Security Incidents mailing list archives
Re: [incidents] Re: backdoor
From: Jonas M Luster <jluster () d-fensive com>
Date: Sun, 23 Jun 2002 22:40:46 -0700
Quoting Daniel Wittenberg (daniel-wittenberg () uiowa edu):
I don't think you're exactly comparing the same things. How about someone broke into my house, planted bugs all over my hours, possibly set traps doors in the floor, and wired it to catch on fire when you leave. The biggest problem I see with a compromise, is that you don't
To stay with your example is to come home, find the house bugged and boobie-trapped, and based on that fact leveling it, just to build a similar house (in less time than it'd take to clean it, agreed). The neighbor's cat, which got snipered with gun from the upper windows of your house is not brought back, right? But without at least dusting for shoeprints, you'll never know HOW the bad guy got in. You'll build the same house again, the bad guy got lucky once in this neighborhood they might come back. So, when you simply level and reerrect the house, you might make yourself an accessory to the neighbors dog being snipered, too. I've seen quite a number of intrusions in my life. Most of the systems were reinstalled between four and six hours after detection - that is after someone with sufficient clue took he 'live' snapshot, did the on-analysis and removed the media to do the deeper forensic work. A new harddisk in, reinstall, good. And by that time, one knows HOW the bad guy got in and what he did. The 'security through reinstallation' myth seems to have coined by all those Certified Internet Snakeoil Sales People (CISSPs) and their likes to conceal the fact that all their fancy certs don't help them much when it comes to true forensic work. See, I believe that a networked system brings with itself responsibilities. Just like buying a car or a gun. It's a liability, one should only accept if s/he knows how to resolve these problems in a matter that keeps neighbors and other participants in the 'community', knows someone who's competent to do it, or can pay for someone to do it.
know what they did. Also, with a lot of people it's a matter of time. If it takes me 3 days to follow your instructions below, vs. 1-2 hours to rebuild the system from scratch, unless I have a lot of time to
An initial 'live' assessment takes 3-4 hours, reinstalling a system from the latest backup between 1 and 3 hours, and applying the patches to prevent the intrusion from happening again, based on the knowledge gathered during the initial 3-4 hours, takes another 2 hours. So, I guess, it's fair to say that it _will_ indeed take longer to do proper forensics, but not 2 hours compared to 3 days but more like three hours compared to six.
systems compromised like this, but I've cleaned up plenty that have, and it's usually not worth the time and effort to figure out what all the little kiddies were doing. I don't think there is any right answer to
And if it's just to find out if they did it to other systems from yours, it's always worth the effort - at least in my book. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- backdoor Fabio Miranda (Jun 22)
- Re: backdoor steveg (Jun 23)
- Re: backdoor Ken Fischer (Jun 25)
- Re: backdoor Hugo van der Kooij (Jun 23)
- Re: backdoor Jonas M Luster (Jun 23)
- Re: backdoor Kyle R. Hofmann (Jun 24)
- Message not available
- Re: backdoor Jonas M Luster (Jun 24)
- Re: backdoor Hugo van der Kooij (Jun 26)
- Re: backdoor Greg A. Woods (Jun 26)
- Re: backdoor Jonas M Luster (Jun 23)
- Message not available
- Re: [incidents] Re: backdoor Jonas M Luster (Jun 25)
- RE: [incidents] Re: backdoor Don Weber (Jun 26)
- Re: backdoor steveg (Jun 23)
- Re: backdoor Eric Rostetter (Jun 26)
- <Possible follow-ups>
- RE: backdoor Rob Keown (Jun 23)
- Re: backdoor Christopher L Calvert (Jun 25)
- Re: backdoor Valdis . Kletnieks (Jun 26)
- RE: backdoor Liam Grant (Jun 26)