Security Basics mailing list archives
Re: compromised network - backups
From: Alvin Oga <alvin.sec () Virtual Linux-Consulting com>
Date: Sat, 3 Jan 2004 11:34:11 -0800 (PST)
hi ya greg
> The only way to be 100% is to completely start from scratch again. You know, I have read this reply from many people, over and over again and without going to the trouble of finding the original message again, all I can say is - whatever happened to the idea of image backups with incrementals? Eg, let's say all is quiet and OK and the crap started happening, at the local timezone of that machine, at 11PM. Let's FURTHER say that the business has a once a week full backup with hourly incrementals. What the heck is the matter with going back to that SAME day at 10PM's incremental and restoring

usually the story goes like:
- the last time we did backups was a month ago or 3 months ago ..
- the "cracker" was noticed yesterday ( so they don't have backups )

usually, by the time they notice a cracker, it's not uncommon to dig around and find that the cracker has been a sleeper in their system for 2-3 months, randomly picking up passwds, emails, using dumb services ( mail, ftp, telnet, wget, etc ) which is how they started to show up more frequently

if backups were not done properly, most people are afraid to have their disk erased ... so we have to step around their data to see if we can find the cracker's back doors and other secret files they installed
- worst case is the crackers that make their own fs inside the unused disk space of used inodes ( if you have a file of 10 bytes, the remaining 500 bytes is used by the cracker for their own hidden trojans and back doors )

> Now, after reinstalling from image/incremental, I would, as some have said, get someone in who really knows what he/she is doing to A) Make the possibility of it happening ever again as close to zero as it can be; B) Get rid of whatever the weakness was that allowed this to happen.

usually that is a simple process...
- disallow ftp ----- use sftp instead
- disallow telnet --- use ssh instead
- disallow dhcp ..... use static ip# ... and proper masks
- disallow pop3/imap. use secure pop3, secure imap
- disallow wireless .. put that outside the firewall
- disallow world wide logins from anywhere in the world
- disallow same login name for email, ssh, vpn, pop3, ...
- disallow common passwds ... even if they have to write it on paper under their keyboard - if the cracker is in the bldg, which they usually are anyway
- disallow insecure laptops ... those that go traveling to other corps and hotels and internet cafes
- disallow insecure home networks from connecting to corporate data - how many people really do work at home ... that is worth risking the loss of sensitive corp data at work and/or shutting the entire company down for 2-3 days at a time after a security breach ... know several companies that it has happened to - they do NOT allow home networks or laptops anymore ...
- worry about 80% of attacks coming from your sysadmin and unauthorized users trying to sneak around security policy
- and on and on ... hundreds more rules that are even MORE restrictive in order to keep the company running ...

> Reformat and install from scratch? That is more or less, to me personally, like "My car is out of fuel! I better buy a new car!".

yes....
check the gas ............   --> turning a blind eye is NOT good
get insurance policy .....   --> backups and security policy
i got a flat tire ........   --> keep hot swap spare machines
add all the bells-n-whistles --> add all the security patches
if you're in an accident ----> you've been compromised - find out what happened by police, professional mechanics, etc ..

good analogy ... think i'll use it in my "you (client) should do this and that" speech too

have fun
alvin
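Greg's weekly-full-plus-hourly-incrementals scenario and Alvin's "sleeper for 2-3 months" caveat both come down to one question: which restore point predates the intrusion, and which backup files have to be replayed to reach it? The script below is an added example, not code from either poster or from the Security Basics list. It assumes a constructed schedule (full backup every Sunday at 00:00, incrementals every other hour, two weeks of retention) and treats a backup as a timestamp plus a kind; the names `Backup`, `restore_chain` and `pick_restore_point` are the example's own.

```python
"""Choose a clean restore point from a full + incremental backup schedule.

Restore semantics assumed here (stated as an assumption, not a claim about
any particular backup product): state at time T = latest full backup taken
at or before T, followed by every incremental taken after that full and at
or before T, replayed in chronological order.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Backup:
    taken_at: datetime
    kind: str  # "full" or "incremental"


def make_schedule(start: datetime, days: int) -> List[Backup]:
    """Constructed sample schedule: a full on Sunday 00:00, hourly
    incrementals otherwise (weekday() == 6 is Sunday)."""
    sched = []
    for h in range(days * 24):
        t = start + timedelta(hours=h)
        kind = "full" if (t.weekday() == 6 and t.hour == 0) else "incremental"
        sched.append(Backup(t, kind))
    return sched


def restore_chain(backups: List[Backup], restore_to: datetime) -> Optional[List[Backup]]:
    """Backups to replay, oldest first, to rebuild the state as of restore_to.
    Returns None when no full backup exists at or before restore_to, because
    incrementals alone cannot be applied to anything."""
    fulls = [b for b in backups if b.kind == "full" and b.taken_at <= restore_to]
    if not fulls:
        return None
    base = max(fulls, key=lambda b: b.taken_at)
    incs = sorted(
        (b for b in backups
         if b.kind == "incremental" and base.taken_at < b.taken_at <= restore_to),
        key=lambda b: b.taken_at,
    )
    return [base] + incs


def pick_restore_point(
    backups: List[Backup],
    first_suspect_activity: datetime,
    safety_margin: timedelta = timedelta(hours=1),
) -> Optional[List[Backup]]:
    """Latest restore target that predates the earliest suspected intrusion
    activity by at least safety_margin. Returns None when every retained
    backup was taken after that cutoff: the 'sleeper' case, where the
    intrusion is older than the backup history and no backup can be
    trusted as clean."""
    cutoff = first_suspect_activity - safety_margin
    candidates = [b for b in backups if b.taken_at <= cutoff]
    if not candidates:
        return None
    target = max(candidates, key=lambda b: b.taken_at).taken_at
    return restore_chain(backups, target)


# Constructed schedule: 14 days starting Sunday 2004-01-04 00:00.
SCHEDULE = make_schedule(datetime(2004, 1, 4), days=14)

if __name__ == "__main__":
    # Greg's case: trouble starts Wednesday 23:00; roll back to the 22:00 incremental.
    chain = pick_restore_point(SCHEDULE, datetime(2004, 1, 7, 23))
    print("replay", len(chain), "backups, from", chain[0].taken_at, "to", chain[-1].taken_at)
    # Alvin's case: evidence of activity older than the retained history.
    print("sleeper case ->", pick_restore_point(SCHEDULE, datetime(2004, 1, 2, 12)))
```

The `safety_margin` parameter exists because the "first suspect activity" timestamp usually comes from a log entry, and the earliest visible event is rarely the actual entry point; widening the margin trades a little lost data for a lower chance of restoring the intruder's foothold along with the data.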