Re: First time security issue.

From: Harlan Carvey (keydet89at_private)
Date: Tue Jul 22 2003 - 13:55:49 PDT

    John,
    
    While I understand your sentiment, I have to say that
    I cannot agree with it.
    
    > For my money, I would say yes, rebuild it.  There
    > are the files you found 
    > and the intangibles you'll probably never find, like
    > who and why. 
    
    What about the "how"?  If the original poster (OP)
    never discovers how the original compromise occurred,
    then rebuilding the system does nothing but waste
    time.  Rebuilding and updating the patches may help,
    but there is a great deal that patching doesn't
    protect against, such as misconfigurations and weak
    passwords.
    
    > You may 
    > have a good reason to believe you know what
    > happened, and you may be 
    > correct (especially if you have before and after md5
    > or tripwire hashes), but there are few absolutes. 
    
    The reason that Windows incidents many times seem to
    have few absolutes can largely be attributed to those
    who are posting not knowing what to look for, or how
    to look for it.  The OP stated that he'd run some
    tools based on an article I'd written, but never
    bothered to post his results or analysis.
    
    > I've recently dealt with a windows rootkit 
    > (derived from hacker defender it appears) and can
    > tell you that you might 
    > not know about everything. If our attacker had been
    > a little more subtle we 
    > might not have been able to find his/her tracks.  As
    > it was I am still 
    > learning about what happened a month and a half
    > later (it's been a real 
    > learning experience with Windows Rootkits and how to
    > use forensic tools).
    
    Again, this condition may have to do w/ the fact that
    most Windows admins are busy admin'ing, and don't seem
    to have the cycles to give to learning what to do when
    an incident occurs. 
    
    For example, the OP's incident has little if anything
    (or it would seem) to do with rootkits.  Hacker
    Defender is a user-mode rootkit...if the process was
    running with admin privs, then perhaps something else
    needs to be looked at.
    
    Thanks,
    
    Harlan
    
    
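The thread above leans on "before and after md5 or tripwire hashes" as the one thing that lets a responder say with some confidence what changed on a box. The script below is an added illustration of that baseline-and-compare idea, written for this archive page; it is not code from either poster or from Tripwire. It builds a baseline of hash, size and mtime for every file under a directory, takes a second snapshot, and reports files that were added, removed or modified. It also flags modified files whose mtime did not move, the case where content changed but the timestamp was put back, which a plain directory listing would never show. The sample tree, file names and contents (svc.exe, config.ini, dropper.dll) are constructed for the demo, and SHA-256 is used instead of the MD5 the post mentions, since MD5 collisions are cheap to produce.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, algo: str = "sha256") -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, algo: str = "sha256") -> dict:
    """Record hash, size and mtime for every regular file under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "hash": hash_file(p, algo),
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
            }
    return baseline


def compare(before: dict, after: dict) -> dict:
    """Diff two baselines: new, deleted and modified files, plus modified
    files whose mtime is identical in both snapshots (content changed,
    timestamp restored)."""
    common = set(before) & set(after)
    changed = sorted(k for k in common if before[k]["hash"] != after[k]["hash"])
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": changed,
        "mtime_unchanged": sorted(
            k for k in changed if before[k]["mtime_ns"] == after[k]["mtime_ns"]
        ),
    }


def run_demo() -> dict:
    """Constructed scenario: baseline a small tree, alter it, compare."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        svc = root / "bin" / "svc.exe"          # constructed sample file
        cfg = root / "config.ini"               # constructed sample file
        svc.write_bytes(b"original service binary")
        cfg.write_text("password=weak\n")
        (root / "readme.txt").write_text("hello\n")
        before = build_baseline(root)

        # Replace the binary but restore its old mtime, so a directory
        # listing sorted by date shows nothing new.
        st = svc.stat()
        svc.write_bytes(b"replaced service binary")
        os.utime(svc, ns=(st.st_atime_ns, st.st_mtime_ns))
        # Edit the config and push its mtime forward one second explicitly,
        # so the demo is deterministic whatever the filesystem's timestamp
        # granularity.
        cst = cfg.stat()
        cfg.write_text("password=weak\nallow_remote=1\n")
        os.utime(cfg, ns=(cst.st_atime_ns, cst.st_mtime_ns + 1_000_000_000))
        (root / "readme.txt").unlink()
        (root / "bin" / "dropper.dll").write_bytes(b"new file")  # constructed
        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, files in run_demo().items():
        print(f"{kind:16s} {files}")
```

Two caveats follow directly from the thread. The baseline is only worth anything if it was taken before the incident and stored off the host, which is why a rebuild without one leaves the "how" unanswered. And a user-mode rootkit such as Hacker Defender hides files from the tools running on the live system, so both snapshots should be taken from a trusted environment (the disk mounted under a known-good OS), not from the compromised host's own shell.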
    



    This archive was generated by hypermail 2b30 : Tue Jul 22 2003 - 14:59:04 PDT