Whats this?

You are most likely reading this because you are suddenly unable to connect to one or more of our IRC servers. Most likely, you have gotten an error message similar to the following when you tried to connect:

*** Banned: Trojan infected system - see www.chatster.org/compromised.html

This is an indication of any of the following very serious problems:

• Your system is infected with a virus.
• Your system is infected with a trojan horse (similar to a virus).
• Your system has been hacked.
• Your system is being used without your knowledge as part of criminal attacks against other computers.

When IRC Operators detect evidence of any of the above problems, they typically will apply klines (bans from individual servers) or glines (bans from most of chatster) to remove the affected systems from IRC. This is done to protect the IRC network, other IRC users, as well as the affected systems.

Ok, so now what?

For the protection of your computer, as well as to prevent harm to other computer users, it is of the utmost importance that you secure your system as quickly as possible. This includes disconnecting your system from the internet except as absolutely needed as part of your recovery effort. So long as your system is infected or backdoored, it is a threat to other computers across the internet. It would be an act of negligence to allow your system to remain in a compromised state, and this could potentially expose you to legal action.

As this is a very lengthly document, you may find it helpful to print it out for reference.

Very Important: If you do not feel you have the technical knowledge to secure your system, you are strongly urged to disconnect your computer from the internet, and seek professional assistance. A good computer shop can help you recover your system without losing any of your important files.

There is a very good possibility that following the steps below will resolve the problem, however, you should be aware that once an attacker has had full access to your system, you have no way of knowing to what degree the system has been tampered with. While fairly uncommon, it is entirely possible to replace parts of the operating system so that files added or modified by a backdoor cannot be detected by any software running under that system. A reformat and reinstallation of the operating system from trusted media is the only 100% positive way to insure that a compromised system has been made secure.

With that said, most compromises under Windows systems are NOT that sophisticated, and use common backdoor trojans, which are easily detected with good, updated antitrojan and antivirus software. If you wish to attempt to recover without a reformat, following the steps below will probably correct the problem, however, when following this procedure, there is no way to know for certain that all backdoors are gone from the compromised system.

Windows Systems

1. Completely delete all copies of mIRC on your system, including associated configuration files and scripts. (Many trojans tamper with mIRC settings in order to give an attacker access to your computer or in order to propigate. This step, and the later reinstallation of mIRC should repair any unauthorized changes to your mIRC settings.)
2. Scan your computer with an updated trojan scanner in order to detect any know trojan horse programs. Install updates to the trojan scanner first, and then go offline while scanning, this prevents a malicious user with control over your computer from interfering with the scan. Be sure to follow the configuration instructions recommended by hackfix.org to ensure that the scanner doesn't miss anything.
3. Scan your computer with an updated virus scanner in order to detect any infected files the trojan scanner may have missed. Again, you should go offline after you apply any needed updates. The configuration instructions at www.hackfix.org should be followed as well.
4. If your virus scanner will not run, or will not run properly, try rebooting to safe mode.
5. If your virus scanner still will not run/run properly, try uninstalling and reinstalling it.
6. If your virus scanner still fails to run properly even after rebooting to safe mode and reinstalling it, try the online scanner at http://housecall.antivirus.com.
7. After running your trojan scanner and virus scanner to remove the infected files, restart your computer, and scan again. Some files may have been in use at the time of the first scan, a second scan should detect these and remove them. Continue to restart and rescan until no more infected files are found.
8. If you have access to antivirus recovery disks, boot the system from those disks and use them to perform another scan to catch stealth viruses, some viruses are impossible to detect while they are loaded into memory.
9. Apply security updates from Microsoft http://windowsupdate.microsoft.com
10. Reinstall a clean copy of mIRC from http://www.mirc.co.uk. If prompted to save settings, click no, cancel the installation, and make sure you removed all mIRC-related files and directories from the old mIRC installation.
11. Review operating system and application configuration settings for any changes that an attacker may have made. In particular, under Windows NT/2000/XP, check to see if any undesireable services have been enabled, and check to see if any user accounts have been added.
12. Change all your passwords, as many backdoor trojans include keystroke loggers, password database crackers, and other means of stealing passwords.
13. Monitor the system for further evidence of tampering. Any unexpected behavior should be thoroughly investigated. If you are not sure you successfully removed all backdoors from the system, you should reconsider the option of reformatting the machine.

UN*X/Linux Systems

Due to the widespread use of sophisticated rootkits on *nix systems, in place recovery is not advised. If you have integrity checking software such as tripwire in use, with a trusted database on trusted media, you may be able to use it from a boot disk to bypass the installed (and presently untrusted) operating system and determine which files have been tampered with. Otherwise you should proceed directly to http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

Getting Unklined/Unglined

Many klines for infected systems are temporary klines. In this case, you'll usually be allowed on within 24 hours of fixing your system. ALL glines are temporary, the expiration period however depends on the server. Most servers expire glines after 12 hours, some may take a bit longer.

After you fix your system, allow 24 hours for temporary klines to expire, after that, if there are servers which still have you klined, you will need to contact the administration of those servers to have the klines removed. If you can get on IRC at all, you can use /admin <servername> to get the administrative contact info for a server.

--

Special thanks to EFnet for supplying helpful documentation.