSERV mailing list requesting
removal of the network block. The unblock request message must:
  - Have a subject heading of "Unblock request <building name>"
  - Copy and paste the line from the blocked-hosts page for the computer
  to be unblocked (include the IP address, MAC address, NetBIOS name,
  reason blocked, and date blocked)
  - Briefly explain why removing the block is now justified
Only a SIRT member or designated alternate can request removal of the
block. Residential Computing staff in Housing and Dining Services at the
K-State Manhattan campus residence halls should contact the Coordinator
of Residential Computing or the SIRT member for Housing and Dining
Services, who will process the removal of the network block.
- Network Technologies will remove the network block, remove the IP and
MAC address from the blocked hosts list, and then notify the SIRT-BLOCKS
mailing list.