Security Basics mailing list archives
Re: compromised network
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Sat, 3 Jan 2004 07:08:31 +0100
On 2004-01-03 Greg wrote:
----- Original Message ----- From: "Ansgar -59cobalt- Wiechers" <bugtraq () planetcobalt net> Sent: Saturday, January 03, 2004 6:04 AMOn 2004-01-02 Greg wrote:Eg, let's say all is quiet and OK and the crap started happening, at the local timezone of that machine, at 11PM. Let's FURTHER say that the business has a once a week full backup with hourly incrementals. What the heck is the matter with going back to that SAME day at 10PM's incremental and restoring from that image/incremental?How do you make sure the intruder did not modify anything not covered by those backups (e.g. install some additional backdoors)?You conveniently edited that bit out. The answer was already there so I'll requote it for you:
s/conveniently/mistakenly/
"Now, after reinstalling from image/incremental, I would, as some have said, get someone in who really knows what he/she is doing to A) Make the possibility of it happening ever again as close to zero as it can be; B) Get rid of whatever the weakness was that allowed this to happen."
Ah, I misread that. Of course nothing is wrong with rebuilding a system from images and restoring backups. The way I read it "rebuilding from scratch" also includes the option of using images. What you wrote did sound to me like you were going to just go back to the point before the compromisation, which would leave you with the problem I mentioned. Anyway: my bad.
The only reasonable thing to do in a situation like this is: - find out how the intruder got inYes.- rebuild the system from scratchVery BAD and WASTEFUL idea.
Misunderstanding. By "rebuild from scratch" I meant: erase the drive and reinstall the system by whatever method you are using (installation CDs, images, RIS, ...).
- close the door the attacker had usedWell look at XP for example. Let's say you have an XPSP1 installation and for whatever reason you like, you decide to format and reinstall XP *BUT* the CD you have is PRE SP1. You have formatted and reinstalled. You are now open to Nachi and Blaster to name 2. So in closing one hole, you have just opened 2 others.
Now you have conveniently ignored one of my points ;). Of course you don't connect the system back to the network (i.e. online) until you patched and configured it properly. Note: IIRC I would still be vulnerable to Nachi and Blaster even if I had installed SP1 (which can be done easily by building an installation CD with integrated SP).
- restore backups where appropriateThey are ALWAYS appropriate.
Restoring backups from timepoints after an intrusion may not always be appropriate, but restoring files that were checked and found not being modified by the intruder may be.
If you are not using Image backups you are wasting a lot of time.
Not necessarily. There are more options than just installation CDs and images.
- then put the system(s) back online
Regards Ansgar Wiechers --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Re: compromised network Greg (Jan 02)
- Re: compromised network Ansgar -59cobalt- Wiechers (Jan 02)
- Re: compromised network Greg (Jan 05)
- Re: compromised network Ansgar -59cobalt- Wiechers (Jan 05)
- Re: compromised network Greg (Jan 08)
- Re: compromised network Greg (Jan 05)
- Re: compromised network Ansgar -59cobalt- Wiechers (Jan 02)
- Re: compromised network - backups Alvin Oga (Jan 05)
- <Possible follow-ups>
- RE: compromised network Mike (Jan 05)
- Re: compromised network Dana Rawson (Jan 06)
- RE: compromised network Francisco Mário Ferreira Custódio (Jan 07)