hi ya

i think you only need to analyze one system...the one that was
broken into...

fix it in whatever way you can to get up and running and watch
it carefully...

if that fix seems to work...propagate that patch to the other 8999
machines to prevent those from being hacked

- hopefully updates are automated....
        - fix one... and you've fixed all of umm...

        - if you have 4 different distros...
        then fix 4...and you've fixed um all

        - running and testing on a test farm is a good thing to do
        ( but it's always a time vs $$$ issue... )

c ya
alvin

On Fri, 25 May 2001, Eric Robinson wrote:

> In an ideal world, I suppose we would have time to conduct an "exhaustive
> forensic analysis" of each of the 9000+ affected systems.
> 
> I wonder:
> 
>  - Do you look under your car, under its hood, under its seats and in its
> trunk before getting into it each time?
>  - Do you personally wash your doctor or dentist's hands before he or she
> works on you?
>  - Do you receive vaccines, despite the clear warning that a percentage of
> recipients experience adverse side effects including death?
>  - Do you give them to your kids?
>  - Do you take your kids with you wherever you go--to work, to the gym, out
> on a date? Do you teach them yourself?
>  - Do you live in a city known for crime, earthquakes, high stress, disease
> or dangerous weather?
> 
> Compared to having your web site hacked, how many of life's issues have far
> greater consequences if handled incorrectly? Yet most of us face them with
> calm nonchalance. Why?
> 
> Instinct.
> 
> The owner of a business here in Carson City had his web server defaced with
> the "fuck USA" message on the same day that 8000 other sites were also
> defaced. Instinct (and a non-exhaustive forensic analysis) said that this
> client's server was not individually targeted, but rather was part of the
> general automated attack.
> 
> We plugged the hole and moved on. Twenty days later, still no apparent
> problem or strange activity on the server. No exhaustive analysis performed.
> No hard drive reformatted. No time wasted.
> 
> Thankfully, common sense ruled the day and I didn't try to sell the client
> on whatever would have qualified as a "good move."
> 
> --Eric
> 
> 
> 
> 
> -----Original Message-----
> From: Devin L. Ganger [mailto:[EMAIL PROTECTED]]
> Sent: Friday, May 25, 2001 1:41 PM
> To: Eric Robinson
> Cc: [EMAIL PROTECTED]
> Subject: Re: f**k USA government f**k poizonbox
> 
> 
> On Fri, May 25, 2001 at 09:24:00AM -0700, Eric Robinson wrote:
> 
> > Members of this list who suggest that you should reformat and reinstall
> > after a hacking incident are only partially correct. Starting with a clean
> > slate is the only way to be sure you have eliminated your problem if you
> > don't already know the exact nature of the attack. In this case, we do.
> :-)
> 
> No, you don't, until you've run the exhaustive forensic analysis.  Until
> then, you're guessing.  Encouraging people to break one of the foremost
> rules of computer security is just plain bad advice.
> 
> If you are diagnosing based on symptoms, then you are putting yourself
> at the mercy of the attackers.  You are gambling on their complacency.
> 
> Bad move.
> 
> --
> Devin L. Ganger <[EMAIL PROTECTED]>
> find / -name *base* -exec chown us:us {} \;
> su -c someone 'export UP_US=thebomb'
> for f in great justice ; do sed -e 's/zig//g' < $f ; done
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 
