Full Disclosure mailing list archives

Re: I Got Hacked. Now What Do I Do?


From: "Dave Howe" <DaveHowe () cmn sharp-uk co uk>
Date: Wed, 19 May 2004 14:15:02 +0100

Troels Bay wrote:
> Now one can't trust somewhat 50% of all Microsoft Computers.

you trusted that many before? :)

Honestly though, it isn't a total write-off.

Your data may well have been compromised - so you need to run a validation
exercise after copying to a clean system but before even starting a
webserver (or anything that could execute binaries in your dataset) -

* Validate and sanity check database-data - particularly any user/access
lists, and change passwords on any admin accounts.

* Validate and sanity check static html pages

* Recompile or upload from trusted sources any binaries - they can't be
trusted - and validate / sanity check any scripts

* Ideally, if you have a DEV system that wasn't compromised (many
organizations do) upload known-clean copies - just be sure you didn't
backport any scripts or html pages from the "live" server, nonsensical
though that might sound.

I am not going to say getting back to a 100% trustworthy system is going
to be possible in the short term, but you should be able to have 99%
confidence in your datasets and site pages within a week. It isn't going to
be cheap (in man hours, but that translates to money in various ways)
either.

For the future, consider a bit of diversity and a decent (DMZing)
firewall; if your boxes don't *have* exposed ports other than 80, they can
only be compromised by an attack on that port, not (say) 445.

Diversity doesn't mean dumping Windows if you are wed to the platform (i.e.,
have an existing large investment in it) - but consider Apache and PHP
rather than IIS and VBScript; they run just fine on Windows, will scale
with the company (so you can upgrade to non-Windows hardware in the future
if you need to) and are more common than IIS anyhow.

A decent firewall doesn't have to be expensive - for entry level, you can
use a legacy PC with three network cards (inside, outside, DMZ) and a
floppy (no hard) drive, then boot the fw with a LEAF linux such as
Bering - from write protected floppy disks (and get VPN support and a DNS
server thrown in for free :)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
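The validation exercise above (compare the recovered data against a known-clean DEV copy, and treat any added or changed binaries and scripts as untrusted) as an added example; this is not code from the post or the list, and the directory layout, file names and executable-suffix list are constructed for the demonstration:

```python
import hashlib
import tempfile
from pathlib import Path

# Suffixes a web server or the OS may execute. Constructed list for this
# example; extend it to match the stack of the server being rebuilt.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".asp", ".php", ".pl", ".cgi", ".vbs", ".bat"}


def hash_tree(root):
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_trees(clean_root, recovered_root):
    """Diff a known-clean (e.g. DEV) tree against data copied off the hacked box.

    Anything added or modified cannot be trusted. Added or modified files with an
    executable suffix are listed separately: those get recompiled or re-uploaded
    from a trusted source rather than inspected and kept."""
    clean, recovered = hash_tree(clean_root), hash_tree(recovered_root)
    added = sorted(set(recovered) - set(clean))
    removed = sorted(set(clean) - set(recovered))
    modified = sorted(p for p in clean.keys() & recovered.keys() if clean[p] != recovered[p])
    suspect = [p for p in added + modified if Path(p).suffix.lower() in EXECUTABLE_SUFFIXES]
    return {"added": added, "removed": removed, "modified": modified,
            "suspect_executables": sorted(suspect)}


def demo():
    """Constructed sample: a clean DEV copy versus a tampered copy from the live server."""
    work = Path(tempfile.mkdtemp())
    clean, live = work / "dev", work / "live"
    for base in (clean, live):
        (base / "cgi-bin").mkdir(parents=True)
        (base / "index.html").write_text("<html><body>Welcome</body></html>")
        (base / "cgi-bin" / "search.pl").write_text("#!/usr/bin/perl\nprint 'ok';\n")
    # Tampering in the recovered copy (constructed): defaced page, altered script, extra file.
    (live / "index.html").write_text("<html><body>Welcome<!-- defaced --></body></html>")
    (live / "cgi-bin" / "search.pl").write_text("#!/usr/bin/perl\nprint 'changed';\n")
    (live / "cgi-bin" / "dropped.php").write_text("<?php echo 'placeholder'; ?>")
    return compare_trees(clean, live)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

Run it against the real trees (clean DEV export versus the copy taken off the compromised host) by calling compare_trees with the two directories; the "suspect_executables" list is the set that must come from trusted sources, and the html/data in "modified" is what needs the manual sanity check.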