I agree completely. There is no limit to what you can do if you want to be
evil. But this attack was a completely automated political statement that
targeted thousands of servers in exactly the same manner, performing exactly
the same operations on each one.
There comes a point at which you have to ask yourself, "Was I just one of
several thousand identical victims, or did some hacker want to get into my
particular web server so badly that he timed his attack to coincide with a
larger world-wide event as a cover?"
Occam's Razor, dude. All things being equal, the simplest answer is the
correct one. Still, I suppose that in some cases you can't afford to allow
the latter possibility.
Eric Robinson
Network Architect
edurus, Inc.
www.edurus.com
-----Original Message-----
From: Jose Nazario [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 25, 2001 9:39 AM
To: Eric Robinson
Cc: [EMAIL PROTECTED]
Subject: RE: f**k USA government f**k poizonbox
On Fri, 25 May 2001, Eric Robinson wrote:
> Members of this list who suggest that you should reformat and
> reinstall after a hacking incident are only partially correct.
> Starting with a clean slate is the only way to be sure you have
> eliminated your problem if you don't already know the exact nature of
> the attack. In this case, we do. :-)
no, you don't.
if i really wanted to screw with you, i'd make all outward signs look like
something else relatively benign (deface the webpage in the same fashion),
but install some backdoors. as long as i was running around racking up
boxes with a known exploit, i may as well have some fun with it as well.
unless you have a host based integrity monitoring system, ie Tripwire,
don't make any assumptions based on what you have observed using a
compromised system.
____________________________
jose nazario [EMAIL PROTECTED]
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)
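
The host-based integrity check mentioned in the message above, as an added example that is not part of the original thread and is not Tripwire's code: it compares a file baseline taken before an incident with the current state, so changes beyond the visible defacement show up. The web root, file names and simulated changes are constructed; the sketch assumes the baseline is stored off the host and the comparison is run from trusted media.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(root):
    """Map each regular file under root to (sha256, size, mode)."""
    snap = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices, sockets
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            snap[rel] = (digest, st.st_size, st.st_mode)
    return snap

def compare(baseline, current):
    """Return (added, removed, modified) path lists, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return added, removed, modified

def write(root, rel, data):
    with open(os.path.join(root, rel), "wb") as fh:
        fh.write(data)

def demo():
    """Constructed web root: baseline it, change it, then compare."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "scripts"))
        write(root, "index.html", b"<h1>welcome</h1>\n")
        write(root, "scripts/search.cgi", b"#!/bin/sh\necho ok\n")
        baseline = snapshot(root)  # assumption: kept off-host, read-only
        # The change everyone sees: the front page is replaced.
        write(root, "index.html", b"<h1>defaced</h1>\n")
        # Changes nobody sees from a browser: a same-size edit and a new file.
        write(root, "scripts/search.cgi", b"#!/bin/sh\necho 0k\n")
        write(root, "scripts/new.cgi", b"#!/bin/sh\n")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for label, paths in zip(("added", "removed", "modified"), demo()):
        print(label, paths)
```

The same-size edit to `scripts/search.cgi` is reported only because content hashes are compared, not sizes or timestamps.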