Re: Strange servicepack.exe file (not service.exe) found.

dreamwvr_at_dreamwvr.com
Date: 12/19/03

  • Next message: Paul Murphy: "RE: Need two files for testing"
    Date: Thu, 18 Dec 2003 20:01:33 -0700
    To: incidents@securityfocus.com
    On Thu, Dec 18, 2003 at 08:35:35AM -0800, David Gillett wrote:
    > Paradoxically, I find many Linux admins perversely prone
    > to trying to do minimal cleanup to a box that is found to
    > be compromised, without much effort to discover what *else*
    > has been done to the box in its "compromised, but not yet
    > detected" state, a period for which records such as local
    > logs cannot be trusted. (Did the discovered compromise
    Balderdash. I have yet to meet the Linux or BSD admin, including
    myself, who ever 'just' removes what they think is tainted.
    Or -T if you like. At the bare minimum, anyone doing *NIX will
    wipe the hard drive completely clean and start from a known
    clean state and/or backup. This sounds too much like Windows
    techno-babble switcheroo for my taste. Some do tend to
    freeze the drive for forensic analysis :) however, they do not
    tend to 'ever' be so "perversely prone to do a minimal cleanup..."
    Basic compromise 101 in the *NIX world is to wipe the drive clean
    and go from there with all patches applied, unplugged from the network.

    Regards,
    dreamwvr@dreamwvr.com

    -- 
    /*  Security is a work in progress - dreamwvr                 */
    #                               48 69 65 72 6F 70 68 61 6E 74 32
    # Note: To begin Journey type man afterboot,man help,man hier[.]      
    # 66 6F 72 20 48 69 72 65                              0000 0001
    // "Who's Afraid of Schrodinger's Cat?" /var/(.)?mail/me \?  ;-]
    

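As an added example, not from the original post or the list: the "freeze the drive for forensic analysis" step above, as a POSIX shell script. It images a disk with dd (continuing past unreadable blocks and keeping dd's own report), records SHA-256 hashes of source and image at acquisition time, and re-checks the image against that record later. The "device" is a constructed 1 MiB file so it runs without root; the work directory, file names and function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): "freeze the drive" before the
# rebuild. Image the disk with dd, log dd's report, and record SHA-256 hashes
# of source and image so the copy can be shown bit-identical later. The
# "device" here is a constructed 1 MiB file so the script runs without root.
set -eu

WORK=${TMPDIR:-/tmp}/freeze-demo.$$
mkdir -p "$WORK"

sha256() {
    # Portable hash helper: GNU coreutils sha256sum or BSD/macOS shasum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

make_sample_device() {
    # Constructed stand-in for /dev/sdX. Its size is a multiple of the dd
    # block size below so conv=sync adds no zero padding (a real disk is
    # already a whole number of sectors).
    yes 'compromised-host-sector' | head -c 1048576 > "$1"
}

# image_device SRC IMG: copy SRC to IMG, continuing past unreadable blocks
# (conv=noerror,sync zero-fills them) and keep dd's own report in IMG.dd.log.
# Writes both hashes to IMG.sha256; returns 0 only if source and image match.
image_device() {
    src=$1; img=$2
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2> "$img.dd.log"
    src_hash=$(sha256 "$src")
    img_hash=$(sha256 "$img")
    printf '%s  %s\n' "$src_hash" "$src" >  "$img.sha256"
    printf '%s  %s\n' "$img_hash" "$img" >> "$img.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMG: re-hash the image and compare with the value recorded at
# acquisition time, so later tampering with the evidence copy is detectable.
verify_image() {
    img=$1
    recorded=$(awk -v f="$img" '$2 == f { print $1 }' "$img.sha256")
    [ -n "$recorded" ] && [ "$(sha256 "$img")" = "$recorded" ]
}

make_sample_device "$WORK/sdX"
image_device "$WORK/sdX" "$WORK/sdX.img" && echo "image matches source"
verify_image "$WORK/sdX.img" && echo "image hash still matches record"
rm -rf "$WORK"
```

On a real host, SRC would be the block device (for example /dev/sdX) of the compromised machine, ideally read through a write blocker or from a boot medium, and the image, its .sha256 record and the dd log go to separate media before the wipe and rebuild the post describes.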