Re: We've been compromised, now what...

From: HC
Date: 05/30/02

From: HC
Date: Wed, 29 May 2002 22:57:25 -0400

> There's been some good advice here, and there's a wealth of info from
> SANS, Cert, and all the usual suspects, but the bottom line is that
> you can't really know what's been done until you rebuild from scratch.

This is complete bs. If you simply rebuild from scratch, what have you
discovered? You could very well be putting the same holes right back
into the system that you had to begin with. The system must be
investigated to the extent possible (based on time, knowledge of the
admin, available logs, etc.) and the means of access/compromise
determined. Otherwise, you're putting a fresh system back on the net,
just to be hacked.

> At the very least, monitor your firewall logs and use account auditing
> to track everything going on. Lock down accounts and access at the
> firewall until the users scream, then look at each complaint to see if
> granting the access requested makes sense.

Wow. Talk about a bad idea. Admins have been fired for this. I'm not
saying to leave everything open, but a few minutes of rational thought
will show that this doesn't make sense. If a user doesn't require
dial-in access, don't give it to them. It's that easy. Don't cut off
dial-in access for everyone and wait to hear who could very well be a
salesman in a bind, just as he's about to close a major deal.

> It's not hard to harden an NT/W2K system, it just doesn't come that
> way. Having all the patches in place leaves a lot of holes open for
> you to hunt down and close.

Not really. Most, if not all, of the "holes" left untouched by patching
the system are pretty well you said, check SANS, and the
NSA guides, as well.