-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> 1. If the infection isn't Admin or System-level, why
> rebuild?

In this case, the exploit takes place at the system level, but it
usually all depends on the attack vector used and the nature of the
attack itself.

> 2. If a blind, unqualified rebuild is done, what
> happens? If nothing is done to determine *how* the
> incident occurred, then what happens? The system
> could be very quickly reinfected, leading to an
> endless cycle of infections and re-installs. Or
> worse, the subsequent incident could be far deeper and
> far more stealthy.

Good point; my only comment here is how? I have a large staff of
desktop support personnel who are very good at reimaging machines. As
far as I know, I am the only person in my company trained in computer
forensics. It would be hard to go beyond a blind, unqualified rebuild
without taking a detailed look at each individual box (when you start
thinking about the number of things that could be dropped on a
compromised system).

In general, it should be assumed that once a system has been
compromised at the admin/system level (as you have stated), the box is
pretty much toast.

Thank you for your time and attention,

========================
Brad Bemis
Information Security Services
Airborne Express
(206) 830-3478
========================

Email Notice: This communication may contain sensitive information. If
you are not the intended recipient, or believe that you have received
this communication in error, do not print, copy, retransmit,
disseminate, or otherwise use the information contained herein for any
purpose. Please alert the sender that you have received this message in
error, and delete the copy that you received.

> Harlan

-----BEGIN PGP SIGNATURE-----

iQA/AwUBPzxuvpDnOfS48mrdEQIW9ACdGSKgjAZ1dfoZR7j9rqqHlZiF4n8AoLgq
zz65bln1FFOGnPaF5cGjhkSz
=b17A
-----END PGP SIGNATURE-----

---------------------------------------------------------------------------
Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
- Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
- Automatically Control P2P, IM and Spam Traffic
- Ensure Reliable Performance of Mission Critical Applications
- Precisely Define and Implement Network Security and Performance Policies
**FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
Visit us at:
http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814
----------------------------------------------------------------------------
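The exchange above turns on a practical gap: a team with many reimaging hands and one forensic analyst still needs to answer the "how did it happen" question before the rebuild destroys the evidence. As an added example, not code from either poster or from the list, here is a small Python triage script that desktop support could run on a suspect box immediately before reimaging; the analyst then diffs the saved snapshot against a snapshot of the same golden image taken on a clean machine, so that whatever the intruder dropped (autoruns, extra listeners) stands out without a full examination of every box. The command set, file names and the sample entries below are assumptions and constructed data, not anything reported in the thread.

```python
"""Pre-reimage triage snapshot (added example, not from the original thread).

Assumption: support staff run this on the suspect host before reimaging and
hand the resulting JSON to the analyst. The baseline file is a hypothetical
snapshot of the same golden image taken on a clean machine; lines present
only on the suspect host are candidates for what the intruder dropped.
"""
import hashlib
import json
import platform
import subprocess
import sys
import time


def run(cmd):
    """Run a command and return its non-empty stdout lines ([] on failure)."""
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=60)
    except (OSError, subprocess.TimeoutExpired):
        return []
    return [ln.rstrip() for ln in out.stdout.splitlines() if ln.strip()]


def collect_snapshot():
    """Capture volatile state that a rebuild would destroy.

    The Windows command set is an assumption for a desktop fleet; POSIX
    equivalents are used elsewhere. Output is kept raw so the analyst sees
    exactly what the tools reported on the box.
    """
    if platform.system() == "Windows":
        listeners = run(["netstat", "-ano"])
        processes = run(["tasklist", "/v"])
        autoruns = run(["reg", "query",
                        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"])
        autoruns += run(["schtasks", "/query", "/fo", "LIST"])
    else:
        listeners = run(["ss", "-tulpn"]) or run(["netstat", "-tulpn"])
        processes = run(["ps", "-eo", "pid,ppid,user,comm,args"])
        autoruns = run(["crontab", "-l"]) + run(["ls", "-la", "/etc/cron.d"])
    return {
        "host": platform.node(),
        "taken_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "listeners": listeners,
        "processes": processes,
        "autoruns": autoruns,
    }


def diff_against_baseline(snapshot, baseline):
    """Return lines present on the suspect host but absent from the clean image.

    Only autoruns and listeners are diffed: process lists carry PIDs and
    timing noise, so they are preserved raw for the analyst but not compared.
    Exact-line matching is deliberate so a renamed or relocated binary shows
    up rather than being normalised away.
    """
    return {c: sorted(set(snapshot.get(c, [])) - set(baseline.get(c, [])))
            for c in ("autoruns", "listeners")}


def seal(snapshot):
    """Serialise deterministically and return (json_text, sha256 hex digest),
    so the analyst can later show the file was not altered after collection."""
    text = json.dumps(snapshot, sort_keys=True, indent=1)
    return text, hashlib.sha256(text.encode()).hexdigest()


# Constructed sample data (not from any real host): the suspect box shows one
# autorun entry and one listening port that the clean image does not have.
SAMPLE_BASELINE = {
    "autoruns": ["Updater    REG_SZ    C:\\Program Files\\Vendor\\updater.exe"],
    "listeners": ["TCP 0.0.0.0:135 LISTENING", "TCP 0.0.0.0:445 LISTENING"],
}
SAMPLE_SUSPECT = {
    "autoruns": ["Updater    REG_SZ    C:\\Program Files\\Vendor\\updater.exe",
                 "svch0st    REG_SZ    C:\\WINDOWS\\Temp\\svch0st.exe"],
    "listeners": ["TCP 0.0.0.0:135 LISTENING", "TCP 0.0.0.0:445 LISTENING",
                  "TCP 0.0.0.0:31337 LISTENING"],
}


if __name__ == "__main__":
    snap = collect_snapshot()
    text, digest = seal(snap)
    out = f"triage-{snap['host']}.json"
    with open(out, "w") as fh:
        fh.write(text)
    print(f"wrote {out} sha256={digest}")
    if len(sys.argv) > 1:  # optional argument: path to a golden-image baseline
        with open(sys.argv[1]) as fh:
            for cat, extra in diff_against_baseline(snap, json.load(fh)).items():
                for line in extra:
                    print(f"NOT IN BASELINE [{cat}] {line}")
```

Run once on a freshly imaged clean machine to produce the baseline, then on each suspect box with the baseline path as the argument. The recorded SHA-256 lets the analyst verify the bundle was not modified between collection by support staff and review, and the exact-line diff is intentionally noisy in the direction of false positives: a reviewer can dismiss a legitimate difference in seconds, but a normalised comparison could hide the one entry that explains the reinfection cycle.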
This archive was generated by hypermail 2b30 : Thu Aug 14 2003 - 22:54:24 PDT