Re: backdoor

From: Jonas M Luster (jluster@d-fensive.com)
Date: Sun Jun 23 2002 - 13:06:49 PDT


    Quoting Hugo van der Kooij (hvdkooijat_private):
    
    > > hi, My box was compromised, and i cant rm a binary
    > > that listens over tcp, i need help support, watch:
    > 
    > S.O.P. (Standard Operating Procedures) describe that a compromised box
    > should be considered lost and be installed from scratch.
    
    S.O.P: Someone broke into my house and stole my TV. Let's just go
    ahead and level the whole building and build a new one. S.O.P in this
    case stands for Severely Overreacting Professional.
    
    From the SOP I usually hand out:
    
    | What to do if your system appears compromised:
    | ==============================================
    | 
    | * Ensure isolation on router/switch level. Do not prohibit traffic
    |   out, but ensure the safety of your systems and the 'net. Some
    |   systems are booby-trapped to destroy themselves and all evidence
    |   when put into isolation (a simple ping triggering an fdisk can do
    |   that).
    | 
    | * Perform standard forensic analysis on the compromised system. Compare
    |   MD5 or SHA checksums with those auto-archived during the install and
    |   on a weekly basis (you don't have them? What are you doing on the
    |   'net calling yourself a professional or even an administrator?)
    | 
    | * Can you - without the shadow of a doubt - explain the incident? If
    |   yes, restore your system and go back to work. If not...
    | 
    | * Ensure there are no booby traps in the system that destroy evidence
    |   when it is shut down. Make sure you already checked memory and other
    |   volatile parts of the system before shutting it down.
    | 
    | * What are the implications of shutting the system down hard (pulling
    |   the plug)? If you are unsure, check the 'net. Decide how to take the
    |   system down.
    | 
    | * Mount the system's HDs in a known safe machine. Mount r/o.
    | 
    | * Perform standard forensic work - use TCT or TASK to do so.
    | 
    | * Can you - without the shadow of a doubt - explain the incident? If
    |   yes, restore your system and go back to work. If not...
    | 
    | * Call someone who knows. Your system may not be the only compromised
    |   system in the network. The way in might have been used elsewhere.
    |   Ensure your network is safe.
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
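The checksum-comparison step in the quoted SOP, as an added example that is not code from the list, from the poster, or from TCT/TASK: it takes a baseline of digests, sizes and modes for every regular file under a tree, stores it as JSON, and later reports what was modified, added or removed. The directory layout and file contents inside `demo()` are constructed for illustration. In real use the baseline is taken at install time and kept off the box, and the verification is run from a known-safe machine against the suspect disks mounted read-only, since the compromised host's own hashing tools and file listings cannot be trusted.

```python
"""Baseline-and-verify file checksums (added example, not the SOP author's code).
Records a SHA-256 digest, size and mode per regular file, then diffs a later
snapshot against the stored baseline."""
import hashlib
import json
import os
import tempfile


def file_digest(path, algo="sha256"):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, algo="sha256"):
    """Walk `root` and record digest, size and mode for every regular file.
    Paths are stored relative to `root` with '/' separators, so the same
    baseline applies when the disk is later mounted under another mountpoint."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            # Skip symlinks and non-regular files (sockets, device nodes).
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"digest": file_digest(full, algo),
                             "size": st.st_size, "mode": st.st_mode}
    return baseline


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Return files that changed content, changed mode only, appeared or vanished."""
    modified = sorted(p for p in baseline if p in current
                      and baseline[p]["digest"] != current[p]["digest"])
    # Same bytes but different mode still matters (e.g. a setuid bit appearing).
    mode_changed = sorted(p for p in baseline if p in current
                          and baseline[p]["digest"] == current[p]["digest"]
                          and baseline[p]["mode"] != current[p]["mode"])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "mode_changed": mode_changed,
            "added": added, "missing": missing}


def demo():
    """Constructed scenario: baseline a small tree, alter it, verify.
    Returns the comparison result so it can be checked programmatically."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as vault:
        files = {  # constructed sample tree, not real system files
            "bin/ls": b"original ls binary",
            "bin/ps": b"original ps binary",
            "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
            "var/log/wtmp": b"login records",
        }
        for rel, data in files.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        # The baseline lives outside the tree it describes (here: a second temp dir).
        store = os.path.join(vault, "baseline.json")
        save_baseline(build_baseline(root), store)

        # Later snapshot: one binary replaced, one given a new mode,
        # one file dropped into etc/, one log file gone.
        with open(os.path.join(root, "bin", "ps"), "wb") as f:
            f.write(b"replaced ps binary")
        os.chmod(os.path.join(root, "bin", "ls"), 0o4755)
        with open(os.path.join(root, "etc", "rc.local"), "wb") as f:
            f.write(b"# constructed: startup entry that was not there before\n")
        os.remove(os.path.join(root, "var", "log", "wtmp"))

        return compare(load_baseline(store), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The baseline JSON is only as trustworthy as the place it is kept: if it sits on the same disk as the files it describes, an intruder with root can rewrite both. Keep it on removable or remote write-once storage, and refresh it on the weekly schedule the SOP mentions so that a legitimate package update is not mistaken for tampering.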
    



    This archive was generated by hypermail 2b30 : Sun Jun 23 2002 - 14:58:57 PDT