Re: compromised network

From: Greg (pchandyman_at_ozemail.com.au)
Date: 01/03/04

  • Next message: Jack: "Re: home wireless router good practices for security"
    To: "Ansgar -59cobalt- Wiechers" <bugtraq@planetcobalt.net>, <security-basics@securityfocus.com>
    Date: Sat, 3 Jan 2004 10:40:46 +1100
    
    

    ----- Original Message -----
    From: "Ansgar -59cobalt- Wiechers" <bugtraq@planetcobalt.net>
    To: <security-basics@securityfocus.com>
    Sent: Saturday, January 03, 2004 6:04 AM
    Subject: Re: compromised network

    > On 2004-01-02 Greg wrote:
    > > Eg, let's say all is quiet and OK and the crap started happening, at
    > > the local timezone of that machine, at 11PM. Let's FURTHER say that
    > > the business has a once a week full backup with hourly incrementals.
    > > What the heck is the matter with going back to that SAME day at 10PM's
    > > incremental and restoring from that image/incremental?
    >
    > How do you make sure the intruder did not modify anything not covered by
    > those backups (e.g. install some additional backdoors)?

    You conveniently edited that bit out. The answer was already there so I'll
    requote it for you:

    "Now, after reinstalling from image/incremental, I would, as some have said,
    get someone in who really knows what he/she is doing to A) Make the
    possibility of it happening ever again as close to zero as it can be; B) Get
    rid of whatever the weakness was that allowed this to happen."

    >
    > The only reasonable thing to do in a situation like this is:
    >
    > - find out how the intruder got in

    Yes.

    > - rebuild the system from scratch

    Very BAD and WASTEFUL idea.

    > - close the door the attacker had used

    Well look at XP for example. Let's say you have an XPSP1 installation and
    for whatever reason you like, you decide to format and reinstall XP *BUT*
    the CD you have is PRE SP1. You have formatted and reinstalled. You are now
    open to Nachi and Blaster to name 2. So in closing one hole, you have just
    opened 2 others.

    > - restore backups where appropriate

    They are ALWAYS appropriate. If you are not using Image backups you are
    wasting a lot of time.

    > - then put the system(s) back online
    >
    > > Reformat and install from scratch? That is more or less, to me
    > > personally, like "My car is out of fuel! I better buy a new car!".
    >
    > Wrong.
    >

    Nope. In fact your idea is time wasteful, money wasteful and opens new holes
    that were patched before. You are wrong without a doubt! My way, you have
    restored to before the event occurred and you have called someone in who
    KNOWS what they are doing to find and patch the hole. Less time and money
    wasted.

    Greg.

    ---------------------------------------------------------------------------
    ----------------------------------------------------------------------------


  • Next message: Jack: "Re: home wireless router good practices for security"