Security Basics mailing list archives
RE: New scanner?
From: "newsletters" <listserv () citadelconsulting net>
Date: Mon, 25 Nov 2002 11:41:52 -0500
HC, In addition to my assumptions, I told Jeremy to check the following to verify an instance of CODERED compromise: "You need to search the system for root.exe and delete it. In addition you need to check and reset the permissions for C:\inetpub\*. At a minimum change the scripts directory to read only. Do a search on bugtraq for codered II. That should give you a more detailed action plan." As you can see, this wasn't a knee-jerk reaction. I told Jeremy to check into some things and perform due diligence before a rebuild. If my assumptions are correct, and the system has been compromised, it would be much safer to disconnect the system and rebuild it than to clean it and risk a hidden backdoor. I understand this might not be feasible if the system is a critical resource. That's why I gave him so alternatives such as removing compromised files and checking/resetting permissions. CB -----Original Message----- From: H C [mailto:keydet89 () yahoo com] Sent: Monday, November 25, 2002 9:19 AM To: security-basics () securityfocus com Subject: RE: New scanner? A couple of things... First off, it's good that snort is running to catch these things. To CB... "My opinion would be to rebuild the box with all current patches and service packs." Why? Just b/c snort picked up the signatures, doesn't mean that the box was actually compromised...does it? After all, the snort signatures are specific enough to pick up the inbound signatures, but nothing from Jeremy shows what the response codes from IIS are...do they? Jeremy didn't mention anything about the server's responses, nor did he post the web logs. In fact, Jeremy never actually said which web server (if any) he's running! The assumption is that Jeremy is running IIS...and this may actually be the case. However, Jeremy's post has only the snort signature titles, and nothing else. What this shows is that there is still a propensity to make assumptions, not only regarding posts such as Jeremy's, but in incident response investigations, as well. __________________________________________________ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com
Current thread:
- RE: New scanner? H C (Nov 25)
- RE: New scanner? newsletters (Nov 25)
- RE: New scanner? H C (Nov 25)
- RE: New scanner? m0use (Nov 26)
- RE: New scanner? H C (Nov 25)
- RE: New scanner? newsletters (Nov 25)
- RE: New scanner? newsletters (Nov 25)
- RE: New scanner? newsletters (Nov 25)