Removing Compromised Computers from the Network
With the continued incidence of problems associated with computers that
have vulnerabilities exploited by worms, viruses, and other malware, the
Security Incident Response Team (SIRT) established
the following procedure for minimizing the impact of compromised and
vulnerable machines by disabling their access to the K-State data network
and the Internet:
1. Unpatched, vulnerable systems and compromised systems will be identified with the aid of scanning tools, intrusion-detection devices, external reports, and other appropriate means of identifying anomalous network activity.
2. Compromised systems will be blocked from accessing the K-State network as soon as they are identified. It will typically not be feasible to give prior notice to the individual using the affected system.
3. The IP and MAC addresses of compromised systems will be posted on the blocked hosts webpage, and Networking will send a network block message to the SIRT-CONTACTS LISTSERV mailing list. The block notification message will include the following information:
   - Subject heading of "Network Block Notification - <building name>"
   - Brief explanation of why the computer has been blocked
   - As much information as possible to aid in identifying the blocked computer, such as IP address, MAC address, hostname, etc.
   These communication channels will allow departmental security contacts in each unit to locate and fix the blocked systems. Note that you will not be contacted directly about a compromised computer in your department. It is the responsibility of the departmental security contact to watch the notices sent to the mailing list and identify the computers the security contact supports, so they can be fixed as quickly as possible.
4. The security contacts for the compromised or vulnerable computer are responsible for ensuring that it has been reinstalled or otherwise appropriately secured before requesting that the network block be removed. The contact's SIRT representative can provide advice on how to deal with the problem, but is not available to assist with on-site technical support.
5. If the compromised computer contains sensitive data, such as student records, personnel files, personal identity data, or data covered by export controls, shut the computer down and immediately contact your SIRT representative so forensic analysis can be performed to determine if there is any chance that a breach of the data occurred. This also applies if the compromised computer might be involved in a criminal investigation, since the hard drive(s) may need to be preserved for evidence. In these cases, do not under any circumstances reformat or otherwise alter the contents of the hard drive(s) until cleared to do so by the OISC or your SIRT representative. These same people can also advise you on proper ways to preserve the integrity of evidence should the computer need to be returned to production quickly.
6. If the machine is infected with malware known to open a back door or other type of trojan horse, and Step 5 above does not apply, the system must be reformatted before the block will be removed. Reformatting the hard drive and reinstalling the operating system and all applications is the only way to guarantee all malware has been removed.
7. Once the system has been repaired or patched, the network administrator must contact their SIRT representative or designated alternate, who will then send a message to the SIRT-BLOCKS LISTSERV mailing list requesting removal of the network block. The unblock request message must:
   - Have a subject heading of "Unblock request <building name>"
   - Copy and paste the line from the blocked-hosts page for the computer to be unblocked (include IP address, MAC address, NetBIOS name, reason blocked, and date blocked)
   - Briefly explain why removing the block is now justified
   Only a SIRT member or designated alternate can request removal of the block. Residential Networking staff in Housing and Dining Services at the K-State Manhattan campus residence halls should contact the Coordinator of Residential Networking or the SIRT member for Housing and Dining Services, who will process the removal of the network block.
8. Networking will remove the network block, remove the IP and MAC address from the blocked hosts list, and then notify the SIRT-BLOCKS mailing list.