nanog mailing list archives
RE: Security Guideance
From: "Joe" <jbfixurpc () gmail com>
Date: Tue, 23 Feb 2010 17:47:00 -0500
Just figured I might add a little direction to this.

1. If it's a production system that impacts several users/customers, your best bet would be to rebuild the system from scratch, not from an image. Yes, it takes time, but investigating it will likely take longer. As you previously mentioned, the folk(s) that were in charge of the system are no longer in that capacity, which (depending on their "craftiness") could have left an intentional (or not) exploit now plaguing you.

2. If you're intent on finding a root cause, you will probably need to spend quite a bit of time and caution investigating the said system. As soon as there's mention of a "rootkit", everything is suspect, i.e. ls might not be ls, df may not be df. Might be worth adding the volume to a known good system, mounting it and comparing the image/structure and said files. But of course, as I mentioned above, if it's a critical system then you're kind of stuck with an aggressive time line so...

Obviously an IDP will mask the issue, but won't fix it.

Good luck
-Joe Blanchard
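The "mount it on a known good system and compare" step above, as an added example that is not part of the original post: from the clean host, hash the binaries on the mounted suspect volume and diff them against the same paths on a known-good reference install, so no tool on the suspect disk is trusted. The directory list and the two mini-volumes built in `demo()` are constructed sample data, not real images.

```python
import hashlib
import tempfile
from pathlib import Path

# Directories a rootkit commonly tampers with (assumed list; adjust per distribution).
BIN_DIRS = ("bin", "sbin", "usr/bin", "usr/sbin")


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path, subdirs=BIN_DIRS) -> dict:
    """Map relative path -> sha256 for every regular file under root/<subdir>."""
    digests = {}
    for sub in subdirs:
        base = root / sub
        if not base.is_dir():
            continue
        for p in base.rglob("*"):
            if p.is_file() and not p.is_symlink():
                digests[p.relative_to(root).as_posix()] = sha256_of(p)
    return digests


def compare_volumes(good_root, suspect_root) -> dict:
    """Diff a known-good install against the suspect volume (mount it read-only, noexec).

    Returns paths whose content differs, paths missing from the suspect, and files the
    suspect carries that the reference does not; each category deserves a manual look.
    """
    good = hash_tree(Path(good_root))
    bad = hash_tree(Path(suspect_root))
    return {
        "modified": sorted(k for k in good if k in bad and good[k] != bad[k]),
        "missing": sorted(k for k in good if k not in bad),
        "extra": sorted(k for k in bad if k not in good),
    }


def demo() -> dict:
    """Build two constructed mini-volumes and diff them (sample data, not a real disk)."""
    with tempfile.TemporaryDirectory() as tmp:
        good, sus = Path(tmp) / "known_good", Path(tmp) / "suspect_mount"
        for root in (good, sus):
            (root / "bin").mkdir(parents=True)
            (root / "bin" / "df").write_bytes(b"#!/bin/sh\necho df\n")  # identical on both
        (good / "bin" / "ls").write_bytes(b"#!/bin/sh\necho ls\n")
        (sus / "bin" / "ls").write_bytes(b"#!/bin/sh\necho not-ls\n")  # constructed: differs
        (sus / "bin" / "extra_tool").write_bytes(b"junk")  # constructed: only on suspect
        return compare_volumes(good, sus)
```

In practice the reference hashes come from a fresh install of the same package versions (or the distribution's package database), and every "modified" or "extra" hit is the starting point for the root-cause work Joe describes.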