Re: MSBlast and other known exploits..

From: Jonathan Rickman (jonathanat_private)
Date: Thu Aug 14 2003 - 17:48:07 PDT

    On Thursday 14 August 2003 18:51, Harlan Carvey wrote:
    
    Hey Carv...
    
    > 1.  If the infection isn't Admin or System-level, why
    > rebuild?
    
    I think what he's driving at is not the fact that the worm hit the machine 
    in question, but that the machine in question was wide open for a total 
    compromise for some time now via the very same attack vector that allows 
    the worm to spread in the first place.
    
    > 2.  If a blind, unqualified rebuild is done, what
    > happens?  If nothing is done to determine *how* the
    > incident occurred, then what happens?  The system
    > could be very quickly reinfected, leading to an
    > endless cycle of infections and re-installs.  Or
    > worse, the subsequent incident could be far deeper and
    > far more stealthy.
    
    I agree with both of you...conditionally. If the infected host was not 
    exposed to the public Internet in any way, it is a good possibility that 
    the entry point was a laptop or other mobile system on the inside, as 
    discussed earlier. In this case, a cleaning/patching session followed by a 
    quick checkup of the machine's general health is in order. However, if the 
    machine is exposed directly to the public Internet and gets hit, you have 
    very little recourse other than wiping/restoring unless you have unlimited 
    time to take the system down for a complete forensic exam. I agree that 
    this should be done when possible, but reality bites...most of the time.
    
    -- 
    Jonathan Rickman
    X Corps Security
    http://www.xcorps.net
    
    



    This archive was generated by hypermail 2b30 : Thu Aug 14 2003 - 21:06:04 PDT