RE: [incidents] Re: backdoor

From: Don Weber (Donat_private)
Date: Tue Jun 25 2002 - 12:50:47 PDT


    /begin rant
    The idea of finding out what other systems were affected by yours is still
    even a waste of time. I've done that, invested a lot of time/effort and even
    money into finding out exactly what other systems were or may have been
    compromised from my system, only to finally get in touch with the individual
    or administrator of the systems in question, to be 'brushed off' or next to
    being told they don't care, or they don't have time, or "I guess I'll try to
    get this taken care of in the next few weeks" and so on. Unless a system
    of mine gets compromised by an entirely unique method, which would benefit
    the community, I will not take that time and effort again. Now don't blast me
    here; I am sure that some of you are now saying that you would never
    respond to me in the method I described, yet 10 out of 10 calls, that is
    exactly the response I received. So, in the future, like I mentioned, unless it
    is something very unique, the hard drive will likely be thrown out the door
    and a new system installed. At this point, for instance, let's just say
    "Code Red": we all know how a system gets infected by Code Red, there is no
    need for investigation of how it happened, we know how to prevent it from
    happening again, therefore there is simply no reason for me to spend any
    amount of time investigating the compromise, and aside from the possibility
    of finding what other systems were compromised, why should I spend any time
    on it, especially considering my own personal experience with spending that
    time and getting the response I did.
    /end rant
    
    Don
    
    
    > >-----Original Message-----
    > >From: Jonas M Luster [mailto:jluster@d-fensive.com]
    > >Sent: Sunday, June 23, 2002 10:41 PM
    > >To: Daniel Wittenberg
    > >Cc: Incidents Mailing List
    > >Subject: Re: [incidents] Re: backdoor
    > >
    > >
    > >Quoting Daniel Wittenberg (daniel-wittenbergat_private):
    > >
    > >> I don't think you're exactly comparing the same things.  How about
    > >> someone broke into my house, planted bugs all over my hours, possibly
    > >> set traps doors in the floor, and wired it to catch on fire when you
    > >> leave.  The biggest problem I see with a compromise, is that you don't
    > >
    > >To stay with your example is to come home, find the house bugged and
    > >booby-trapped, and based on that fact leveling it, just to build a
    > >similar house (in less time than it'd take to clean it, agreed).
    > >
    > >The neighbor's cat, which got sniped with a gun from the upper windows
    > >of your house, is not brought back, right? But without at least dusting
    > >for shoeprints, you'll never know HOW the bad guy got in. You'll build
    > >the same house again; the bad guy got lucky once in this neighborhood,
    > >they might come back. So, when you simply level and re-erect the
    > >house, you might make yourself an accessory to the neighbor's dog being
    > >sniped, too.
    > >
    > >I've seen quite a number of intrusions in my life. Most of the systems
    > >were reinstalled between four and six hours after detection - that is,
    > >after someone with sufficient clue took the 'live' snapshot, did the
    > >on-analysis and removed the media to do the deeper forensic work. A
    > >new hard disk in, reinstall, good. And by that time, one knows HOW the
    > >bad guy got in and what he did.
    > >
    > >The 'security through reinstallation' myth seems to have been coined by all
    > >those Certified Internet Snakeoil Sales People (CISSPs) and their
    > >likes to conceal the fact that all their fancy certs don't help them
    > >much when it comes to true forensic work.
    > >
    > >See, I believe that a networked system brings with itself
    > >responsibilities. Just like buying a car or a gun. It's a liability
    > >one should only accept if s/he knows how to resolve these problems in
    > >a manner that keeps neighbors and other participants in the
    > >'community', knows someone who's competent to do it, or can pay for
    > >someone to do it.
    > >
    > >> know what they did.  Also, with a lot of people it's a matter of time.
    > >> If it takes me 3 days to follow your instructions below, vs. 1-2 hours
    > >> to rebuild the system from scratch, unless I have a lot of time to
    > >
    > >An initial 'live' assessment takes 3-4 hours, reinstalling a system
    > >from the latest backup between 1 and 3 hours, and applying the patches
    > >to prevent the intrusion from happening again, based on the knowledge
    > >gathered during the initial 3-4 hours, takes another 2 hours. So, I
    > >guess, it's fair to say that it _will_ indeed take longer to do proper
    > >forensics, but not 2 hours compared to 3 days but more like three
    > >hours compared to six.
    > >
    > >> systems compromised like this, but I've cleaned up plenty that have, and
    > >> it's usually not worth the time and effort to figure out what all the
    > >> little kiddies were doing.  I don't think there is any right answer to
    > >
    > >And if it's just to find out if they did it to other systems from
    > >yours, it's always worth the effort - at least in my book.
    > >
    > >-----------------------------------------------------------------
    > >-----------
    > >This list is provided by the SecurityFocus ARIS analyzer service.
    > >For more information on this free incident handling, management
    > >and tracking system please see: http://aris.securityfocus.com
    > >
    > >
    
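    The order Jonas describes above (take the 'live' snapshot first, then pull the media and reinstall) depends on the volatile state being captured before the box is powered down. The script below is an added example, not code from this thread or from either poster: a minimal POSIX sh live-state snapshot that saves the output of a few common collectors, skips any that are not installed, and writes a SHA-256 manifest so the snapshot can later be tied to the deeper analysis done on the removed disk. It assumes POSIX sh plus GNU coreutils (`sha256sum`); the collector list and the output directory name are the caller's choice.

```shell
#!/bin/sh
# Added example (not from the list thread): a minimal volatile-state
# snapshot taken from a suspect host before it is taken offline.
# Assumptions: POSIX sh and GNU coreutils (sha256sum). Collectors such as
# ps/ss/netstat/who/last are used only if present; absent ones are
# recorded as skipped rather than aborting the run.

# collect OUTDIR NAME COMMAND...: run one collector, save its output to
# OUTDIR/NAME.txt and note ok/skipped in OUTDIR/status.log
collect() {
    outdir=$1; name=$2; shift 2
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$outdir/$name.txt" 2>&1
        printf 'ok %s\n' "$name" >> "$outdir/status.log"
    else
        printf 'skipped %s (%s not found)\n' "$name" "$1" >> "$outdir/status.log"
    fi
}

# live_snapshot OUTDIR: gather volatile data into OUTDIR, then hash every
# artefact into OUTDIR/manifest.sha256. Returns 0 on success.
live_snapshot() {
    outdir=$1
    mkdir -p "$outdir" || return 1
    : > "$outdir/status.log"
    date -u '+%Y-%m-%dT%H:%M:%SZ' > "$outdir/collected_at.txt"
    collect "$outdir" system    uname -a
    collect "$outdir" processes ps -ef
    collect "$outdir" sockets   ss -tulpan
    collect "$outdir" netstat   netstat -an
    collect "$outdir" logins    who -a
    collect "$outdir" lastlog   last -n 50
    # hash everything except the manifest itself
    ( cd "$outdir" && for f in *; do
          [ "$f" = manifest.sha256 ] && continue
          sha256sum "$f"
      done ) > "$outdir/manifest.sha256"
}

# snapshot_verify OUTDIR: re-hash the artefacts against the manifest;
# returns 0 if nothing changed since collection, non-zero otherwise.
snapshot_verify() {
    ( cd "$1" && sha256sum -c --quiet manifest.sha256 ) >/dev/null 2>&1
}

# usage (constructed): live_snapshot /mnt/usb/snapshot-$(hostname) && snapshot_verify /mnt/usb/snapshot-$(hostname)
```

    Run it from read-only or external media rather than from the suspect disk, copy the output directory off the host before pulling the drive, and treat `status.log` as part of the record: a collector that was skipped or errored is itself a fact about the state of the machine at the time.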
    