Security Incidents mailing list archives
Re: backdoor
From: Jonas M Luster <jluster () d-fensive com>
Date: Mon, 24 Jun 2002 12:45:39 -0700
Quoting Don Weber (Don () AirLink com):
> A compromised machine CAN, and usually is designed to, compromise or be used to compromise other machines. Leaving YOUR machine active and on the internet is allowing your system to attempt to compromise MY system. You call that over-reacting professional; I call it being considerate. A house

To simply destroy all evidence is not considerate. It is a great disservice to all those machines that have been compromised through the compromised system. Such a machine usually carries enough information to determine the machines that have been attacked from the system, and it reveals an awful lot about the intruder. That is why I stress the need to prohibit malicious activities at the router or switch level as soon as the incident is discovered, that is, doing the right things in access lists and blocks to make sure the system will still function but cannot be used against third parties anymore.

> being broken into is broken into; then the burglar leaves and goes elsewhere the next night. Unless of course your house gets broken into and the burglar uses your house as a staging ground to break into other houses in the area, then maybe the analogy might work. In that case, YES, level the house, build a new one, and don't forget to upgrade that alarm system.

In my analogy the house is used to snipe the neighbors' dogs from the rooftop. To simply level that house means not determining how he got in in the first place and therefore risking having the same hole again. And just like burglars, our attackers are persistent. If you simply rebuild the system, they will come again. Since you did not determine how they got in, chances are they will again. And you could not inform your neighbors about that weak lock, either, so they might also use their houses. I hate analogies, I should not have started one in the first place. I apologize.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
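The containment Jonas describes, blocking the compromised host at the router or switch so it keeps running but can no longer reach third parties, and pulling the list of victims off the box before anything is wiped, can be scripted. The following is an added example and not code from the thread or from any of its participants. It parses a constructed `netstat -an` listing as it might be captured on the compromised host, lists the third parties the box has been connecting out to, flags listeners that do not belong to its known services, and renders two Cisco IOS extended access lists (standard IOS syntax, assumed to be applied on the switch or router port facing the box). The addresses `192.0.2.10` (compromised host), `192.0.2.250` (analyst workstation), the port list and the ACL names are assumptions made for the example.

```python
#!/usr/bin/env python3
"""Contain a compromised host at the network edge instead of powering it off.

Added example, not code from the original mailing-list thread.  Addresses
(RFC 5737 documentation ranges), ports and ACL names are assumptions.
"""
import re
from typing import List, Set, Tuple

COMPROMISED = "192.0.2.10"     # assumed: the box that was broken into
ANALYST = "192.0.2.250"        # assumed: workstation doing the forensic work
KNOWN_SERVICES = {22, 80}      # assumed: ports the box is supposed to listen on
PUBLIC_SERVICE = 80            # assumed: the one service third parties may still reach

# Constructed sample of what ``netstat -an`` might show on the compromised host.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:22           192.0.2.250:55010       ESTABLISHED
tcp        0      0 192.0.2.10:40012        203.0.113.5:22          SYN_SENT
tcp        0      0 192.0.2.10:40013        203.0.113.9:22          ESTABLISHED
tcp        0      0 192.0.2.10:40020        198.51.100.40:6667      ESTABLISHED
tcp        0      0 192.0.2.10:40021        203.0.113.9:22          TIME_WAIT
"""

# proto, recv-q, send-q, local addr:port, foreign addr:port, optional state
_LINE = re.compile(r"^(tcp|udp)\s+\d+\s+\d+\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S*)$")

Row = Tuple[str, str, int, str, int, str]


def parse_netstat(text: str) -> List[Row]:
    """Return (proto, laddr, lport, faddr, fport, state) for every socket line."""
    rows: List[Row] = []
    for line in text.splitlines():
        m = _LINE.match(line.rstrip())
        if not m:
            continue  # headers, unix sockets, anything we do not understand
        proto, laddr, lport, faddr, fport, state = m.groups()
        rows.append((proto, laddr, 0 if lport == "*" else int(lport),
                     faddr, 0 if fport == "*" else int(fport), state))
    return rows


def listening_ports(rows: List[Row]) -> Set[int]:
    return {r[2] for r in rows if r[5] == "LISTEN"}


def rogue_listeners(text: str) -> List[int]:
    """Listening ports outside the known services: each one is a backdoor candidate."""
    return sorted(listening_ports(parse_netstat(text)) - KNOWN_SERVICES)


def outbound_targets(text: str) -> List[Tuple[str, int]]:
    """Third-party endpoints the box itself connected to (the neighbours to warn).

    A socket counts as host-initiated when its local port is not one the box
    listens on; sessions with the analyst workstation are left out.
    """
    rows = parse_netstat(text)
    listen = listening_ports(rows)
    targets = {(faddr, fport) for _, _, lport, faddr, fport, state in rows
               if state != "LISTEN" and faddr != ANALYST and lport not in listen}
    return sorted(targets)


def containment_acls(targets: List[Tuple[str, int]]) -> str:
    """Render IOS extended ACLs for the interface facing the compromised box.

    CONTAIN-FROM is meant for ``ip access-group CONTAIN-FROM in`` on that
    interface (packets the box sends), CONTAIN-TO for ``... out`` (packets
    sent to it).  The analyst keeps full access and the public service keeps
    answering; everything else the box originates is logged, so the router
    keeps collecting evidence, and dropped.  Per-victim entries come first so
    ``show access-lists`` yields a hit count per target the intruder retries.
    """
    h, a, p = COMPROMISED, ANALYST, PUBLIC_SERVICE
    out = ["ip access-list extended CONTAIN-FROM",
           f" permit ip host {h} host {a}",
           f" permit tcp host {h} eq {p} any established"]
    for faddr, fport in targets:
        out.append(f" remark observed victim {faddr}:{fport} - notify its owner")
        out.append(f" deny tcp host {h} host {faddr} eq {fport} log")
    out += [f" deny ip host {h} any log",
            " permit ip any any",           # other hosts on the segment are unaffected
            "!",
            "ip access-list extended CONTAIN-TO",
            f" permit ip host {a} host {h}",
            f" permit tcp any host {h} eq {p}",
            f" deny ip any host {h} log",
            " permit ip any any"]
    return "\n".join(out)


if __name__ == "__main__":
    victims = outbound_targets(NETSTAT_SAMPLE)
    print("unexpected listeners:", rogue_listeners(NETSTAT_SAMPLE))
    print("third parties contacted:", victims)
    print(containment_acls(victims))
```

Two caveats a practitioner should keep in mind: the IOS `established` keyword only checks that the ACK or RST flag is set, so a crafted packet with source port 80 and ACK set still passes CONTAIN-FROM; if the platform supports reflexive ACLs or a stateful firewall feature, use those for the public service instead. And a `netstat` binary on a rooted box may itself have been replaced to hide the intruder's sockets, so the listing should come from a known-good static binary or from a capture taken at the switch, never be trusted blindly.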
Current thread:
- backdoor Fabio Miranda (Jun 22)
- Re: backdoor steveg (Jun 23)
- Re: backdoor Ken Fischer (Jun 25)
- Re: backdoor Hugo van der Kooij (Jun 23)
- Re: backdoor Jonas M Luster (Jun 23)
- Re: backdoor Kyle R. Hofmann (Jun 24)
- Message not available
- Re: backdoor Jonas M Luster (Jun 24)
- Re: backdoor Hugo van der Kooij (Jun 26)
- Re: backdoor Greg A. Woods (Jun 26)
- Re: backdoor Jonas M Luster (Jun 23)
- Message not available
- Re: [incidents] Re: backdoor Jonas M Luster (Jun 25)
- RE: [incidents] Re: backdoor Don Weber (Jun 26)
- Re: backdoor steveg (Jun 23)
- Re: backdoor Eric Rostetter (Jun 26)
- <Possible follow-ups>
- RE: backdoor Rob Keown (Jun 23)
- Re: backdoor Christopher L Calvert (Jun 25)
- Re: backdoor Valdis . Kletnieks (Jun 26)
- RE: backdoor Liam Grant (Jun 26)