My initial reaction would be somewhere in between shocked and oh well. In the end, I'd probably restore the last backup. In between, I'd try to determine how I was compromised, and assuming that it wasn't stupidity on my part, attempt to close the vulnerability after I restore the system.
Hmm. I picked "Nothing new, restore from backups," but now that I think about it, that's the procedure for ITW Windows malware - the usual automated rubbish. Whereas I'm on Linux. Which means a compromise would be less likely, but if it did happen, it would probably be more serious. And more exotic. And more of a hassle to deal with. Actually, that deserves its own thread, I think.
From my pov the backup is the "be all and end all" of the complete security & recovery package, so that no matter how shocking or surprising an exploit might be, it should result in nothing more than a minor inconvenience for the end user. In all actuality, the backup will probably be used more to recover from a broken system than for an exploited one. I've used it several times in this case. Keeping sensitive data off the machine or encrypted is, imho, a close second in importance.
Depending on the type of exploit, it would be bemusement at first, and then I'd try to get rid of it and clean up the system, etc., so on and so forth... It would be interesting, though, hunting it down and trying to figure out how it got in.
If someone is smart enough to get into my system I very much doubt I'll notice it. If I did, I'd take the system offline, analyze it, attempt to determine how they got in, etc. Once I had all of that information I would take steps to repair the situation, either cleaning it up or wiping the system, and then hardening it against further attack.
There are other actions to take besides what you have listed, depending on what sensitive info you have on your HD. For instance, I would cancel all credit cards and ask for replacements. If your machine holds sensitive data affecting others (like credit reports or applications, etc.), then it becomes your responsibility to contact those people and let them know what has happened. Simply reacting with something between a ho-hum and surprise, then restoring an image, is really only part of the process. Think of the email files that may have been compromised and what the culprit now knows about friends, family and associates. Anyone who says they "restore and move on", seems to me, is overlooking a vast amount of damage control.
I would simply be annoyed and, quite honestly, would feel pity that someone hacked into a home system that contains absolutely no important or sensitive data. Even if all they desire is to use me as a part of a botnet, I will simply reload the OS and every other software package I have from scratch. No possibly compromised backup images, no thumb drives, nothing. After that I will change every website password not because I feel they might be compromised, but simply because. If I have even the slightest suspicion or doubt about the security of any financial accounts, I will have cards destroyed and renewed. After that, there is really nothing that can be done but to move on and be more vigilant.
Yes, one thing you can bank on around here... when a poll is created, there are plenty of participants waiting to tell the OP how it could have been made better. Btw, one of the most astute responses so far came from Hungry Man...
I don't have any reaction matching the options in this poll. My reaction would rather be: "Oh no you don't! Time slipped!!" Toolwiz Time Freeze can cure all my shock: revert everything back in time, like Deepfreeze. I always use this when I can't handle the LassBoss virus. Besides, Toolwiz is 100% free; it even made me completely forget about CCleaner.
I picked the Other option. First I would try to figure out how I got exploited. For me there is no point in restoring a system image if I don't close the door that let the bad guys in. Once I'd figured out what was going on, I would restore an image and close the exploit. If that were not possible, I would change the problematic program or OS.
"Shocked. How could this happen to me!? Will wipe drive and restore a recent backup image." But really not shocked, rather: who wanted to exploit me, and why?
First thing: take the machine offline, isolate our LAN from other connected networks (WAN/Internet), see if the rest of the network's machines and data have been compromised and take those offline, reset passwords, expire certificates, and inform anyone else who could be at risk before even thinking about looking at the infected machine.
When you have found that your system(s) have been exploited, then comes the analytical part: what has happened, damage control, and what to do to prevent a situation like this. If you are able to, then simulate the situation that led to the exploitation of your systems, to see if you have implemented the right tools to handle a situation like this again in your network. Besides that, I think that Page42 is spot on with his post, that you may need to warn people/friends on your mail list, and you may also need to replace credit card information just in case. Regards, Janus
Clearly a lot more involved than with a home system. What is done to recover the infected machine(s)? Is it reloaded with a COE or some other method used?
I would check "Not shocked and will have fun to clean it and go to a previous snapshot". I have on my PC Eaz-Fix 9.1 and CTM 2.8.
I'd be pretty shocked if it happened to me despite the measures I've taken. And I'd reformat my box altogether, not just reimage. I'm OCD about that kinda stuff. I'd reimage if it were a user error or some glitch, but an infection and I couldn't sleep until I wrote zeros to every sector of the drive and started from formula.