Re: compromised network

[Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>]

On 2004-01-03 Greg wrote:
> ----- Original Message -----
> From: "Ansgar -59cobalt- Wiechers" <bugtraq () planetcobalt net>
> Sent: Saturday, January 03, 2004 6:04 AM
>
> > On 2004-01-02 Greg wrote:
> > > Eg, let's say all is quiet and OK and the crap started happening,
> > > at the local timezone of that machine, at 11PM. Let's FURTHER say
> > > that the business has a once a week full backup with hourly
> > > incrementals. What the heck is the matter with going back to that
> > > SAME day at 10PM's incremental and restoring from that
> > > image/incremental?
> >
> > How do you make sure the intruder did not modify anything not
> > covered by those backups (e.g. install some additional backdoors)?
>
> You conveniently edited that bit out. The answer was already there so
> I'll requote it for you:

s/conveniently/mistakenly/

> "Now, after reinstalling from image/incremental, I would, as some have
> said, get someone in who really knows what he/she is doing to A) Make
> the possibility of it happening ever again as close to zero as it can
> be; B) Get rid of whatever the weakness was that allowed this to
> happen."

Ah, I misread that. Of course nothing is wrong with rebuilding a system
from images and restoring backups. The way I read it "rebuilding from
scratch" also includes the option of using images. What you wrote did
sound to me like you were going to just go back to the point before the
compromisation, which would leave you with the problem I mentioned.
Anyway: my bad.

> > The only reasonable thing to do in a situation like this is:
> >
> > - find out how the intruder got in
>
> Yes.
>
> > - rebuild the system from scratch
>
> Very BAD and WASTEFUL idea.

Misunderstanding. By "rebuild from scratch" I meant: erase the drive and
reinstall the system by whatever method you are using (installation CDs,
images, RIS, ...).

> > - close the door the attacker had used
>
> Well look at XP for example. Let's say you have an XPSP1 installation
> and for whatever reason you like, you decide to format and reinstall
> XP *BUT* the CD you have is PRE SP1. You have formatted and
> reinstalled. You are now open to Nachi and Blaster to name 2. So in
> closing one hole, you have just opened 2 others.

Now you have conveniently ignored one of my points ;). Of course you
don't connect the system back to the network (i.e. online) until you
patched and configured it properly.

Note: IIRC I would still be vulnerable to Nachi and Blaster even if I
had installed SP1 (which can be done easily by building an installation
CD with integrated SP).

> > - restore backups where appropriate
>
> They are ALWAYS appropriate.

Restoring backups from timepoints after an intrusion may not always be
appropriate, but restoring files that were checked and found not being
modified by the intruder may be.

> If you are not using Image backups you are wasting a lot of time.

Not necessarily. There are more options than just installation CDs and
images.

> > - then put the system(s) back online

Regards
Ansgar Wiechers

---------------------------------------------------------------------------
----------------------------------------------------------------------------