Security Incidents mailing list archives

Re: backdoor


From: Hugo van der Kooij <hvdkooij () vanderkooij org>
Date: Tue, 25 Jun 2002 07:22:54 +0200 (CEST)

On Mon, 24 Jun 2002, Jonas M Luster wrote:

> Quoting Don Weber (Don () AirLink com):
> 
> > A compromised machine CAN, and is usually designed to, compromise or be used
> > to compromise other machines. Leaving YOUR machine active and on the
> > Internet is allowing your system to attempt to compromise MY system. You
> > call that over-reacting; I call it being considerate. A house
> 
> To simply destroy all evidence is not considerate. It is a great
> disservice to all those machines that have been compromised through
> the compromised system. Such a machine usually carries enough
> information to determine the machines that have been attacked from the
> system and reveals an awful lot about the intruder.
> 
> That is why I stress the need to prohibit malicious activities on
> router or switch level as soon as the incident is discovered, that is
> doing the right things in access-lists and blocks to make sure the
> system will still function but can not be used against third parties
> anymore.

This all assumes you have the luxury of time, money and skills to dig into
the incident.

Your average customer does not have the luxury of time and is not willing
to spend the money on the required skills. They want an operational system
again and without the backdoors, etc.

So while the concept is nice if you are in an academic environment, it is
unfeasible in the real corporate world.

The most they want you to pay for is to put in another system as fast as you
can without the gaps that were open last time. (They probably will still
not care to stop ALL possible gaps.)

So hence the S.O.P. that will be used most of the time, as it is the most
cost-effective way in the short run.

If you are skilled enough and are allowed time to go beyond that, then
there is no need for an S.O.P., as you will have to handle each case
individually.

Hugo.

-- 
All email sent to me is bound to the rules described on my homepage.
    hvdkooij () vanderkooij org         http://hvdkooij.xs4all.nl/
            Don't meddle in the affairs of sysadmins,
            for they are subtle and quick to anger.
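The containment Jonas describes in the quoted message (block the compromised system at router or switch level so it stays up for evidence collection but cannot reach third parties) can be expressed as gateway filter rules. The script below is an added example written for this archive page; it is not from Jonas, Hugo or the list, and it targets a Linux gateway that forwards the host's traffic using iptables rather than the router access-lists he mentions. All addresses (192.0.2.10 as the compromised host, 192.0.2.250 as the syslog collector) are constructed placeholders. It only prints the rules; nothing is applied unless the output is deliberately piped into a shell on the gateway.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Generates iptables FORWARD rules on a gateway that isolate a compromised
# host: existing inbound sessions keep working (the box "still functions"),
# logs can still reach the collector, and every NEW outbound connection the
# host tries to open is logged and dropped, so it cannot attack third parties.
# Addresses are constructed placeholders for the example.

# Accept only a well-formed dotted-quad IPv4 address, so a typo or a stray
# shell metacharacter never ends up inside a generated rule.
is_ipv4() {
  ip="$1"
  case "$ip" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  oldifs="$IFS"; IFS=.
  set -- $ip
  IFS="$oldifs"
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print the containment rules for one host. Arguments:
#   $1 compromised host, $2 syslog collector the host may still talk to.
# Rules go into a dedicated CONTAIN chain so they can be removed cleanly
# once the responder has finished with the machine.
containment_rules() {
  host="$1"; collector="$2"
  is_ipv4 "$host" || { echo "bad host address: $host" >&2; return 1; }
  is_ipv4 "$collector" || { echo "bad collector address: $collector" >&2; return 1; }
  cat <<EOF
iptables -N CONTAIN 2>/dev/null || iptables -F CONTAIN
iptables -A CONTAIN -s $host -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A CONTAIN -s $host -d $collector -p udp --dport 514 -j ACCEPT
iptables -A CONTAIN -s $host -m conntrack --ctstate NEW -m limit --limit 10/min -j LOG --log-prefix "CONTAIN-NEW: "
iptables -A CONTAIN -s $host -j DROP
iptables -I FORWARD 1 -s $host -j CONTAIN
EOF
}

# Rules that undo the containment once the evidence has been collected.
release_rules() {
  host="$1"
  is_ipv4 "$host" || { echo "bad host address: $host" >&2; return 1; }
  cat <<EOF
iptables -D FORWARD -s $host -j CONTAIN
iptables -F CONTAIN
iptables -X CONTAIN
EOF
}

# Stand-alone use: COMPROMISED_HOST=192.0.2.10 sh contain.sh > rules.sh
if [ -n "${COMPROMISED_HOST:-}" ]; then
  containment_rules "$COMPROMISED_HOST" "${LOG_COLLECTOR:-192.0.2.250}"
fi
```

Review the printed rules before running them on the gateway; the chain only filters traffic the gateway forwards, so connections the host opens to the gateway itself, or to peers on its own segment, need a rule on the switch or the host side, which is exactly the case Jonas raises for switch-level blocks.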


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

