On Sun, 5 Aug 2001 aleph1at_private wrote:

> Abstract
>
> infected attacking IIS web servers to learn of new infected hosts. The
> strong recommendation from this report is that as part of any CodeRed
> II recovery effort, the system web logs should immediately be
> destroyed, and Intrusion Detection Systems should be checking for and
> tracing recursive attempts to access web logs through the backdoor.

<soapbox>
It is reckless and dangerous to suggest that the first step of recovery from any type of security compromise is to delete relevant information, especially system or application logs, without first examining them. Furthermore, in a forensic investigation, which is not necessarily applicable to this specific type of compromise, altering original-copy binary data in any way would immediately disqualify any information gained from that data from being admissible in a court of law. This point is especially important for those who are ignorant of the methods of system forensics.
</soapbox>

In the event that the backdoor from this version of CodeRed has been located on a server by the admin/IT/Infosec/whomever staff, which I think it's safe to assume would have happened if a recovery effort is taking place, wouldn't it be better to take the http server down, go through the logs, and start notifying the attacking servers' owners and/or their providers that they've been compromised?

Furthermore, since you talk of using the logs of compromised hosts to locate other compromised hosts, wouldn't it be beneficial for the server owner to examine his/her own logs looking for people who are doing this type of data mining? Granted, you may catch some well-meaning grey hats in the process, whom I personally think shouldn't be hassled for trying to help, but you'll probably find a few black hats as well.

--
Joseph W. Shaw II
Network Security Specialist/CCNA
Unemployed. Will hack for food. God Bless.
Apparently I'm overqualified but undereducated to be employed.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 09:16:50 PDT