RE: compromised network

From: Mike (mike_at_superiorholidayadventures.ca)
Date: 01/05/04

  • Next message: Greg Tracy: "Re: home wireless router good practices for security"

Date: Mon, 5 Jan 2004 12:00:46 -0500
To: <security-basics@securityfocus.com>

    > > > Eg, let's say all is quiet and OK and the crap started happening, at
    > > > the local timezone of that machine, at 11PM. Let's FURTHER say that
    > > > the business has a once a week full backup with hourly incrementals.
    > > > What the heck is the matter with going back to that SAME day at 10PM's
    > > > incremental and restoring from that image/incremental?
    > >
    > > How do you make sure the intruder did not modify anything not covered by
    > > those backups (e.g. install some additional backdoors)?
    >
    > You conveniently edited that bit out. The answer was already there so I'll
    > requote it for you:
    >
    >
    > "Now, after reinstalling from image/incremental, I would, as some have said,
    > get someone in who really knows what he/she is doing to A) Make the
    > possibility of it happening ever again as close to zero as it can be; B) Get
    > rid of whatever the weakness was that allowed this to happen."

    ... snip ...

    > > - rebuild the system from scratch
    >
    > Very BAD and WASTEFUL idea.

    I think both solutions have their merit depending on each unique
    situation. If this were a highly critical system, I would undoubtedly
    reinstall from scratch without a network connection. I would then patch
    from a trusted source (i.e. cd) with the client's computer still
    offline. Performing an image of the system would be a good idea at this
    point as it gives you a good reference point to start with in the future
    (should you get exploited again). Only then would you start restoring
    data from backup.

    If this were an SMB, you could easily bring in a consultant to clean up
    the mess, restore backups, and patch any holes.

    > > - close the door the attacker had used
    > Well look at XP for example. Let's say you have an XPSP1 installation and
    > for whatever reason you like, you decide to format and reinstall XP *BUT*
    > the CD you have is PRE SP1. You have formatted and reinstalled. You are now
    > open to Nachi and Blaster to name 2. So in closing one hole, you have just
    > opened 2 others.

    Not if you do this offline. If you don't know, Microsoft allows you to
    download each individual patch from their catalog instead of having to
    connect to WU. You, of course, need a secondary trusted computer to get
    these patches.

    http://v4.windowsupdate.microsoft.com/catalog/en/default.asp

    You can use MBSA or HFNetChkLT to scan the machine to find out what
    patches are needed.

    Mike Fetherston
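The offline rebuild-then-patch procedure Mike describes (reinstall disconnected, bring patches over from a trusted second machine, verify what the box still needs, and only then restore data) can be scripted on a current Windows host. The script below is an added example, not code from the original post or from Microsoft; it substitutes today's tooling (Get-FileHash, Get-AuthenticodeSignature, Get-HotFix and the standalone installer wusa.exe) for the 2004-era Windows Update catalog and MBSA/HFNetChkLT scan. The folder paths, the `hashes.txt` manifest format ("<sha256>  <filename>" per line, produced on the trusted machine), and the assumption that each .msu filename carries its KB number are all hypothetical conventions chosen for the example. Run it in an elevated PowerShell session on the rebuilt, still-disconnected machine.

```powershell
# Offline patch verification and installation for a freshly rebuilt, disconnected box.
# Added example; paths, manifest format and filename convention are assumptions.
param(
    [string]$PatchDir = 'D:\patches',            # removable media staged on the trusted machine
    [string]$Manifest = 'D:\patches\hashes.txt'  # "<sha256>  <filename>" lines written on that machine
)

# 1. Verify every staged file against the manifest made on the trusted machine.
#    A hash match proves the media carries exactly the files you downloaded there;
#    the Authenticode check proves those files are what the vendor signed.
$expected = @{}
Get-Content -Path $Manifest | ForEach-Object {
    $parts = $_.Trim() -split '\s+', 2
    if ($parts.Count -eq 2) { $expected[$parts[1]] = $parts[0].ToLower() }
}

$ok = $true
foreach ($name in $expected.Keys) {
    $path = Join-Path -Path $PatchDir -ChildPath $name
    if (-not (Test-Path -Path $path)) {
        Write-Warning "missing from media: $name"; $ok = $false; continue
    }
    $actual = (Get-FileHash -Path $path -Algorithm SHA256).Hash.ToLower()
    if ($actual -ne $expected[$name]) {
        Write-Warning "hash mismatch: $name"; $ok = $false; continue
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "signature not valid ($($sig.Status)): $name"; $ok = $false
    }
}
if (-not $ok) { throw 'Patch set failed verification; install nothing and re-stage from the trusted machine.' }

# 2. Work out what the rebuilt box still needs: staged KBs minus KBs already present.
#    This is the offline equivalent of the MBSA/HFNetChkLT scan in the post.
$installed = Get-HotFix | ForEach-Object { $_.HotFixID.ToUpper() }      # e.g. KB5034441
$staged = Get-ChildItem -Path $PatchDir -Filter *.msu | ForEach-Object {
    if ($_.Name -match 'kb(\d+)') {                                      # assumed filename convention
        [pscustomobject]@{ KB = "KB$($matches[1])"; Path = $_.FullName }
    }
}
$toInstall = @($staged | Where-Object { $installed -notcontains $_.KB })
Write-Host ("{0} staged, {1} already installed, {2} to apply" -f @($staged).Count, (@($staged).Count - $toInstall.Count), $toInstall.Count)

# 3. Install with the standalone installer, which needs no Windows Update connectivity.
#    Exit code 0 = installed, 3010 = installed and reboot pending; anything else is reported.
foreach ($p in $toInstall) {
    Write-Host "Installing $($p.KB)"
    $proc = Start-Process -FilePath 'wusa.exe' -ArgumentList "`"$($p.Path)`" /quiet /norestart" -Wait -PassThru
    if ($proc.ExitCode -notin 0, 3010) {
        Write-Warning "$($p.KB) returned exit code $($proc.ExitCode)"
    }
}

# 4. Record the post-patch state. Keep this listing with the clean image taken before
#    data is restored, so the next rebuild has a known-good reference point.
Get-HotFix | Sort-Object -Property InstalledOn | Select-Object -Property HotFixID, Description, InstalledOn
```

Reboot when wusa reports 3010, re-run the script once so step 2 shows nothing left to apply, take the clean image at that point, and only then restore data from backup and bring the machine online.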
