On Thursday 14 August 2003 18:51, Harlan Carvey wrote:

Hey Carv...

> 1. If the infection isn't Admin or System-level, why
> rebuild?

I think what he's driving at is not the fact that the worm hit the machine in question, but that the machine in question was wide open for a total compromise for some time now via the very same attack vector that allows the worm to spread in the first place.

> 2. If a blind, unqualified rebuild is done, what
> happens? If nothing is done to determine *how* the
> incident occurred, then what happens? The system
> could be very quickly reinfected, leading to an
> endless cycle of infections and re-installs. Or
> worse, the subsequent incident could be far deeper and
> far more stealthy.

I agree with both of you...conditionally. If the infected host was not exposed to the public Internet in any way, it is a good possibility that the entry point was a laptop or other mobile system on the inside, as discussed earlier. In this case, a cleaning/patching session followed by a quick checkup of the machine's general health is in order. However, if the machine is exposed directly to the public Internet and gets hit, you have very little recourse other than wiping/restoring unless you have unlimited time to take the system down for a complete forensic exam. I agree that this should be done when possible, but reality bites...most of the time.
--
Jonathan Rickman
X Corps Security
http://www.xcorps.net
This archive was generated by hypermail 2b30 : Thu Aug 14 2003 - 21:06:04 PDT