Security Incidents mailing list archives
Re: Ramen
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Wed, 24 Jan 2001 11:35:56 +1300
On Mon, 22 Jan 2001 16:43:09 -0800 Dave Dittrich <dittrich () CAC WASHINGTON EDU> wrote:
Matt, generally (well, actually 99.999% of the time), the rule is to totally reformat whenever there has been a root level compromise. Go to your old backups, restore from there. Have a stiff drink, for that box is history.

My rule #0 is get an image copy before doing your rule #1. Yes, trying to "clean up" is nearly futile, but properly handling the incident is important.
I agree that this is desirable, however it is non-trivial on most modern systems which don't have handy tape drives etc. Do you have any suggestions for making this process more straightforward? I have been thinking of keeping a block of disk free on one of my machines (which has a CD writer) and arranging to copy the image over the net. I am well aware that this isn't at all ideal - real disk images are to be preferred, but apart from the difficulty of duplicating disks there is the problem of the sheer size of the things these days.

Cheers, Russell.

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
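On Russell's question of copying an image over the net: as an added example (not from anyone in the thread), here is a POSIX shell sketch that streams a device image to a remote sink while hashing the bytes in transit, so the copy can be verified once it lands. The device path /dev/sda, the host "evidence" and the image path are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Stream a disk image to a remote sink,
# hash exactly the bytes sent, and verify the stored copy against that hash.
# Run from known-good static binaries: a rooted host's own dd/ssh/tee are not
# trustworthy. Names below (/dev/sda, host "evidence", image path) are placeholders.

sha256_of_stdin() {
    # portable SHA-256 of stdin; prints only the hex digest
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi | cut -d' ' -f1
}

# image_to_sink SRC SINK_CMD
# Reads SRC (block device or file) once, feeds the bytes to SINK_CMD's stdin
# (e.g. 'ssh evidence "cat > /images/web1-sda.img"') and prints the SHA-256 of
# the stream. Returns the sink's exit status, so a failed transfer is visible.
image_to_sink() {
    src=$1; sink=$2
    fifo="${TMPDIR:-/tmp}/image-fifo.$$"
    mkfifo -m 600 "$fifo" || return 1
    # the sink drains the FIFO in the background while tee fills it
    ( eval "$sink" < "$fifo" ) &
    sinkpid=$!
    # a read error aborts dd here; decide about conv=noerror,sync per case
    dd if="$src" bs=65536 | tee "$fifo" | sha256_of_stdin
    wait "$sinkpid"; rc=$?
    rm -f "$fifo"
    return $rc
}

# verify_image IMG EXPECTED_HEX -> 0 when the copy at rest matches the transit hash
verify_image() {
    actual=$(sha256_of_stdin < "$1")
    [ "$actual" = "$2" ]
}

# Typical use (placeholders): record the printed hash with the date and host name,
# then run verify_image on the collector before the original box is rebuilt.
#   image_to_sink /dev/sda 'ssh evidence "cat > /images/web1-sda.img"'
```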