[ On Monday, June 24, 2002 at 12:45:39 (-0700), Jonas M Luster wrote: ]
> Subject: Re: backdoor
>
> To simply destroy all evidence is not considerate. It is a great
> disservice to all those machines that have been compromised through
> the compromised system. Such a machine usually carries enough
> information to determine the machines that have been attacked from the
> system and reveals an awful lot about the intruder.

Perhaps, but until you can telephone your local police and they can send over a bonded and certified geek in a uniform to dust your machine for foreign packets then that's about all the average systems manager can do. I'd bet the average insurance policy won't even cover the loss incurred, or a standby machine to avoid loss, while waiting for this to happen, so there's yet another "social" issue which needs to be dealt with before the average person will think to preserve such evidence.

It would be worse to leave the machine online, and, no offense intended to anyone who reads this but, I for one don't want the average systems manager trying to play an Internet crime detective in his or her spare time. Even posting the obvious stuff to a central forum such as this incidents mailing list is beyond what I'd expect the average person to do.

> That is why I stress the need to prohibit malicious activities on
> router or switch level as soon as the incident is discovered, that is
> doing the right things in access-lists and blocks to make sure the
> system will still function but can not be used against third parties
> anymore.

I cannot argue against that point though! ;-)

--
Greg A. Woods
+1 416 218-0098; <gwoodsat_private>; <g.a.woodsat_private>; <woodsat_private>
Planix, Inc. <woodsat_private>; VE3TCP; Secrets of the Weird <woodsat_private>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Jun 26 2002 - 08:55:00 PDT