Gary Flynn points out that the CERT advisory mentions unconfirmed reports of
attack variants. Actually, the advisory says,

        "We are receiving reports of other activity, including one report of files
being destroyed on the compromised Windows machine, rendering [it]
unbootable. It is unclear at this time if this activity is directly related
to this worm."

That advisory is now a couple of weeks old and it looks like the report is
still unconfirmed.

Beth, if you know that the back doors you found on two of your 25 affected
systems were not (1) already there, or (2) installed by someone else after
the list of approximately 8000 targeted IP addresses was published at
attrition.org, then you should notify CERT.

My original thought was that if you know the state of a machine and you know
the exact nature of the attack(s) which compromised it, you do *not* always
need to reformat and reinstall. Lots of people keep saying, "Yeah, but what
if? What if somebody else broke in afterwards? What if there are different
versions of the attack? What if someone is using the original attack for a
cover?" And so on. The answer to all of those questions is the same. In
those cases, you obviously do not know the exact nature of the attack, hence
you cannot rely on attempts to simply reverse its effects. You have to start
fresh.

At least for the moment, I maintain that the attack in question was
completely automated and essentially harmless. It did not install back door
programs. Therefore, each system admin should consider the likelihood that
his or her machine has been compromised in *additional* ways (and the
potential impact if it has) against the time and effort required to rebuild
the server.

So I stand at least partially corrected. I should not have advised Nontakorn
Roongphornchai to eschew reformatting his hard drive without qualifying
myself thusly: If you think your server may have suffered effects beyond the
ones analysts associate with the "fuck USA" attack, or you simply cannot
afford to take the chance, then by all means, rebuild from scratch.
Although, in the latter case, I have to wonder why 7-month-old security
patches were not already applied.

--Eric

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Young, Beth A.
Sent: Friday, May 25, 2001 10:58 AM
To: [EMAIL PROTECTED]
Subject: RE: f**k USA government f**k poizonbox


From personal experience here:

We had about 25 machines around the state defaced.  2 of those machines had
backdoor programs installed.  All the defacements looked the same so don't
assume anything.

Beth

-----Original Message-----
From: Eric Robinson [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 25, 2001 12:09 PM
To: Elizabeth Zwicky; Jose Nazario
Cc: [EMAIL PROTECTED]
Subject: RE: f**k USA government f**k poizonbox


Have you checked around to see what analysts in various places have said
about the true nature of the attack? Have there been reports of different
versions of the attack that do more than I stated?

Eric Robinson
Network Architect
edurus, Inc.
www.edurus.com

-----Original Message-----
From: Elizabeth Zwicky [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 25, 2001 10:05 AM
To: 'Eric Robinson'; Jose Nazario
Cc: [EMAIL PROTECTED]
Subject: RE: f**k USA government f**k poizonbox



> There comes a point at which you have to ask yourself, "Was I
> just one of
> several thousand identical victims, or did some hacker want
> to get into my
> particular web server so badly that he timed his attack to
> coincide with a
> larger world-wide event as a cover?"

Or, of course, you could ask yourself "Hey, since I know that
more than one person ran these attacks, is it possible that
different people used slightly different variations of
the attack, some of which left behind back doors?"
You could answer this question "No, no hacker would ever
take advantage of a political protest to hide back doors
on machines, and every single attack in these thousands
is from exactly the same software" but on the whole, I'd
have to regard that as a strange thing to believe.

        Elizabeth Zwicky
        [EMAIL PROTECTED]

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]