Forwarded from: H C <keydet89at_private>
Cc: dittrichat_private, thorat_private

> This is one of the poorest of administration and security practices,
> yet people continually think this is perfectly OK to do

Agreed. I've seen this done in data centers when setting up customers' web-hosted systems. This, and allowing the Anonymous user to have write access to the drive via FTP. And I'm not talking about a home user setting up a system...I'm talking about MCSE+Is setting up systems for a web hosting product.

> The fact that Windows 2000 and NT ALLOW THIS BY DEFAULT is the
> problem (Windows XP does not).

I would agree that it is A problem, but I think the real problem is simply lack of knowledge/laziness on the part of those who install these systems.

> but they didn't know the details because "wipe/reinstall" is the
> de-facto method of choice for incident response, which is a very
> poor way to go. No data to analyze means no conclusions (and repeat
> problems, I can guarantee it.)

You're absolutely right. There are a couple of quick things that can be done on Windows systems (NT/2K/XP) to determine if there is even an incident at all...simply watching the lists shows that there's a lot of activity from the OS and applications that admins and users first suspect is malware-related. Remember, there were many Win2K systems that got infected with CR/Nimda, and the owners didn't even realize they had IIS installed.

> Host and network level forensics (even the most basic) do take some
> time, but is the best way to get to the bottom of things.

I recently had an article published on SF that may be of assistance:

http://online.securityfocus.com/infocus/1624

Also, I teach a course in Win2K "live" forensics...we take a look at how systems are broken into, how to prevent it, what to look for, and how to handle incidents.

I'm also developing my own home-grown project, a forensics server. It's mostly completed, and I've got one or two clients finished (all very pre-beta).

The basic idea is to provide a CD to the first responder with the clients...she pops the CD into the "victim" system, runs the configuration, and then the tools. The information is sent off of the "victim" system via a socket, similar to netcat...except that the server not only stores the data, but also documents all activity. The client for copying files simply requires that the first responder select the files they want copied...the client handles collection of data (MAC times, hashes, etc.), copying of the file to the server, and the server handles documentation, including hash verification.

I'll admit that this project is slow in development, but that's mostly b/c (as usual) things that pay the bills take precedence...and there doesn't seem to be a whole lot of interest in such a thing right now. I'm planning on releasing this as open source, GPL'd...the tools are all written in Perl, so the server and clients can be used on or written for other platforms.

Carv

-
ISN is currently hosted by Attrition.org
This archive was generated by hypermail 2b30 : Thu Sep 12 2002 - 01:36:20 PDT