Re: backdoor

From: Jonas M Luster (jluster@d-fensive.com)
Date: Mon Jun 24 2002 - 12:45:39 PDT


    Quoting Don Weber (Donat_private):
    
    > a compromised machine, CAN and is usually designed to compromise or be used
    > to compromise other machines. Leaving YOUR machine active and on the
    > internet, is allowing your system to attempt to compromise MY system, you
    > call that over-reacting professional, I call it being considerate. A house
    
    To simply destroy all evidence is not considerate. It is a great
    disservice to all those machines that have been compromised through
    the compromised system. Such a machine usually carries enough
    information to determine the machines that have been attacked from the
    system and reveals an awful lot about the intruder.
    
    That is why I stress the need to prohibit malicious activities on
    router or switch level as soon as the incident is discovered, that is
    doing the right things in access-lists and blocks to make sure the
    system will still function but can not be used against third parties
    anymore.
    
    > being broken into is, broken into, then burglar leaves, and goes elsewhere
    > the next night. Unless of course your house gets broken into and the burglar
    > uses your house as a staging ground to break into other houses in the area,
    > then, maybe, the analogy might work, in that case, YES, level the house,
    > build a new one, and don't forget to upgrade that alarm system
    
    In my analogy the house is used to snipe the neighbors' dogs from the
    rooftop. To simply level that house means not to determine how he got
    in in the first place and therefore to risk to have the same hole
    again. And just like burglars our attackers are persistent. If you
    simply rebuild the system, they will come again. Since you did not
    determine how they got in, chances are they will again. And you could
    not inform your neighbors about that weak lock, either, so they might
    also use their houses.
    
    I hate analogies, I should not have started one in the first place. I
    apologize.
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
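The containment Jonas describes (block the compromised host at the router or switch so it keeps running for investigation but cannot reach third parties) expressed as a first-match access list, as an added example that is not part of this message or the list archive. The addresses, the analyst workstation and the ACL name are constructed assumptions; the IOS rendering is from memory and is not verified against any device.

```python
import ipaddress

# Constructed addresses (assumed for this example; the message names none):
COMPROMISED = "192.0.2.10"    # the compromised host
ANALYST     = "192.0.2.250"   # workstation used to collect evidence from it

ANY = ipaddress.ip_network("0.0.0.0/0")

def containment_acl(host, analyst):
    """Ordered, first-match rules (action, src, dst). The host stays reachable
    for the investigator but can no longer initiate traffic to third parties."""
    h = ipaddress.ip_network(f"{host}/32")
    a = ipaddress.ip_network(f"{analyst}/32")
    return [
        ("permit", a, h),      # investigator -> host (imaging, log collection)
        ("permit", h, a),      # host -> investigator (replies; the ACL is stateless)
        ("deny",   h, ANY),    # host may not talk to anyone else, inside or outside
        ("deny",   ANY, h),    # nobody else reaches the host (re-entry, check-ins)
        ("permit", ANY, ANY),  # the rest of the network keeps working
    ]

def evaluate(acl, src, dst):
    """First matching rule wins; an unmatched packet is denied, as on real ACLs."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"

def _ios_addr(net):
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"   # network + wildcard mask

def render_ios(acl, name="CONTAIN-HOST"):
    """Render the rules as an IOS-style named extended ACL (syntax assumed)."""
    lines = [f"ip access-list extended {name}"]
    lines += [f" {act} ip {_ios_addr(s)} {_ios_addr(d)}" for act, s, d in acl]
    return "\n".join(lines)

ACL = containment_acl(COMPROMISED, ANALYST)

if __name__ == "__main__":
    print(render_ios(ACL))
    print(evaluate(ACL, COMPROMISED, "203.0.113.5"))  # deny
```

Apply the rendered list on the switch port or router interface facing the host; the host answers the analyst but every other flow it starts is dropped, while its neighbours are untouched.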
    



    This archive was generated by hypermail 2b30 : Mon Jun 24 2002 - 22:19:49 PDT