RE: compromised network
From: Mike (mike_at_superiorholidayadventures.ca)
Date: 01/05/04
- Previous message: Dan Bartley: "RE: What to do if Cisco router & switches got hacked ?"
- Next in thread: Francisco Mário Ferreira Custódio: "RE: compromised network"
- Maybe reply: Francisco Mário Ferreira Custódio: "RE: compromised network"
Date: Mon, 5 Jan 2004 12:00:46 -0500
To: <security-basics@securityfocus.com>
> > > Eg, let's say all is quiet and OK and the crap started happening, at
> > > the local timezone of that machine, at 11PM. Let's FURTHER say that
> > > the business has a once a week full backup with hourly incrementals.
> > > What the heck is the matter with going back to that SAME day at 10PM's
> > > incremental and restoring from that image/incremental?
> >
> > How do you make sure the intruder did not modify anything not covered by
> > those backups (e.g. install some additional backdoors)?
>
> You conveniently edited that bit out. The answer was already there so I'll
> requote it for you:
>
> "Now, after reinstalling from image/incremental, I would, as some have said,
> get someone in who really knows what he/she is doing to A) Make the
> possibility of it happening ever again as close to zero as it can be; B) Get
> rid of whatever the weakness was that allowed this to happen."
... snip ...
> > - rebuild the system from scratch
>
> Very BAD and WASTEFUL idea.
I think both solutions have their merit depending on each unique
situation. If this were a highly critical system, I would undoubtedly
reinstall from scratch without a network connection. I would then patch
from a trusted source (i.e. CD) with the client's computer still
offline. Performing an image of the system would be a good idea at this
point as it gives you a good reference point to start with in the future
(should you get exploited again). Only then would you start restoring
data from backup.
If this were an SMB you could easily bring in a consultant to clean up
the mess, restore backups, and patch any holes.
> > - close the door the attacker had used
> Well look at XP for example. Let's say you have an XPSP1 installation and
> for whatever reason you like, you decide to format and reinstall XP *BUT*
> the CD you have is PRE SP1. You have formatted and reinstalled. You are now
> open to Nachi and Blaster to name 2. So in closing one hole, you have just
> opened 2 others.
Not if you do this offline. If you don't know, Microsoft allows you to
download each individual patch from their catalog instead of having to
connect to WU. You, of course, need a secondary trusted computer to get
these patches.
http://v4.windowsupdate.microsoft.com/catalog/en/default.asp
You can use MSBSA or HFNetChkLT to scan the machine to find out what
patches are needed.
Mike Fetherston
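Mike's "good reference point" step, as an added example that is not code from this thread or its authors: after the offline rebuild and patching, hash the known-good filesystem into a manifest stored off the machine, and later diff the live system against it to spot added, removed or changed files. The helper names, the manifest format and the constructed sample tree in demo() are assumptions of this example.

```python
"""Baseline-and-compare integrity check for a freshly rebuilt system.

Added example, not code from the original thread: hash every file of the
known-good state into a manifest kept off the machine, then diff the live
filesystem against it later. Helper names, manifest format and the
demo() tree are assumptions of this example.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map each regular file under root (POSIX relative path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest

def compare(baseline: dict, current: dict) -> dict:
    """List files added, removed or changed since the baseline manifest."""
    common = baseline.keys() & current.keys()
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(k for k in common if baseline[k] != current[k])}

def demo() -> dict:
    """Constructed sample tree: baseline it, alter it, report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "motd").write_text("rebuilt offline 2004-01-05\n")
        baseline = json.loads(json.dumps(build_manifest(root)))  # stored copy
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n# changed\n")
        (root / "etc" / "motd").unlink()
        (root / "etc" / "unexpected.bin").write_bytes(b"\x00\x01")
        return compare(baseline, build_manifest(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline manifest belongs on the same trusted media as the image, not on the host it describes, so a later intruder cannot rewrite it.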