Security Incidents mailing list archives

Re: How to obtain a complete list of CR2 compromised hosts


From: Joe Shaw <jshaw () insync net>
Date: Mon, 6 Aug 2001 01:51:27 -0500 (CDT)

On Sun, 5 Aug 2001 aleph1 () securityfocus com wrote:

Abstract

   infected attacking IIS web servers to learn of new infected hosts. The
   strong recommendation from this report is that as part of any CodeRed
   II recovery effort, the system web logs should immediately be
   destroyed, and Intrusion Detection Systems should be checking for and
   tracing recursive attempts to access web logs through the backdoor.

<soapbox>
It is reckless and dangerous to suggest that the first step of recovery
from any type of security compromise is to delete relevant information,
especially system or application logs without first examining them.
Furthermore, in a forensic investigation, which is not necessarily
applicable to this specific type of compromise, altering original copy
binary data in any way would immediately disqualify any information gained
from that data from being admissible in a court of law.  This point is
especially important for those who are ignorant in the methods of system
forensics.
</soapbox>

In the event that the backdoor from this version of CodeRed has been
located on a server by the admin/IT/Infosec/whomever staff, which I think
it's safe to assume would have happened if recovery effort is taking
place, wouldn't it be better to take the http server down, go through
the logs and start notifying the attacking servers' owners and/or their
providers that they've been compromised?  Furthermore, since you talk of
using the logs of compromised hosts to locate other compromised hosts,
wouldn't it be beneficial for the server owner to examine his/her own logs
looking for people who are doing this type of data mining?  Granted, you
may catch some well meaning grey hats in the process, whom I personally
think shouldn't be hassled for trying to help, but you'll probably find a
few black hats as well.

--
Joseph W. Shaw II
Network Security Specialist/CCNA
Unemployed.  Will hack for food.  God Bless.
Apparently I'm overqualified but undereducated to be employed.
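As an added example (not part of this thread or of any tool the list discusses), the following script shows the alternative Joe argues for: read the IIS logs instead of destroying them, list the hosts that sent the worm's exploit request so their owners or providers can be notified, and flag hosts that used the backdoor to read the web logs. The log lines are constructed, and the two request signatures (the /default.ida overflow request and the root.exe backdoor) are assumed from public Code Red II write-ups rather than taken from this page; substitute your own IDS signatures.

```python
import re
from collections import Counter, defaultdict

# Constructed sample IIS W3C extended log lines (not from any real server).
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-05 01:02:03 192.0.2.10 GET /default.ida XXXXXXXXXXXXXXXXXXXX%u9090%u6858 200
2001-08-05 01:02:09 192.0.2.10 GET /default.ida XXXXXXXXXXXXXXXXXXXX%u9090%u6858 200
2001-08-05 01:05:44 198.51.100.7 GET /index.html - 200
2001-08-05 01:07:10 203.0.113.5 GET /scripts/root.exe /c+dir+c:\\winnt\\system32\\logfiles 200
2001-08-05 01:07:31 203.0.113.5 GET /scripts/root.exe /c+type+c:\\winnt\\system32\\logfiles\\ex010805.log 200
2001-08-05 01:09:00 192.0.2.77 GET /default.ida XXXXXXXXXXXXXXXXXXXX%u9090%u6858 200
"""

# Assumed signatures: the .ida overflow request the worm uses to spread, and
# the root.exe / cmd.exe backdoor Code Red II leaves behind. Replace with your
# own IDS rules; these are illustrative, not taken from the thread.
INFECTION_ATTEMPT = re.compile(r"^/default\.ida$", re.IGNORECASE)
BACKDOOR = re.compile(r"/(root|cmd)\.exe$", re.IGNORECASE)
LOG_PATH = re.compile(r"logfiles", re.IGNORECASE)


def triage(log_text):
    """Return (attackers, log_miners): a Counter of hosts that sent the worm's
    exploit request, and a dict of hosts that used the backdoor to read the
    web logs, each mapped to the requests they made."""
    attackers = Counter()
    log_miners = defaultdict(list)
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip blank lines and W3C directives
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed line; keep going rather than abort triage
        date, time, c_ip, method, stem, query, status = fields[:7]
        if INFECTION_ATTEMPT.search(stem):
            attackers[c_ip] += 1
        elif BACKDOOR.search(stem) and LOG_PATH.search(query):
            log_miners[c_ip].append(f"{date} {time} {stem} {query}")
    return attackers, dict(log_miners)


if __name__ == "__main__":
    attackers, miners = triage(SAMPLE_LOG)
    for ip, n in attackers.most_common():
        print(f"notify owner of {ip}: {n} worm exploit request(s)")
    for ip, hits in miners.items():
        print(f"{ip} read the web logs through the backdoor {len(hits)} time(s)")
```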


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
