Re: We've been compromised, now what...

From: HC (keydet89@yahoo.com)
Date: 05/30/02


From: HC <keydet89@yahoo.com>
Date: Wed, 29 May 2002 22:51:58 -0400


> While Steve Gibson's probe test (or anything from him, really) is a
> complete waste of time, port scanning the system from the outside is
> in fact very useful.
>
> It is wise to know what external intruders can find out about your
> systems over the internet. You can of course check your servers and
> routers, and make a qualified guess at what an external intruder will
> see, but it is useful to actually _know_. Also, the port scanning
> should trigger alerts, or at least be logged, so performing this
> yourself makes sure this works.

While this is true for performing a vulnerability analysis of a system,
it's a complete waste of time for an already-compromised system. Port
scanning leads to too much ambiguity...this can be easily seen over on
the Incidents list at SF. A much better use of time and resources is to
perform a process-to-port mapping, in order to determine which
application is using which port. This way, there is no ambiguity,
guessing, or speculation. This is extremely important when you consider
the fact that most trojans are configurable as to which port they use.
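
The process-to-port mapping described in this message, as an added example that is not part of the original post: it joins the listening sockets in `/proc/net/tcp` with the socket inodes found under each `/proc/<pid>/fd`. It assumes a Linux host and IPv4 TCP only; the function names and the sample table are constructed for illustration.

```python
import os
import re

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1
   1: 0100007F:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 22222 1
   2: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 33333 1
"""

def listening_sockets(tcp_text):
    """Return (ip, port, inode) for every socket in LISTEN state (st == 0A)."""
    rows = []
    for line in tcp_text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10 or f[3] != "0A":
            continue
        addr, port = f[1].split(":")
        # Assumption: little-endian host, so the IPv4 bytes are stored reversed.
        ip = ".".join(str(b) for b in bytes.fromhex(addr)[::-1])
        rows.append((ip, int(port, 16), f[9]))
    return rows

def inode_owners(proc_root="/proc"):
    """Map socket inode -> set of PIDs holding an fd that points at it."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:          # process exited or fd directory not readable
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners.setdefault(m.group(1), set()).add(int(pid))
    return owners

def port_map(tcp_text, proc_root="/proc"):
    """Join the two views: [(ip, port, [pid, ...]), ...] for listening ports."""
    owners = inode_owners(proc_root)
    return [(ip, port, sorted(owners.get(inode, ())))
            for ip, port, inode in listening_sockets(tcp_text)]
```

On a live host, pass the contents of `/proc/net/tcp` to `port_map()` as root so every process's fd directory is readable. A listening port that comes back with an empty PID list has no owner visible from user space and is the entry to examine first.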