Penetration Testing mailing list archives
RE: Unknown App
From: "Scott Fuhriman" <fuhrimans () llix net>
Date: Mon, 25 Jul 2005 14:10:05 -0700
I will elaborate a little more with the additional info you have provided about already having identified the application.

If you are doing a pen-test for a customer, the first thing you should do is let them know. It is not good practice to identify a potential security breach that a customer has and wait to tell them after you are finished with a full report. Then let them take the appropriate action necessary as dictated by their security program/procedures. Otherwise, if this is your organization, you should follow the policies and procedures established. Most likely these don't exist or you wouldn't be asking the question.

The following is not a fully extensive, detailed description of the forensics and incident response process, as it would take far too much to explain. Don't be trapped into thinking the answer is simply to delete the application and continue operating; remember, if there are other machines infected, this one could become infected again.

First, the biggest question that has to be asked is whether this application is malicious or something intended and you are just not in the know about a special configuration within the organization. If this is malicious, the issue needs to be reported to management with the first set of decisions that need to be made. This decision is as to whether the organization wants/needs to spend the time and money to perform a forensics analysis on the machine to identify how the breach occurred and the extent of the breach, or, due to budget and time constraints, wipe the machine completely and rebuild from scratch. Again, if rebuilding isn't an option then you need...

Second, to complement the first decision, management must decide if they want to potentially pursue this in a legal fashion. This decision has far-reaching effects because it determines how you must go about collecting information as evidence. When this becomes a forensics investigation, normal IT staff are not the best people to perform these activities unless they have had the proper forensics training.

Next, if it has been decided to further analyze the incident, you need to identify the manner of compromise (again, unless you know for certain that no legal action will be taken, you should begin forensics procedures because you may not know until after the fact that litigation is desired by management). How did it occur? When did it occur? How to recreate the activities that led up to the security incident? Are there other things running that we are not aware of? What is the worm, and what are its intentions? Are there any other malicious things the worm is known for (key logging, backdoors, etc.)? How is the worm/virus/trojan spreading?

Finally, if you have reached this stage you should have enough information to make an informed decision as to how to mitigate the incident and whether the machine(s) need to be wiped and rebuilt, or simply cleaned so use can continue. If the latter is decided upon, again remember that the only way to be 100% confident is to wipe the machine and change any and all passwords stored/used on the machine, as the person compromising the machine may have compromised all or any of them and could simply use them to regain access. Or it may have been an internal employee or IT staff member, which may be unlikely in this case as it does appear to be a worm.

Hope that gives you a better understanding of what is ahead of you and the decisions needing to be made. Remember, if you have not been trained in forensics analysis and investigation, you should seek someone with that skill set and not make the mistakes that would be made otherwise.
Scott Fuhriman

-----Original Message-----
From: thenightweighsheavy () gmail com [mailto:thenightweighsheavy () gmail com]
Sent: Monday, July 25, 2005 11:44 AM
To: pen-test () securityfocus com
Subject: Re: Unknown App

Hi,

Thanks for all of the great responses; however, I think I phrased the original email poorly. What I was getting at was how to approach this application that has opened port 80 - but not as a web listener. I.e., the usual approaches to pen-testing a web server are not applicable. I have identified the offending application; what I'm curious to know is how the list would approach this find.

Golden Earring