Re: IIS web server hacked..any tips?
Valdis.Kletnieks_at_vt.edu
Date: 12/16/04
- Previous message: Richard.Grant_at_ky.gov: "RE: IIS web server hacked..any tips?"
- In reply to: cta_at_hcsin.net: "Re: IIS web server hacked..any tips?"
- Next in thread: Dave Dodge: "Re: IIS web server hacked..any tips?"
- Reply: Dave Dodge: "Re: IIS web server hacked..any tips?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: cta@hcsin.net
Date: Thu, 16 Dec 2004 12:08:50 -0500
On Wed, 15 Dec 2004 19:44:34 EST, "cta@hcsin.net" said:
> Just to add some sage advice… if you really want to ensure that the
> contents of a suspected compromised machine's virtual memory, as well as
> its hard drive are intact then I would NOT "pull the plug" i.e.,
> disconnect from network. An attacker with half a brain can easily load a
> watchdog program that automatically erases memory,
What percentage of attackers have half a brain? ;)
Yes, one *can* approach every single incident worrying that the attacker has
read things like Thompson's "On Trusting Trust", and possibly re-flashed your
system BIOS/microcode, and may actively be running a MITM attack at your ISP
so when you download a new BIOS, you get handed another trojaned BIOS.
But then, what % of the time do you have an uberhacker posing as a warez kiddie
using your site to store pirated DVD images of movies? For that matter, have
you performed steganographic analysis of those "movies" to make sure they
aren't *REALLY* cleverly disguised rootkits?
Yes, *IF* you have reason to suspect that your attacker is smarter than the
average bear^Wscript kiddie, you may want to come up with a better way to cut
them off the network than pulling the cable. But first convince yourself that
it isn't Yet Another Script Kiddie - you need to finish off this incident before
the next one arrives.
(If you're *really* tech-savvy, and the suspect machine has an ieee1394
port, you can have your cake and eat it too - use a "field-modified" iPod to
collect the evidence nice and fast without the hacker's knowledge, and THEN
pull the plug and proceed with the forensics. ;)