>> 1. If the infection isn't Admin or System-level, why
>> rebuild?

Apples and Oranges. We are talking here about Admin and System level, so that is what my recommendation is concerning. I guess maybe I am a little slow here. I am not aware of something that I would consider compromised that isn't, at least in part, at an admin or system level. Can you maybe give me an example of a compromise at a non-admin level and maybe I can go from there.

>> 2. If a blind, unqualified rebuild is done, what
>> happens?

Hopefully you lose your job, I guess. What idiot in his right mind would do or recommend a "blind, unqualified rebuild"? My point was in this case, you know that you were compromised and you know how and why. Research it to your heart's content, but when it is time to fix it, the only truly secure way is a rebuild. The people in this equation that are doing blind and unqualified things seem to be the ones that are blindly trusting the cleaners to get everything off their system.

>> If nothing is done to determine *how* the
>> incident occurred, then what happens?

Uh, I guess you ride the little bus to school tomorrow.

>> The system could be very quickly reinfected,
>> leading to an endless cycle of infections and
>> re-installs.

Riiiight, but running a cleaner prevents this? Uh, nope. But rebuilding and patching does.

>> Or worse, the subsequent incident could be far
>> deeper and far more stealthy.

But you would always have a cleaner to protect you.

JayW

>>> Harlan Carvey <keydet89at_private> 08/14/03 05:51PM >>>
Jay,

> Another example of why rebuilding is ALWAYS the most
> secure answer when
> a machine has been compromised. I have a feeling
> that many of you that
> are just blindly trusting these cleaners are going
> to find out that this
> isn't enough. My 2 cents. Rebuild.

Just a couple of thoughts...

1. If the infection isn't Admin or System-level, why rebuild?

2. If a blind, unqualified rebuild is done, what happens?
If nothing is done to determine *how* the incident occurred, then what happens? The system could be very quickly reinfected, leading to an endless cycle of infections and re-installs. Or worse, the subsequent incident could be far deeper and far more stealthy.

Harlan
This archive was generated by hypermail 2b30 : Fri Aug 15 2003 - 18:11:35 PDT