Re: compromised network

From: Greg (pchandyman_at_ozemail.com.au)
Date: 01/03/04

    To: "Ansgar -59cobalt- Wiechers" <bugtraq@planetcobalt.net>, <security-basics@securityfocus.com>
    Date: Sat, 3 Jan 2004 10:40:46 +1100
    
    

    ----- Original Message -----
    From: "Ansgar -59cobalt- Wiechers" <bugtraq@planetcobalt.net>
    To: <security-basics@securityfocus.com>
    Sent: Saturday, January 03, 2004 6:04 AM
    Subject: Re: compromised network

    > On 2004-01-02 Greg wrote:
    > > E.g., let's say all is quiet and OK and the crap started happening, at
    > > the local timezone of that machine, at 11PM. Let's FURTHER say that
    > > the business has a once-a-week full backup with hourly incrementals.
    > > What the heck is the matter with going back to that SAME day's 10PM
    > > incremental and restoring from that image/incremental?
    >
    > How do you make sure the intruder did not modify anything not covered by
    > those backups (e.g. install some additional backdoors)?

    You conveniently edited that bit out. The answer was already there so I'll
    requote it for you:

    "Now, after reinstalling from image/incremental, I would, as some have said,
    get someone in who really knows what he/she is doing to A) Make the
    possibility of it happening ever again as close to zero as it can be; B) Get
    rid of whatever the weakness was that allowed this to happen."

    >
    > The only reasonable thing to do in a situation like this is:
    >
    > - find out how the intruder got in

    Yes.

    > - rebuild the system from scratch

    Very BAD and WASTEFUL idea.

    > - close the door the attacker had used

    Well, look at XP for example. Let's say you have an XP SP1 installation and,
    for whatever reason you like, you decide to format and reinstall XP *BUT*
    the CD you have is pre-SP1. You have formatted and reinstalled. You are now
    open to Nachi and Blaster, to name 2. So in closing one hole, you have just
    opened 2 others.

    > - restore backups where appropriate

    They are ALWAYS appropriate. If you are not using Image backups you are
    wasting a lot of time.

    > - then put the system(s) back online
    >
    > > Reformat and install from scratch? That is more or less, to me
    > > personally, like "My car is out of fuel! I better buy a new car!".
    >
    > Wrong.
    >

    Nope. In fact your idea is time wasteful, money wasteful and opens new holes
    that were patched before. You are wrong without a doubt! My way, you have
    restored to before the event occurred and you have called someone in who
    KNOWS what they are doing to find and patch the hole. Less time and money
    wasted.

    Greg.


