Security Basics mailing list archives
Re: compromised network
From: "Greg" <pchandyman () ozemail com au>
Date: Sat, 3 Jan 2004 10:40:46 +1100
----- Original Message -----
From: "Ansgar -59cobalt- Wiechers" <bugtraq () planetcobalt net>
To: <security-basics () securityfocus com>
Sent: Saturday, January 03, 2004 6:04 AM
Subject: Re: compromised network

> On 2004-01-02 Greg wrote:
>> Eg, let's say all is quiet and OK and the crap started happening, at the local timezone of that machine, at 11PM. Let's FURTHER say that the business has a once a week full backup with hourly incrementals. What the heck is the matter with going back to that SAME day at 10PM's incremental and restoring from that image/incremental?
>
> How do you make sure the intruder did not modify anything not covered by those backups (e.g. install some additional backdoors)?
You conveniently edited that bit out. The answer was already there so I'll requote it for you: "Now, after reinstalling from image/incremental, I would, as some have said, get someone in who really knows what he/she is doing to A) Make the possibility of it happening ever again as close to zero as it can be; B) Get rid of whatever the weakness was that allowed this to happen."
> The only reasonable thing to do in a situation like this is:
> - find out how the intruder got in
Yes.
> - rebuild the system from scratch
Very BAD and WASTEFUL idea.
> - close the door the attacker had used
Well look at XP for example. Let's say you have an XPSP1 installation and for whatever reason you like, you decide to format and reinstall XP *BUT* the CD you have is PRE SP1. You have formatted and reinstalled. You are now open to Nachi and Blaster to name 2. So in closing one hole, you have just opened 2 others.
> - restore backups where appropriate
They are ALWAYS appropriate. If you are not using Image backups you are wasting a lot of time.
> - then put the system(s) back online
>
>> Reformat and install from scratch? That is more or less, to me personally, like "My car is out of fuel! I better buy a new car!".
>
> Wrong.

Nope. In fact your idea is time wasteful, money wasteful and opens new holes that were patched before. You are wrong without a doubt! My way, you have restored to before the event occurred and you have called someone in who KNOWS what they are doing to find and patch the hole. Less time and money wasted.

Greg.
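As an added example that is not part of this thread and not either poster's code: a small Python script that performs the check Ansgar's question above asks for, comparing a hash manifest captured before the incident against the file tree that the restore actually produced. Files present only in the restored tree, files the restore failed to bring back, and files whose contents differ from the baseline are reported separately, which is the information needed to decide whether the 10PM incremental really put the host back into a known state. Everything in it is constructed for the demo (the two directory trees, their file names and contents, and the `demo` helper); it assumes a baseline manifest exists from before the incident and that the restored tree can be mounted read-only for hashing.

```python
"""Compare a restored file tree against a pre-incident baseline manifest.

Added example, not from the mailing-list thread. All paths and file
contents below are constructed for illustration.
"""
import hashlib
import os
import tempfile
from typing import Dict, List

Manifest = Dict[str, str]  # relative path -> SHA-256 hex digest of contents


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> Manifest:
    """Hash every regular file under root, keyed by path relative to root.

    Symlinks are skipped deliberately: following them would hash the link
    target and could wander outside the tree being baselined.
    """
    manifest: Manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def diff_manifests(baseline: Manifest, restored: Manifest) -> Dict[str, List[str]]:
    """Sort files into added / removed / modified relative to the baseline."""
    added = sorted(set(restored) - set(baseline))
    removed = sorted(set(baseline) - set(restored))
    modified = sorted(
        p for p in baseline if p in restored and restored[p] != baseline[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def write_tree(root: str, files: Dict[str, bytes]) -> None:
    """Materialise a mapping of relative path -> bytes under root (demo data)."""
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


# Constructed sample trees, not taken from any real host.
BASELINE_FILES = {
    "bin/login": b"login binary, release build\n",
    "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    "var/log/auth.log": b"Jan 02 21:55:01 host sshd[411]: session opened for user admin\n",
}
RESTORED_FILES = {
    # same path, but the bytes no longer match the baseline
    "bin/login": b"login binary, release build\nextra bytes appended after restore\n",
    "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    # a file the baseline never had; the backup cannot have put it there
    "etc/cron.d/unexpected-job": b"*/5 * * * * root /opt/example/job\n",
    # var/log/auth.log is absent: the restore did not bring it back
}


def demo() -> Dict[str, List[str]]:
    """Build both constructed trees on disk and diff their manifests."""
    with tempfile.TemporaryDirectory() as baseline_root, tempfile.TemporaryDirectory() as restored_root:
        write_tree(baseline_root, BASELINE_FILES)
        write_tree(restored_root, RESTORED_FILES)
        return diff_manifests(build_manifest(baseline_root), build_manifest(restored_root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline manifest is generated from the last known-good image and stored off the host, and the restored tree is hashed before it is put back online; anything in the "added" or "modified" lists then has to be explained by the incremental itself, or it is evidence that the restore did not return the system to its pre-incident state.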