nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: DNS poisoning at Google?

From: AP NANOG <nanog () armoredpackets com>
Date: Wed, 27 Jun 2012 11:05:07 -0400
This may not help Matt now, but I just came across this today and believe it may help others who have to deal with incidents:
http://cert.societegenerale.com/en/publications.html --> "IRM (Incident Response Methodologies)"
If you changed the file contents before noting the created date, modified date, etc. then begin looking at your backups. This date will then help you track down the log entries and finally lead you to the root cause.
Also, if possible, please post the culprit code that caused this, exif'ing the sensitive data of course :-) 

--

Thank you,

Robert Miller
http://www.armoredpackets.com

Twitter: @arch3angel

On 6/27/12 7:50 AM, TR Shaw wrote:

On Jun 27, 2012, at 3:36 AM, Michael J Wise wrote:


On Jun 27, 2012, at 12:06 AM, Matthew Black wrote:


We found the aberrant .htaccess file and have removed it. What a mess!


Trusting you carefully noted the date/time stamp before removing it, as that's an important bit of forensics.

And done forget there is a trail on that file on your backups.

Tom
Previous By Date Next
Previous By Thread Next

Current thread: