Security Incidents mailing list archives

Re: backdoor


From: woods () weird com (Greg A. Woods)
Date: Tue, 25 Jun 2002 11:04:44 -0400 (EDT)

[ On Monday, June 24, 2002 at 12:45:39 (-0700), Jonas M Luster wrote: ]
Subject: Re: backdoor

> To simply destroy all evidence is not considerate. It is a great
> disservice to all those machines that have been compromised through
> the compromised system. Such a machine usually carries enough
> information to determine the machines that have been attacked from the
> system and reveals an awful lot about the intruder.

Perhaps, but until you can telephone your local police and they can send
over a bonded and certified geek in a uniform to dust your machine for
foreign packets then that's about all the average systems manager can
do.  I'd bet the average insurance policy won't even cover the loss
incurred, or a standby machine to avoid loss, while waiting for this to
happen, so there's yet another "social" issue which needs to be dealt
with before the average person will think to preserve such evidence.

It would be worse to leave the machine online, and, no offense intended
to anyone who reads this but, I for one don't want the average systems
manager trying to play an Internet crime detective in his or her spare
time.  Even posting the obvious stuff to a central forum such as this
incidents mailing list is beyond what I'd expect the average person to
do.

> That is why I stress the need to prohibit malicious activities on
> router or switch level as soon as the incident is discovered, that is
> doing the right things in access-lists and blocks to make sure the
> system will still function but cannot be used against third parties
> anymore.

I cannot argue against that point though!  ;-)

-- 
                                                                Greg A. Woods

+1 416 218-0098;  <gwoods () acm org>;  <g.a.woods () ieee org>;  <woods () robohack ca>
Planix, Inc. <woods () planix com>; VE3TCP; Secrets of the Weird <woods () weird com>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
