Security Incidents mailing list archives

Re: Ramen


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Wed, 24 Jan 2001 11:35:56 +1300

On Mon, 22 Jan 2001 16:43:09 -0800 Dave Dittrich
<dittrich () CAC WASHINGTON EDU> wrote:

Matt, generally (well, actually 99.999% of the time), the rule is to
totally reformat whenever there has been a root level compromise.
Go to your old backups, restore from there.  Have a stiff drink, for
that box is history.

My rule #0 is get an image copy before doing your rule #1.
Yes, trying to "clean up" is nearly futile, but properly handling
the incident is important.


I agree that this is desirable; however, it is non-trivial on most
modern systems, which don't have handy tape drives etc.

Do you have any suggestions for making this process more
straightforward?  I have been thinking of keeping a block of disk free on one
of my machines (which has a CD writer) and arranging to copy the image
over the net.  I am well aware that this isn't at all ideal - real disk
images are to be preferred, but apart from the difficulty of
duplicating disks there is the problem of the sheer size of the things
these days.

Cheers, Russell.

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
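One way to do what Russell describes (stream a bit-for-bit image of the evidence disk over the network to a host with free space, and be able to prove later that the copy is exact), as an added example that is not part of this thread. It assumes GNU coreutils (dd, tee, sha256sum), ssh access from the compromised host to the collection host, and uses placeholder names: /dev/sda for the evidence device, collector for the ssh host, /evidence for the destination directory. The hash is taken of the same byte stream that is written, so the disk is read only once.

```shell
#!/bin/sh
# Added example, not from the thread. Image a block device once, hash the
# identical byte stream as it is written, and record the hash next to the
# image so the copy can be verified later without touching the original disk.
# Placeholders: /dev/sda (evidence device), collector (ssh host), /evidence.
set -u

# hash_file FILE: SHA-256 of FILE as bare hex (GNU coreutils sha256sum).
hash_file() {
    sha256sum "$1" | cut -d' ' -f1
}

# image_local SRC DST [BS]: copy SRC to DST on this machine.
#   conv=noerror keeps dd going past unreadable sectors; conv=sync pads a
#   short read with zeros so every later byte keeps its original offset
#   (choose BS so the device size is a multiple of it; 512 always is).
#   tee feeds the bytes being written into sha256sum, the hash is stored in
#   DST.sha256 and also printed.
image_local() {
    src=$1; dst=$2; bs=${3:-65536}
    dd if="$src" bs="$bs" conv=noerror,sync 2>/dev/null \
        | tee "$dst" | sha256sum | cut -d' ' -f1 | tee "$dst.sha256"
}

# image_remote SRC HOST DST [BS]: same, but the image lands on HOST over ssh.
#   The hash is computed on the receiving side, i.e. of what actually arrived.
image_remote() {
    src=$1; host=$2; dst=$3; bs=${4:-65536}
    dd if="$src" bs="$bs" conv=noerror,sync 2>/dev/null \
        | ssh "$host" "tee '$dst' | sha256sum | cut -d' ' -f1 | tee '$dst.sha256'"
}

# verify_image IMG: exit 0 only if IMG still matches the hash recorded at
# acquisition time (IMG.sha256); anything else means the image was altered.
verify_image() {
    img=$1
    recorded=$(cat "$img.sha256")
    actual=$(hash_file "$img")
    [ "$recorded" = "$actual" ]
}

# Usage on the compromised host (placeholders):
#   image_remote /dev/sda collector /evidence/box1-sda.img
# Later, on the collection host:
#   verify_image /evidence/box1-sda.img && echo "image intact"
```

Two things to keep in mind when using this on a box with a root compromise: the dd, tee and ssh binaries on that host are themselves suspect, so run them from known-good static copies (or boot the machine from read-only media and image from there), and write the hash down somewhere off the machine as well, since a hash file stored beside the image only proves the image has not changed since the hash was taken.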
