Russ, Thanks for the follow-up on the issue...such a thing is extremely rare, particularly in the Incidents list. Also, the detail of the follow-up is very helpful to folks who simply lurk on the list... > My guess is that these machines are previously > compromised systems and that this could be a way of > distributing updates or backdoors through > the network, or am I just being paranoid? Well, I'd say that unless you have some evidence to back it up, it's an assumption that may bite you in the arse later. The thing is, an investigator should never approach a system with preconceived notions...having a theory is something different, but having a preconceived notion means that you're not necessarily going to look for data...you're going to look for data that supports your assumption. Now, if you do have information that supports your assumption about the machines being previously compromised...that's great. Otherwise, you're likely to get yourself into trouble being paranoid. __________________________________________________ Do You Yahoo!? Yahoo! Health - Feel better, live better http://health.yahoo.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Aug 06 2002 - 09:14:22 PDT