At 01:55 PM 7/22/2003 -0700, you wrote:

> > For my money, I would say yes, rebuild it. There are the files
> > you found and the intangibles you'll probably never find, like
> > who and why.
>
> What about the "how"? If the original poster (OP) never discovers
> how the original compromise occurred, then rebuilding the system
> does nothing but waste time. Rebuilding and updating the patches
> may help, but there are a great deal of things that patching
> doesn't protect against, such as misconfigurations and weak
> passwords.

You're right about the underlying configuration and the issue of how. I had read too much into his post, and thought he had his own idea of how (compromised account). I left it without saying that he should tighten the configuration, because my experience has been that once hit (especially big hits like this), most professional admins take it upon themselves to do the research and tighten their boxes.

> > You may have a good reason to believe you know what happened,
> > and you may be correct (especially if you have before and after
> > md5 or tripwire hashes), but there are few absolutes.
>
> The reason that Windows incidents many times seem to have few
> absolutes can largely be attributed to those who are posting not
> knowing what to look for, or how to look for it. The OP stated
> that he'd run some tools based on an article I'd written, but
> never bothered to post his results or analysis.

I'm sorry, but I don't think there are too many absolutes. MAC times can be tampered with, logs can be corrupted, etc. Without corroborating evidence, I think you have to take what they say with a grain of salt. I haven't read your article, and it may be able to set some of my doubts aside, but until I get a chance to find and read it I'll probably continue to encourage rebuilds where possible.

> > I've recently dealt with a windows rootkit (derived from hacker
> > defender it appears) and can tell you that you might not know
> > about everything. If our attacker had been a little more subtle
> > we might not have been able to find his/her tracks. As it was I
> > am still learning about what happened a month and a half later
> > (it's been a real learning experience with Windows Rootkits and
> > how to use forensic tools).
>
> Again, this condition may have to do w/ the fact that most Windows
> admins are busy admin'ing, and don't seem to have the cycles to
> give to learning what to do when an incident occurs.

I agree that a lot of admins don't have the experience to handle an incident, and those that do may (like myself) not have a lot of forensic experience. I feel I am adept at securing the box and handling the evidence, and can frequently figure out the how by looking at logs, using tools like fport, pslist, etc., by talking with the user/admin, network security (a separate group on campus), etc., but there is a point at which, even with all the time I have spent on security, I am in over my head, and at least once I ran out of people to ask for help. At these times I have to fall back on reinstalling, patching, tightening and ongoing monitoring.

> For example, the OP's incident has little if anything (or it would
> seem) to do with rootkits. Hacker Defender is a user-mode
> rootkit...if the process was running with admin privs, then
> perhaps something else needs to be looked at.

In this incident I was cleaning up after an end-user who set up their own machine with a weak admin password (it's an unfortunate policy situation I am trying to fix). The attacker appears to have compromised the password (strongly educated guess, since there aren't any logs and the network traces were somewhat lacking) and then installed the rootkit as a service (which, among other things, hid the service, so I had to use the offline password/registry editor at http://home.eunet.no/~pnordahl/ntpasswd/ to find it). I mentioned this to show that there might be more going on than what meets the eye.

In my rush to a meeting I forgot to mention that rootkits, like hacker defender, can hide folders, services, registry entries, etc. Meaning that the original poster might not have seen everything.

John

-------------------------------------------------
John Ives, GCWN, GSEC
Systems Administrator
College of Chemistry
(510) 643-1033

"If you spend more on coffee than on IT security,
Then you will be hacked. What's more, you deserve to be hacked."
- Richard Clarke

Any opinions expressed are my own and not those of the Regents of the University of California.
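The thread above turns on two points: a "before and after" hash baseline (md5 or tripwire) is about the only thing that gives an admin an absolute, and MAC times alone cannot be trusted because they can be tampered with. The following script is an added illustration, not code from either poster or from any tool named in the thread. It builds a hash baseline of a directory tree, compares a later snapshot against it, and reports added, removed and modified files; it also flags the case the thread warns about, a file whose content changed while its modification time stayed identical, which a timestamp-only review would miss. The sample files, the tampering step and the directory layout are all constructed inside a temporary directory so the script runs offline; SHA-256 is used in place of the md5 mentioned in the thread, with the algorithm left as a parameter.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path, algorithm="sha256", chunk=65536):
    """Hash a file's contents in fixed-size chunks so large files do not land in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, algorithm="sha256"):
    """Map each regular file under root (relative POSIX path) to its hash, size and mtime."""
    root = Path(root)
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_symlink():  # record only real file content
                continue
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "hash": hash_file(p, algorithm),
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
            }
    return baseline


def compare_baselines(before, after):
    """Diff two baselines. Content changes are judged by hash, never by timestamp."""
    common = set(before) & set(after)
    modified = sorted(p for p in common if before[p]["hash"] != after[p]["hash"])
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": modified,
        # Content changed but mtime did not: the timestamp was preserved or reset,
        # exactly the kind of tampering that makes MAC times unreliable on their own.
        "mtime_unchanged": sorted(
            p for p in modified if before[p]["mtime_ns"] == after[p]["mtime_ns"]
        ),
    }


def demo():
    """Constructed scenario: take a baseline, alter the tree, compare. Returns the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "tool.exe").write_bytes(b"MZ original tool")  # constructed sample
        (root / "config.ini").write_text("user=admin\n")
        (root / "readme.txt").write_text("nothing here\n")
        before = build_baseline(root)

        # Constructed changes: replace one file but put its original mtime back,
        # add a new file, delete another.
        target = root / "bin" / "tool.exe"
        st = target.stat()
        target.write_bytes(b"MZ replaced tool")
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))
        (root / "bin" / "extra.dll").write_bytes(b"new file")
        (root / "readme.txt").unlink()

        after = build_baseline(root)
        return compare_baselines(before, after)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

In practice the baseline would be taken at build time and stored off the box (hashes kept on the compromised host can be rewritten along with everything else), and the comparison run from a clean system against an offline copy of the disk, since a user-mode rootkit of the kind discussed above can hide files from a live listing.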
This archive was generated by hypermail 2b30 : Wed Jul 23 2003 - 09:49:07 PDT