Security Basics mailing list archives
Re: compromised network
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Fri, 2 Jan 2004 20:04:38 +0100
On 2004-01-02 Greg wrote:
> E.g., let's say all is quiet and OK and the crap started happening, at the local timezone of that machine, at 11PM. Let's FURTHER say that the business has a once a week full backup with hourly incrementals. What the heck is the matter with going back to that SAME day at 10PM's incremental and restoring from that image/incremental?
How do you make sure the intruder did not modify anything not covered by those backups (e.g. install some additional backdoors)? The only reasonable thing to do in a situation like this is:

- find out how the intruder got in
- rebuild the system from scratch
- close the door the attacker had used
- restore backups where appropriate
- then put the system(s) back online
> Reformat and install from scratch? That is more or less, to me personally, like "My car is out of fuel! I better buy a new car!".
Wrong.

Regards
Ansgar Wiechers
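The point Ansgar makes about backups only covering what the backup job was told to cover can be made concrete with a small file-integrity comparison. The following is an added example, not code from this thread or from either participant: it hashes a last-known-good snapshot and the live (compromised) tree, classifies every difference, and then splits the changes into those a restore of the backup set would actually revert and those it would silently leave in place. The directory names, file contents, and the backup policy (only `etc` and `home` are backed up) are all constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Classify every path as added, removed or modified between two manifests."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def restore_coverage(diff, backup_scope):
    """Split changed paths into those a restore of the backup set would revert
    and those it would not touch.

    backup_scope: top-level directories (relative, e.g. 'etc', 'home') the backup job covers.
    """
    prefixes = tuple(s.strip("/") + "/" for s in backup_scope)
    covered, uncovered = [], []
    for kind in ("added", "removed", "modified"):
        for path in diff[kind]:
            (covered if path.startswith(prefixes) else uncovered).append((kind, path))
    return {"reverted_by_restore": covered, "not_reverted": uncovered}


def write_tree(root, files):
    """Create the constructed sample files under root."""
    for rel, content in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def demo():
    """Constructed scenario: the 10 PM snapshot versus the host after the 11 PM incident."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "snapshot_22h"  # last known-good backup image (constructed)
        live = Path(tmp) / "live_23h"      # the compromised system (constructed)
        write_tree(good, {
            "etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
            "home/greg/report.txt": b"quarterly numbers\n",
            "usr/sbin/sshd": b"ELF sshd v1\n",
        })
        write_tree(live, {
            # an extra uid-0 account was appended: inside the backup scope, so a restore fixes it
            "etc/passwd": b"root:x:0:0::/root:/bin/sh\nsvc:x:0:0::/:/bin/sh\n",
            "home/greg/report.txt": b"quarterly numbers\n",
            # the daemon binary was replaced: outside the backup scope, so a restore keeps it
            "usr/sbin/sshd": b"ELF sshd v1 (replaced)\n",
            # a new file in a path the backup job never sees
            "opt/.cache/updater": b"#!/bin/sh\n# persistence placeholder (constructed)\n",
        })
        diff = diff_manifests(build_manifest(good), build_manifest(live))
        # Constructed backup policy: only /etc and /home are in the backup set.
        return restore_coverage(diff, backup_scope=["etc", "home"])


if __name__ == "__main__":
    for bucket, entries in demo().items():
        print(bucket)
        for kind, path in entries:
            print(f"  {kind:9} {path}")
```

Running it shows one change that restoring the 10 PM incremental would undo (the altered `etc/passwd`) and two it would not (the replaced `usr/sbin/sshd` and the new file under `opt`), which is exactly why a restore alone cannot demonstrate that a host is clean; only a rebuild, followed by restoring data from backups where appropriate, can.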