Security Basics mailing list archives
Re: compromised network
From: "Greg" <pchandyman () ozemail com au>
Date: Thu, 8 Jan 2004 09:10:02 +1100
----- Original Message -----
From: "Ansgar -59cobalt- Wiechers" <bugtraq () planetcobalt net>
To: <security-basics () securityfocus com>
Sent: Saturday, January 03, 2004 5:08 PM
Subject: Re: compromised network

> On 2004-01-03 Greg wrote:
>> ----- Original Message -----
>> From: "Ansgar -59cobalt- Wiechers" <bugtraq () planetcobalt net>
>> Sent: Saturday, January 03, 2004 6:04 AM
>>
>> On 2004-01-02 Greg wrote:
>>> E.g., let's say all is quiet and OK and the crap started happening, at
>>> the local timezone of that machine, at 11PM. Let's FURTHER say that the
>>> business has a once a week full backup with hourly incrementals. What
>>> the heck is the matter with going back to that SAME day at 10PM's
>>> incremental and restoring from that image/incremental?
>>
>> How do you make sure the intruder did not modify anything not covered
>> by those backups (e.g. install some additional backdoors)?
>
> You conveniently edited that bit out. The answer was already there so
> I'll requote it for you:

s/conveniently/mistakenly/

> "Now, after reinstalling from image/incremental, I would, as some have
> said, get someone in who really knows what he/she is doing to A) Make
> the possibility of it happening ever again as close to zero as it can
> be; B) Get rid of whatever the weakness was that allowed this to happen."

Ah, I misread that. Of course nothing is wrong with rebuilding a system from images and restoring backups. The way I read it "rebuilding from scratch" also includes the option of using images. What you wrote did sound to me like you were going to just go back to the point before the compromisation, which would leave you with the problem I mentioned. Anyway: my bad.
No probs. I read "rebuilding from scratch", just FYI, as "format, install chosen OS, install chosen applications, set up networking requirements" etc ad infinitum as you would for a brand new network for a new company, for example.
>> The only reasonable thing to do in a situation like this is:
>> - find out how the intruder got in
>
> Yes.
>
>> - close the door the attacker had used
>
> Well look at XP for example. Let's say you have an XPSP1 installation
> and for whatever reason you like, you decide to format and reinstall XP
> *BUT* the CD you have is PRE SP1. You have formatted and reinstalled.
> You are now open to Nachi and Blaster to name 2. So in closing one
> hole, you have just opened 2 others.

Now you have conveniently ignored one of my points ;). Of course you don't connect the system back to the network (i.e. online) until you patched and configured it properly.
That wasn't my point, however. My point was merely to point out that rebuilding from format and reinstall (to clarify this point) in the instance I quoted actually opens at least TWO holes. In fact it may come to this one day - that the next Windows OS comes out and someone happily using XP DOES do a format and reinstall and DOESN'T think about Nachi and Blaster then WHAM. Not likely right now, admittedly! :)
Note: IIRC I would still be vulnerable to Nachi and Blaster even if I had installed SP1 (which can be done easily by building an installation CD with integrated SP).
Oh true. I was rather vague there, I see. I meant a "properly patched XPSP1 being formatted and XP pre SP1 reinstalled".
>> - restore backups where appropriate
>
> They are ALWAYS appropriate.

Restoring backups from timepoints after an intrusion may not always be appropriate, but restoring files that were checked and found not being modified by the intruder may be.
Yes, possible that they may not be appropriate. Too much depends on the company needs at that point. It is one reason why I am a little fussy about real time imaging and prefer an hourly incremental. What's the point of having redundancy click in when you take C drive offline to clear out an intrusion problem if the mirrored drive then takes over, intrusion problem and all? I am still not exactly happy.... too many people who KNOW what they are doing around who CAN catch me by surprise. I live by "I don't know it all" in the hopes I can learn more.
> If you are not using Image backups you are wasting a lot of time.

Not necessarily. There are more options than just installation CDs and images.
I wasn't referring to installation CDs. I was referring to imaged drives. E.g., I image all my drives (automatically, naturally) on all my computers, to other drives or partitions depending on the computer, here at home.

Do we all remember the MS XP Critical Update of March 28, 2001? I applied it and Stop Screened. I couldn't, at that time, figure out a way to fix it and I had no computer on this one I am using now so I just restored the last backup which didn't include that MS update and all was well again. Fortunately for me, it wasn't just MY problem and they did reissue that patch.

If my C drive burns out today, I put another in and restore from image backup. Say 40 minutes after starting the restore, at most, I am back on the air with some data loss as opposed to no image backups, taking hours to set things back up and with complete data loss. That's my idea of something that makes a positive difference.

Greg.
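The thread's open question is how to tell which files in a post-intrusion backup are safe to restore ("files that were checked and found not being modified by the intruder") and which were added or changed after the known-good image was taken. The script below is an added example, not code from either poster: it builds a SHA-256 manifest of a trusted image and of a later incremental, then classifies every file as unchanged, modified, added or missing, so the "added" and "modified" lists can be reviewed before anything is copied back. The directory layout and file contents in demo() are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file, read in chunks so large images do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (as a relative POSIX path) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def compare_snapshots(baseline, candidate):
    """Classify files in a candidate backup against a trusted baseline manifest.

    unchanged: identical hash in both, safe to restore as-is
    modified:  present in both but content differs, needs review
    added:     absent from the baseline (the 'not covered by backups' case), needs review
    missing:   in the baseline but gone from the candidate
    """
    unchanged, modified, added, missing = [], [], [], []
    for rel, digest in candidate.items():
        if rel not in baseline:
            added.append(rel)
        elif baseline[rel] != digest:
            modified.append(rel)
        else:
            unchanged.append(rel)
    for rel in baseline:
        if rel not in candidate:
            missing.append(rel)
    return {
        "unchanged": sorted(unchanged),
        "modified": sorted(modified),
        "added": sorted(added),
        "missing": sorted(missing),
    }


def demo():
    """Constructed sample: a known-good image next to an incremental taken later."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "image_good"        # hypothetical trusted image
        later = Path(tmp) / "incremental_2200"  # hypothetical 10PM incremental
        for d in (good, later):
            (d / "etc").mkdir(parents=True)
            (d / "data").mkdir()
        (good / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (good / "etc" / "old.conf").write_text("x=1\n")
        (good / "data" / "orders.csv").write_text("1,widget\n")
        # Same hosts file: safe to restore.
        (later / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        # Business data grew: modified, so it must be reviewed before restoring.
        (later / "data" / "orders.csv").write_text("1,widget\n2,gadget\n")
        # A file the baseline never had: flagged as added for review.
        (later / "etc" / "extra.cfg").write_text("placeholder\n")
        return compare_snapshots(build_manifest(good), build_manifest(later))


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category}: {files}")
```

In practice the baseline manifest would be generated from the last image you trust and stored off the affected machine; anything in "added" or "modified" is then restored only after someone has looked at it, while "unchanged" files can go back without further review.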