To answer both questions at once: The tool we used to use is fading away and a new one is emerging, but the concept is the same in both cases. The main drive partition (i.e. C:) is configured as the admin wants it and the hidden/backup version of it is created. You can set the flag to restore that hidden version on demand, on a failure, or on every reboot. In the case of a public library scenario, you might set it to restore itself at every reboot and then reboot the server after the library closes each night.

In terms of local data that needs to be updated, you simply update that info and set the flag to recreate the hidden backup on this new version.

We deployed this scenario on laptops for a major financial institution. They send a user home with a corporate laptop with a C: and a D: drive. The user can store data on D:, but every time they reboot the C: is restored to the clean state.

Regards,
Steve Greenberg
Thin Client Computing
34522 N. Scottsdale Rd. suite D8453
Scottsdale, AZ 85262
(602) 432-8649
(602) 296-0411 fax
steveg@xxxxxxxxxxxxxx

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Adam.Baum@xxxxxxxxxxxxxx
Sent: Monday, July 14, 2003 7:15 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: OT: FW: New trojan turns home PCs into porno Web site hosts

How do you handle the monthly (or so) changes to the SecureChannel password and other Windows administrivia that goes on behind the scenes?

adam

From: "Steve Greenberg" <steveg@thinclient.net>
Sent by: thin-bounce@freelists.org
Date: 07/12/2003 10:25 AM
Please respond to thin
To: <thin@xxxxxxxxxxxxx>
cc:
Subject: [THIN] Re: OT: FW: New trojan turns home PCs into porno Web site hosts

> You never know where patrons are browsing or what they are loading on a
> public terminal or what is stuck in cache on your Citrix servers. JK

This raises a new application for some of the recovery tools we use.
One of them restores the server system disk to the state it was saved in every time the server reboots. For a public situation like a library, you could reboot the server each night and in the process restore it to the clean state it was built in.

Steve Greenberg
Thin Client Computing
34522 N. Scottsdale Rd. suite D8453
Scottsdale, AZ 85262
(602) 432-8649
(602) 296-0411 fax
steveg@xxxxxxxxxxxxxx

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Kenzig
Sent: Friday, July 11, 2003 12:10 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: OT: FW: New trojan turns home PCs into porno Web site hosts

Things like this scare the crap out of me being the network manager for a Library! You never know where patrons are browsing or what they are loading on a public terminal or what is stuck in cache on your Citrix servers.

JK

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Chris Lynch
Sent: Friday, July 11, 2003 2:45 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] OT: FW: New trojan turns home PCs into porno Web site hosts

Very interesting...

Chris

-----Original Message-----
From: Richard M. Smith [mailto:rms@xxxxxxxxxxxxxxxxxxxx]
Sent: Thursday, July 10, 2003 7:49 PM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: New trojan turns home PCs into porno Web site hosts

Hi,

Some individual appears to have hijacked more than 1,000 home computers starting in late June or early July and has been installing a new trojan horse program on them. The trojan allows this person to run a number of small Web sites on the hijacked home computers. These Web sites consist of only a few Web pages and apparently produce income by directing sign-ups to for-pay porno Web sites through affiliate programs. Spam email messages get visitors to come to the small Web sites.
To make it more difficult for these Web sites to be shut down, a single home computer is used for only 10 minutes to host a site. After 10 minutes, the IP address of the Web site is changed to a different home computer. The hacker is able to do this quick switching because he has installed DNS name servers for his domains on other home computers under his control. The DNS name servers specify that a hostname-to-IP-address mapping should only live for 10 minutes.

Over the long July 4th weekend, some of these same Web servers were used in an apparent phishing scam to collect stolen PayPal passwords and credit card numbers. Silicon.com has an article about this scam:

Russian hackers behind fake PayPal email scam?
http://silicon.com/news/500013-500001/1/5061.html

Joe Stewart of LURHQ has obtained a copy of the trojan which he has named Migmaf. His analysis of the trojan can be found on the LURHQ Web site:

http://www.lurhq.com/migmaf.html

The initial theory was that the trojan was installing a mini-Web server on a hacked computer to host the porno Web sites. However, Joe's analysis shows that the Trojan is actually a reverse HTTP proxy that makes a home computer act as a front for a home base Web server.

The New York Times is also running an article about the trojan in its July 11th edition of the paper:

http://www.nytimes.com/2003/07/11/technology/11HACK.html?hp

Some of the domain names used by the Web sites of the trojan are:

onlycoredomains.com
pizdatohosting.com
bigvolumesites.com
wolrdofpisem.com
arizonasiteslist.com
nomorebullshitsite.com
linkxxxsites.com

I've been monitoring these domains since July 5th and found over 2,000 unique IP addresses used by hosts in these domains. Almost all of these IP addresses are for commercial ISPs used by home computer users. AOL.COM was the most used ISP.

One interesting feature of the trojan is that it times the connection speed of a home computer that it is running on and reports the connection speed back to home base.
The home base computer seems to only select a computer to run a reverse proxy server or the DNS name server if the computer has a high-speed cable or DSL Internet connection.

It is not known at the present time how the trojan gets installed on people's computers. My theory is that the Sobig.e virus might be involved, but the evidence is not strong at the moment.

Richard M. Smith
http://www.ComputerBytesMan.com

********************************************************
This weeks sponsor - RTOSoft TScale
Complaints about applications response time - DO SOMETHING ABOUT IT!
TScale 2.0 improves applications response time and increases terminal server capacity.
Really get MORE from your existing servers!
Free eval: http://www.rtosoft.com/enter.asp?id=130
**********************************************************
Useful Thin Client Computing Links are available at:
http://thethin.net/links.cfm

For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link:
http://thethin.net/citrixlist.cfm
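
Added example, not part of the original thread or of any poster's message: a defender-side check for the rotation described in the forwarded Bugtraq post (DNS answers that live for only 10 minutes and keep pointing at different hosts). The log format, the thresholds and the sample records are assumptions made for this sketch; short TTLs alone are also normal for CDNs and load balancers, so the check requires several distinct addresses inside one window as well.

```python
from collections import defaultdict

# Constructed sample of resolver observations: epoch, name, TTL, answer IP.
# Names use the reserved .example TLD; IPs are RFC 5737 documentation ranges.
SAMPLE = """\
1057400000 promo.shop.example 600 192.0.2.10
1057400600 promo.shop.example 600 198.51.100.23
1057401200 promo.shop.example 600 203.0.113.77
1057401800 promo.shop.example 600 192.0.2.144
1057400000 www.library.example 86400 198.51.100.5
1057403600 www.library.example 86400 198.51.100.5
1057400000 cdn.news.example 300 203.0.113.1
1057400300 cdn.news.example 300 203.0.113.2
"""


def parse(text):
    """Yield (timestamp, name, ttl, ip) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not (parts[0].isdigit() and parts[2].isdigit()):
            continue
        yield int(parts[0]), parts[1].lower().rstrip("."), int(parts[2]), parts[3]


def rotating_domains(text, max_ttl=600, min_ips=4, window=3600):
    """Return {name: sorted IPs} for names whose short-TTL answers resolve
    to at least min_ips distinct addresses within any window seconds."""
    seen = defaultdict(list)
    for ts, name, ttl, ip in parse(text):
        if ttl <= max_ttl:  # 600 s matches the 10-minute lifetime in the post
            seen[name].append((ts, ip))
    flagged = {}
    for name, obs in seen.items():
        obs.sort()
        for i, (start, _) in enumerate(obs):
            # Distinct answers seen within `window` seconds of this observation.
            ips = {ip for ts, ip in obs[i:] if ts - start <= window}
            if len(ips) >= min_ips:
                flagged[name] = sorted(ips)
                break
    return flagged


if __name__ == "__main__":
    for name, ips in rotating_domains(SAMPLE).items():
        print(name, len(ips), "addresses:", ", ".join(ips))
```

Names flagged this way are candidates for review, for example by checking whether the answer addresses sit in consumer ISP ranges as the post reports.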