Re: MSBlast and other known exploits..

From: Jay Woody (jay_woody_at_tnb.com)
Date: 08/15/03

    Date: Fri, 15 Aug 2003 10:09:37 -0500
    To: <incidents@securityfocus.com>, <keydet89@yahoo.com>
    
    

    >> 1. If the infection isn't Admin or System-level, why
    >> rebuild?

    Apples and Oranges. We are talking here about Admin and System level,
    so that is what my recommendation is concerning. I guess maybe I am a
    little slow here. I am not aware of something that I would consider
    compromised that isn't, at least in part, at an admin or system level.
    Can you maybe give me an example of a compromise at a non-admin level
    and maybe I can go from there.

    >> 2. If a blind, unqualified rebuild is done, what
    >> happens?

    Hopefully you lose your job I guess. What idiot in his right mind
    would do or recommend a "blind, unqualified rebuild". My point was in
    this case, you know that you were compromised and you know how and why.
    Research it to your heart's content, but when it is time to fix it, the
    only truly secure way is a rebuild. The people in this equation that
    are doing blind and unqualified things seem to be the ones that are
    blindly trusting the cleaners to get everything off their system.

    >> If nothing is done to determine *how* the
    >> incident occurred, then what happens?

    Uh, I guess you ride the little bus to school tomorrow.

    >> The system could be very quickly reinfected,
    >> leading to an endless cycle of infections and
    >> re-installs.

    Riiiight, but running a cleaner prevents this? Uh, nope. But
    rebuilding and patching does.

    >> Or worse, the subsequent incident could be far
    >> deeper and far more stealthy.

    But you would always have a cleaner to protect you.

    JayW

    >>> Harlan Carvey <keydet89@yahoo.com> 08/14/03 05:51PM >>>
    Jay,

    > Another example of why rebuilding is ALWAYS the most
    > secure answer when
    > a machine has been compromised. I have a feeling
    > that many of you that
    > are just blindly trusting these cleaners are going
    > to find out that this
    > isn't enough. My 2 cents. Rebuild.

    Just a couple of thoughts...

    1. If the infection isn't Admin or System-level, why
    rebuild?

    2. If a blind, unqualified rebuild is done, what
    happens? If nothing is done to determine *how* the
    incident occurred, then what happens? The system
    could be very quickly reinfected, leading to an
    endless cycle of infections and re-installs. Or
    worse, the subsequent incident could be far deeper and
    far more stealthy.

    Harlan


