Security Basics mailing list archives
Re: possible rooted systems
From: Mailing Lists <itmaillist () gmail com>
Date: Mon, 1 Nov 2004 09:35:47 -0500
Hello,

My comment wasn't meant to be the only step in correcting the problem; I was adding to the comment above mine (and other suggestions to come about closing holes). Once the problems are discovered and holes are found and closed, re-imaging would still be necessary, since more likely than not the problem has a lot to do with malware, and even when holes are closed in the network the computer would likely still find a way to be a nuisance and a security risk on the network.

Read-only master copies are surely necessary but not always convenient when fixing multiple machines. Using MD5 checksums on the images would allow you to use the USB drive the way I suggested and provide the security needed to ensure the images were not modified.

Either way, close up the hole in the network. Begin cleaning up PCs however you need. As a previous poster mentioned, consider upgrading the 98 machines, and wherever possible implement host hardening.

On Fri, 29 Oct 2004 15:06:48 -0700 (PDT), Alvin Oga <alvin.sec () virtual linux-consulting com> wrote:
> hi ya
>
> > Not to be a stickler for details and hopefully you are already planning this, but the infected machines should be re-imaged, not fixed. Otherwise you leave yourself open to missing backdoors and
>
> re-imaging will NOT solve the problem, since the attacker can come back in using the same exploit that they already know worked on your box - you have to fix the hole that they used to get in
>
> ===================================================
>
> next time they are very likely to do an "rm -rf /" and hopefully you don't use automount in an unsafe way
>
> a better approach ...
>
> -- backup all your data (not system) to a new disk on a new machine
> -- leave your old backups intact forever ..
>
> - find out how they got in
> - find out when they got in
> - find out who they are
> - find out what machines they came from and get the other hack'd machine owner and ISPs' help to "get the attacker"
> - find out what commands they typed
> - find out what other machines they tried to attack/connect to
> - find out what files they modified
> - contact the local police dept and FBI ( if over $15K? in damages )
> - hire somebody to do all that for you
>
> > An easy solution that I use is to have a USB drive around that has all the images I need on it. When a machine hiccups, I can back it up to the USB drive using a ghost boot disk with DOS USB drivers, and then plant a new image over the top.
>
> the "master image" should be cdrom or non-writeable device since you are plugging your "master image" into a hacked box and by your own definition, you don't know that your usb disk is safe after that ( unknown back door, unknown virus, etc.. etc.. )
>
> c ya
> alvin
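The checksum idea raised in the message above, as an added example that is not part of the original thread or either poster's own procedure: a manifest of hashes is built for the master images on a trusted machine, and before a cleaned box is re-imaged from the removable drive the manifest is checked against what is actually on the drive. The post proposes MD5; this script uses sha256sum and md5sum is a drop-in replacement (HASH=md5sum). Two assumptions not stated in the thread: the image directory and the manifest path are given as arguments, and the manifest is kept on read-only media (or off the drive entirely), because a manifest stored on the same writable USB drive can be rewritten by whatever tampered with the images. The sample images and the "hacked box" modification in demo() are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original thread): integrity-check re-imaging
# masters on a removable drive before writing them to a cleaned machine.
# Assumptions: image directory and manifest path are arguments; the
# manifest lives on read-only media or off the drive. The post suggests
# MD5; sha256sum is used here and md5sum is a drop-in (HASH=md5sum).

HASH=${HASH:-sha256sum}

# abspath PATH: print PATH as an absolute path (portable, no realpath).
abspath() {
    case $1 in
        /*) printf '%s\n' "$1" ;;
        *)  printf '%s/%s\n' "$(cd "$(dirname "$1")" && pwd)" "$(basename "$1")" ;;
    esac
}

# make_manifest DIR MANIFEST: record one "<hash>  ./file" line per file
# under DIR, in a stable order. Run once, on a trusted machine, right after
# the masters are built, and then write-protect the manifest.
make_manifest() {
    dir=$1; manifest=$(abspath "$2")
    ( cd "$dir" && find . -type f -print | LC_ALL=C sort |
        while IFS= read -r f; do $HASH "$f"; done ) > "$manifest"
}

# verify_manifest DIR MANIFEST: return 0 only if every listed file hashes
# to its recorded value AND no unlisted file has appeared. A modified image
# or a planted extra file both mean the drive is not safe to re-image from.
verify_manifest() {
    dir=$1; manifest=$(abspath "$2"); rc=0
    tmp=$(mktemp -d) || return 2

    # 1. listed files must be unchanged (also fails on a missing file)
    ( cd "$dir" && $HASH -c --status "$manifest" ) || rc=1

    # 2. the listed set and the actual set must be identical;
    #    comm -13 prints paths present on the drive but absent from the manifest
    sed 's/^[^ ]*  //' "$manifest" | LC_ALL=C sort > "$tmp/listed"
    ( cd "$dir" && find . -type f -print | LC_ALL=C sort ) > "$tmp/actual"
    if [ -n "$(comm -13 "$tmp/listed" "$tmp/actual")" ]; then rc=1; fi

    rm -rf "$tmp"
    return $rc
}

# demo: constructed sample drive, checked clean and then after tampering.
# Returns 0 if the clean drive passes and the tampered one is rejected.
demo() {
    drive=$(mktemp -d); trusted=$(mktemp -d)
    printf 'constructed win98 master image\n' > "$drive/win98.gho"
    printf 'constructed winxp master image\n' > "$drive/winxp.gho"
    make_manifest "$drive" "$trusted/MANIFEST"

    if verify_manifest "$drive" "$trusted/MANIFEST"; then clean=0; else clean=1; fi

    # simulate the hacked box altering one image and planting a file
    printf 'backdoor\n' >> "$drive/win98.gho"
    printf 'dropper\n' > "$drive/autorun.inf"
    if verify_manifest "$drive" "$trusted/MANIFEST"; then tampered=0; else tampered=1; fi

    rm -rf "$drive" "$trusted"
    [ "$clean" -eq 0 ] && [ "$tampered" -ne 0 ]
}

demo && echo "clean drive accepted, tampered drive rejected"
```

In practice `make_manifest` runs once on the build machine and the resulting file goes onto the CD-R alongside (or instead of) the images; `verify_manifest` is what the boot disk runs on each sick PC before Ghost is allowed to read from the USB drive, and any non-zero exit means the drive goes back to the build machine to be wiped and re-mastered.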
Current thread:
- Re: possible rooted systems kyle (Nov 01)
- <Possible follow-ups>
- RE: possible rooted systems xyberpix (Nov 01)
- Re: possible rooted systems Alvin Oga (Nov 02)
- Re: possible rooted systems Mailing Lists (Nov 01)
- RE: possible rooted systems xyberpix (Nov 02)