Security Incidents mailing list archives
RE: [incidents] Re: backdoor
From: "Don Weber" <Don () AirLink com>
Date: Tue, 25 Jun 2002 12:50:47 -0700
/begin rant the idea of finding out what other systems were affected by yours is still even a waste of time, i've done that, invested alot of time/effort and even money into findong out exactly what other systems were or may have been compromised from my system, only to finally get in touch with the individual or administrator of the systems in question, to be, 'brushed off' or next to being told, they dont care, or they dont have time, or i guess i'll try to get this taken care of in the next few weeks and so on, and unless a system of mine gets compromised by an entirely unique method, which would benefit the community, i will not take that time and effort again, now dont blast me here, I am sure that some of you are now saying, that you would never respond to me in the method i described, yet 10 out of 10 calls, that is exactly the response i rcvd, so, in the future, like i mentioned, unless it is something very unique, the hard drive will likely be thrown out the door, and a new system installed, since, at this point for instance lets just say "code red", we all know how a system gets infected by code red, there is no need for investigation of how it happened, we know how to prevent it from happening again, therefore there is simply no reason for me to spend any amount of time investigating the compromise, and aside form the possibillity of finding what other systems were compromised, why should i spend any time on it, especially considering my own personal experience with spending that time and getting the response i did. /end rant Don
-----Original Message----- From: Jonas M Luster [mailto:jluster () d-fensive com] Sent: Sunday, June 23, 2002 10:41 PM To: Daniel Wittenberg Cc: Incidents Mailing List Subject: Re: [incidents] Re: backdoor Quoting Daniel Wittenberg (daniel-wittenberg () uiowa edu):I don't think you're exactly comparing the same things. How about someone broke into my house, planted bugs all over my hours, possibly set traps doors in the floor, and wired it to catch on fire when you leave. The biggest problem I see with a compromise, is that you don'tTo stay with your example is to come home, find the house bugged and boobie-trapped, and based on that fact leveling it, just to build a similar house (in less time than it'd take to clean it, agreed). The neighbor's cat, which got snipered with gun from the upper windows of your house is not brought back, right? But without at least dusting for shoeprints, you'll never know HOW the bad guy got in. You'll build the same house again, the bad guy got lucky once in this neighborhood they might come back. So, when you simply level and reerrect the house, you might make yourself an accessory to the neighbors dog being snipered, too. I've seen quite a number of intrusions in my life. Most of the systems were reinstalled between four and six hours after detection - that is after someone with sufficient clue took he 'live' snapshot, did the on-analysis and removed the media to do the deeper forensic work. A new harddisk in, reinstall, good. And by that time, one knows HOW the bad guy got in and what he did. The 'security through reinstallation' myth seems to have coined by all those Certified Internet Snakeoil Sales People (CISSPs) and their likes to conceal the fact that all their fancy certs don't help them much when it comes to true forensic work. See, I believe that a networked system brings with itself responsibilities. Just like buying a car or a gun. It's a liability, one should only accept if s/he knows how to resolve these problems in a matter that keeps neighbors and other participants in the 'community', knows someone who's competent to do it, or can pay for someone to do it.know what they did. Also, with a lot of people it's a matter of time. If it takes me 3 days to follow your instructions below, vs. 1-2 hours to rebuild the system from scratch, unless I have a lot of time toAn initial 'live' assessment takes 3-4 hours, reinstalling a system from the latest backup between 1 and 3 hours, and applying the patches to prevent the intrusion from happening again, based on the knowledge gathered during the initial 3-4 hours, takes another 2 hours. So, I guess, it's fair to say that it _will_ indeed take longer to do proper forensics, but not 2 hours compared to 3 days but more like three hours compared to six.systems compromised like this, but I've cleaned up plenty thathave, andit's usually not worth the time and effort to figure out what all the little kiddies were doing. I don't think there is any right answer toAnd if it's just to find out if they did it to other systems from yours, it's always worth the effort - at least in my book. ----------------------------------------------------------------- ----------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- backdoor Fabio Miranda (Jun 22)
- Re: backdoor steveg (Jun 23)
- Re: backdoor Ken Fischer (Jun 25)
- Re: backdoor Hugo van der Kooij (Jun 23)
- Re: backdoor Jonas M Luster (Jun 23)
- Re: backdoor Kyle R. Hofmann (Jun 24)
- Message not available
- Re: backdoor Jonas M Luster (Jun 24)
- Re: backdoor Hugo van der Kooij (Jun 26)
- Re: backdoor Greg A. Woods (Jun 26)
- Re: backdoor Jonas M Luster (Jun 23)
- Message not available
- Re: [incidents] Re: backdoor Jonas M Luster (Jun 25)
- RE: [incidents] Re: backdoor Don Weber (Jun 26)
- Re: backdoor steveg (Jun 23)
- Re: backdoor Eric Rostetter (Jun 26)
- <Possible follow-ups>
- RE: backdoor Rob Keown (Jun 23)
- Re: backdoor Christopher L Calvert (Jun 25)
- Re: backdoor Valdis . Kletnieks (Jun 26)
- RE: backdoor Liam Grant (Jun 26)