Kansas State University
Removing Compromised Computers from the Network

Because computers whose vulnerabilities are exploited by worms, viruses, and other malware continue to cause problems, the Security Incident Response Team (SIRT) established the following procedure to minimize the impact of compromised and vulnerable machines by disabling their access to the K-State data network and the Internet:

    1. Unpatched, vulnerable systems and compromised systems will be identified with the aid of scanning tools, intrusion-detection devices, external reports, and other appropriate means of identifying anomalous network activity.
    2. Compromised systems will be blocked from accessing the K-State network as soon as they are identified. It will typically not be feasible to give prior notice to the individual using the affected system.
    3. The IP and MAC addresses of compromised systems will be posted on the blocked-hosts webpage, and Networking will send a network block message to the SIRT-CONTACTS LISTSERV mailing list. The block notification message will include the following information:
      • Subject heading of "Network Block Notification - <building name>"
      • Brief explanation of why the computer has been blocked
      • As much information as possible to aid in identifying the blocked computer, such as IP address, MAC address, hostname, etc.
      These communication channels will allow departmental security contacts in each unit to locate and fix the blocked systems. Note that you will not be contacted directly about a compromised computer in your department. It's the responsibility of the departmental security contact to watch the notices sent to the mailing list and identify computers the security contact supports, so they can be fixed as quickly as possible.
    4. The security contacts for the compromised or vulnerable computer are responsible for ensuring that it has been reinstalled or otherwise appropriately secured before requesting the network block be removed. The contact's SIRT representative can provide advice on how to deal with the problem, but is not available to assist with on-site technical support.
    5. If the compromised computer contains sensitive data, such as student records, personnel files, personal identity data, or data covered by export controls, shut the computer down and immediately contact the OISC and your SIRT representative so forensic analysis can be performed to determine if there is any chance that a breach of the data occurred. This also applies if the compromised computer might be involved in a criminal investigation since the hard drive(s) may need to be preserved for evidence. In these cases, do not under any circumstances reformat or otherwise alter the contents of the hard drive(s) until cleared to do so by the OISC or your SIRT representative. These same people can also advise you on proper ways to preserve the integrity of evidence should the computer need to be returned to production quickly.
    6. If the machine is infected with malware known to open a back door or other type of trojan horse, and Step 5 above does not apply, the system must be reformatted before the block will be removed. Reformatting the hard drive and reinstalling the operating system and all applications is the only way to guarantee all malware has been removed.
    7. Once the system has been repaired or patched, the network administrator must contact their SIRT representative or designated alternate, who will then send a message to the SIRT-BLOCKS LISTSERV mailing list requesting removal of the network block. The unblock request message must include the following information:
      • Subject heading of "Unblock request <building name>"
      • The line from the blocked-hosts page for the computer to be unblocked, copied and pasted (including IP address, MAC address, NetBIOS name, reason blocked, and date blocked)
      • Brief explanation of why removing the block is now justified

      Only a SIRT member or designated alternate can request removal of the block.

      Residential Networking staff in Housing and Dining Services at the K-State Manhattan campus residence halls should contact the Coordinator of Residential Networking or the SIRT member for Housing and Dining Services, who will process the removal of the network block.

    8. Networking will remove the network block, remove the IP and MAC address from the blocked-hosts list, and then notify the SIRT-BLOCKS mailing list.