Re: We've been compromised, now what...
From: Jeff Cochran (jcochran@info.der-keiler.de) Date: 05/30/02
- Next message: Michael Rosenblum: "Changing local admin password in bulk"
- Previous message: Jeff Cochran: "Re: We've been compromised, now what..."
- In reply to: HC: "Re: We've been compromised, now what..."
- Next in thread: : "Re: We've been compromised, now what..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: jcochran at naplesgov dot com (Jeff Cochran) Date: Thu, 30 May 2002 14:24:04 GMT
>> There's been some good advice here, and there's a wealth of info from
>> SANS, Cert, and all the usual suspects, but the bottom line is that
>> you can't really know what's been done until you rebuild from scratch.
>This is complete bs. If you simply rebuild from scratch, what have you
>discovered? You could very well be putting the same holes right back
>into the system that you had to begin with.
Uhhh... Not what I was speaking to. The issue is you can't know what
has been done to your compromised system by another party, where
trojans, altered DLLs etc. could be in place and you'd have no way of
knowing since you didn't track any of this stuff beforehand.
>The system must be
>investigated to the extent possible (based on time, knowledge of the
>admin, available logs, etc.) and the means of access/compromise
>determined. Otherwise, you're putting a fresh system back on the net,
>just to be hacked.
Not exactly true. If I look at a system and find it was compromised
through a guess at a weak password, then force strong passwords but
don't close NetBIOS ports, I've solved the initial problem but haven't
created a solution to my security issues.
>> At the very least, monitor your firewall logs and use account auditing
>> to track everything going on. Lock down accounts and access at the
>> firewall until the users scream, then look at each complaint to see if
>> granting the access requested makes sense.
>Wow. Talk about a bad idea. Admins have been fired for this. I'm not
>saying to leave everything open, but a few minutes of rational thought
>will show that this doesn't make sense. If a user doesn't require
>dial-in access, don't give it to them. It's that easy. Don't cut off
>dial-in access for everyone and wait to hear who screams... you could
>very well cut off a salesman in a bind, just as he's about to close a major deal.
Hey, I didn't open all the ports in the first place, don't yell at me.
:) I also advocate a complete rebuild, not securing an already
compromised server.
Jeff