RE: First time security issue.
From: Bojan Zdrnja (Bojan.Zdrnja_at_LSS.hr)
Date: 07/23/03
- Previous message: John Ives: "Re: First time security issue."
- In reply to: Harlan Carvey: "Re: First time security issue."
- Next in thread: Harlan Carvey: "Re: First time security issue."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <incidents@securityfocus.com>
Date: Wed, 23 Jul 2003 14:58:11 +1200
> -----Original Message-----
> From: Harlan Carvey [mailto:keydet89@yahoo.com]
> Sent: Wednesday, 23 July 2003 8:56 a.m.
> To: incidents@securityfocus.com
> Subject: Re: First time security issue.
>
> What about the "how"? If the original poster (OP)
> never discovers how the original compromise occurred,
> then rebuilding the system does nothing but waste
> time. Rebuilding and updating the patches may help,
> but there are a great deal of things that patching
> doesn't protect against, such as misconfigurations and
> weak passwords.

I'd agree with Harlan here.
However, the process itself depends upon the business needs in front of the
OP.

In any case, my suggestion would be to reinstall the system and apply all
patches on it. Also, before this, the OP should make an HDD image copy so he can
do forensics on it and eventually find out what happened with it.

According to what the OP wrote, and as Harlan said as well, I doubt this is
related to any Windows NT rootkit. Most of the cases I had experience with,
and which had ServU/IRC-bot being set up, are related to script kiddies who
just want to collect more machines and use public well-known exploits (or
weak passwords etc.).

Best regards,
Bojan Zdrnja