Re: MSBlast and other known exploits..
From: Jay Woody (jay_woody_at_tnb.com)
Date: 08/15/03
- Previous message: Eric van Wiltenburg: "Microsoft 'extinguishes' windowsupdate.com"
- Maybe in reply to: Micheal Patterson: "MSBlast and other known exploits.."
Date: Fri, 15 Aug 2003 10:09:37 -0500
To: <incidents@securityfocus.com>, <keydet89@yahoo.com>
>> 1. If the infection isn't Admin or System-level, why
>> rebuild?
Apples and Oranges. We are talking here about Admin and System level,
so that is what my recommendation is concerning. I guess maybe I am a
little slow here. I am not aware of something that I would consider
compromised that isn't, at least in part, at an admin or system level.
Can you maybe give me an example of a compromise at a non-admin level
and maybe I can go from there.
>> 2. If a blind, unqualified rebuild is done, what
>> happens?
Hopefully you lose your job I guess. What idiot in his right mind
would do or recommend a "blind, unqualified rebuild"? My point was in
this case, you know that you were compromised and you know how and why.
Research it to your heart's content, but when it is time to fix it, the
only truly secure way is a rebuild. The people in this equation that
are doing blind and unqualified things seem to be the ones that are
blindly trusting the cleaners to get everything off their system.
>> If nothing is done to determine *how* the
>> incident occurred, then what happens?
Uh, I guess you ride the little bus to school tomorrow.
>> The system could be very quickly reinfected,
>> leading to an endless cycle of infections and
>> re-installs.
Riiiight, but running a cleaner prevents this? Uh, nope. But
rebuilding and patching does.
>> Or worse, the subsequent incident could be far
>> deeper and far more stealthy.
But you would always have cleaner to protect you.
JayW
>>> Harlan Carvey <keydet89@yahoo.com> 08/14/03 05:51PM >>>
Jay,
> Another example of why rebuilding is ALWAYS the most
> secure answer when
> a machine has been compromised. I have a feeling
> that many of you that
> are just blindly trusting these cleaners are going
> to find out that this
> isn't enough. My 2 cents. Rebuild.
Just a couple of thoughts...
1. If the infection isn't Admin or System-level, why
rebuild?
2. If a blind, unqualified rebuild is done, what
happens? If nothing is done to determine *how* the
incident occurred, then what happens? The system
could be very quickly reinfected, leading to an
endless cycle of infections and re-installs. Or
worse, the subsequent incident could be far deeper and
far more stealthy.
Harlan