When it comes to workstations within most organizations, the solution when one gets infected is to wipe it and re-image it. However, when we're talking about servers, sometimes that's not a viable business option. I've been in that position. In those cases, you do your best to remove any traces of infection and you hope you got them all.
Over at the Internet Storm Center there's a nice ongoing series about all the places to look to prevent re-infection. Thus far it's up to four posts. Even if you don't currently have an infected server, it's a very good read. Some of these places are not ones where most IT pros think to look.
- Wipe the drive! Stealthy Malware Persistence Mechanism - Part 1
- Wipe the drive! Stealthy Malware Persistence Mechanism - Part 2
- Wipe the drive! Stealthy Malware Persistence Mechanism - Part 3
- Wipe the drive! Stealthy Malware Persistence Mechanism - Part 4
EDIT: Updated to include Part 4.