Re: compromised network

From: Greg (
Date: 01/07/04

    To: "Ansgar -59cobalt- Wiechers" <>, <>
    Date: Thu, 8 Jan 2004 09:10:02 +1100

    ----- Original Message -----
    From: "Ansgar -59cobalt- Wiechers" <>
    To: <>
    Sent: Saturday, January 03, 2004 5:08 PM
    Subject: Re: compromised network

    > On 2004-01-03 Greg wrote:
    > >
    > > ----- Original Message -----
    > > From: "Ansgar -59cobalt- Wiechers" <>
    > > Sent: Saturday, January 03, 2004 6:04 AM
    > >
    > > > On 2004-01-02 Greg wrote:
    > > > > Eg, let's say all is quiet and OK and the crap started happening,
    > > > > at the local timezone of that machine, at 11PM. Let's FURTHER say
    > > > > that the business has a once a week full backup with hourly
    > > > > incrementals. What the heck is the matter with going back to that
    > > > > SAME day at 10PM's incremental and restoring from that
    > > > > image/incremental?
    > > >
    > > > How do you make sure the intruder did not modify anything not
    > > > covered by those backups (e.g. install some additional backdoors)?
    > >
    > > You conveniently edited that bit out. The answer was already there so
    > > I'll requote it for you:
    > s/conveniently/mistakenly/
    > > "Now, after reinstalling from image/incremental, I would, as some have
    > > said, get someone in who really knows what he/she is doing to A) Make
    > > the possibility of it happening ever again as close to zero as it can
    > > be; B) Get rid of whatever the weakness was that allowed this to
    > > happen."
    > Ah, I misread that. Of course nothing is wrong with rebuilding a system
    > from images and restoring backups. The way I read it "rebuilding from
    > scratch" also includes the option of using images. What you wrote did
    > sound to me like you were going to just go back to the point before the
    > compromise, which would leave you with the problem I mentioned.
    > Anyway: my bad.

    No probs. I read "rebuilding from scratch", just FYI, as "format, install
    chosen OS, install chosen applications, set up networking requirements" etc
    ad infinitum as you would for a brand new network for a new company, for

    > > > The only reasonable thing to do in a situation like this is:
    > > >
    > > > - find out how the intruder got in
    > >
    > > Yes.
    > > > - close the door the attacker had used
    > >
    > > Well look at XP for example. Let's say you have an XPSP1 installation
    > > and for whatever reason you like, you decide to format and reinstall
    > > XP *BUT* the CD you have is PRE SP1. You have formatted and
    > > reinstalled. You are now open to Nachi and Blaster to name 2. So in
    > > closing one hole, you have just opened 2 others.
    > Now you have conveniently ignored one of my points ;). Of course you
    > don't connect the system back to the network (i.e. online) until you
    > patched and configured it properly.

    That wasn't my point, however. My point was merely to point out that
    rebuilding from format and reinstall (to clarify this point) in the instance
    I quoted actually opens at least TWO holes. In fact it may come to this one
    day - that the next Windows OS comes out and someone happily using XP DOES
    do a format and reinstall and DOESN'T think about Nachi and Blaster then
    WHAM. Not likely right now, admittedly! :)

    > Note: IIRC I would still be vulnerable to Nachi and Blaster even if I
    > had installed SP1 (which can be done easily by building an installation
    > CD with integrated SP).

    Oh true. I was rather vague there, I see. I meant a "properly patched XPSP1
    being formatted and XP pre SP1 reinstalled".

    > > > - restore backups where appropriate
    > >
    > > They are ALWAYS appropriate.
    > Restoring backups from timepoints after an intrusion may not always be
    > appropriate, but restoring files that were checked and found not being
    > modified by the intruder may be.

    Yes possible that they may not be appropriate. Too much depends on the
    company needs at that point. It is one reason why I am a little fussy about
    real time imaging and prefer an hourly incremental. What's the point of
    having redundancy click in when you take C drive offline to clear out an
    intrusion problem if the mirrored drive then takes over, intrusion problem
    and all? I am still not exactly happy.... too many people who KNOW what they
    are doing around who CAN catch me by surprise. I live by "I don't know it
    all" in the hopes I can learn more.

    > > If you are not using Image backups you are wasting a lot of time.
    > Not necessarily. There are more options than just installation CDs and
    > images.

    I wasn't referring to installation CDs. I was referring to imaged drives. Eg,
    I image all my drives (automatically, naturally) on all my computers, to
    other drives or partitions depending on the computer, here at home. Do we
    all remember the MS XP Critical Update of March 28, 2001? I applied it and
    Stop Screened. I couldn't, at that time, figure out a way to fix it and I had
    no computer on this one I am using now so I just restored the last backup
    which didn't include that MS update and all was well again. Fortunately for
    me, it wasn't just MY problem and they did reissue that patch. If my C drive
    burns out today, I put another in and restore from image backup. Say 40
    minutes after starting the restore, at most, I am back on the air with some
    data loss as opposed to no image backups, taking hours to set things back up
    and with complete data loss. That's my idea of something that makes a
    positive difference.
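Ansgar's point about restoring only files that were checked and found unmodified can be made mechanical: hash the last known-good backup set (the 10PM incremental in Greg's scenario) into a manifest, compare the later backup against it, and restore only the files whose hashes still match. The Python below is an added illustration written for this archive page, not code from either poster; the two backup directories and their file names are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backup images need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative path -> sha256) so two backup sets can be compared."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def classify(known_good: dict, candidate: dict) -> dict:
    """Compare a later backup against the last known-good manifest.

    Only 'unchanged' files are safe to restore as-is; 'modified' and 'added'
    files need review or a rebuild, and 'missing' files exist only in the old set.
    """
    return {
        "unchanged": sorted(p for p in candidate if known_good.get(p) == candidate[p]),
        "modified": sorted(p for p in candidate if p in known_good and known_good[p] != candidate[p]),
        "added": sorted(p for p in candidate if p not in known_good),
        "missing": sorted(p for p in known_good if p not in candidate),
    }


def demo() -> dict:
    """Constructed example: a 10PM known-good snapshot and an 11PM backup with changes."""
    with tempfile.TemporaryDirectory() as tmp:
        good, later = Path(tmp, "backup_10pm"), Path(tmp, "backup_11pm")
        for root in (good, later):
            (root / "etc").mkdir(parents=True)
            (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
            (root / "app.cfg").write_text("port=8080\n")
        # Changes that appear only in the later backup (constructed for the demo).
        (later / "app.cfg").write_text("port=8080\nadmin=enabled\n")
        (later / "etc" / "extra.conf").write_text("# not present at 10PM\n")
        return classify(build_manifest(good), build_manifest(later))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:9s} {files}")
```

The manifest is only as trustworthy as the snapshot it was taken from, so it must come from a point you have independent reason to believe predates the intrusion, and anything the manifest does not cover (boot sectors, registry, scheduled tasks) still needs its own check.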
