hi ya

i think that if you leave the attacked box alone..
you have an easier time catching the attacker...
        - assuming that is the goal... as it would be
        for some of our customers ... catch 'em red-handed..

if you do rebuild the server...and do it from
backup and/or cdrom... you still have the original
exploit installed ... so one has to do things differently
the second time around or else suffer the same exploit
again ...and they do come back again later to check whether
you plugged the hole or not..

running tripwire and other ids are good and bad...
- bad because it's too late...they got in
- bad to use tripwire..because you don't have the original
  version ... tripwire tells you the binary has been tampered with

- tripwire will flag more false "possible attacks" than 
  it does in catching the hacker in the act

- good because you MIGHT find them but probably not...
        - tripwire typically runs once a day...
        - it only takes say 5 minutes to get into the 
        server and hide yourself..

- to do forensics...you should use known to be good clean
  binaries.... NOT the binaries on the hacked box

different ways for different folks to proceed
before, during and after the attempts and successful hacks

security is a risk and how much time and energy and resources
and competency you have...vs the attackers... hopefully
one can stay one step ahead ???

c ya
alvin


On Fri, 25 May 2001, patrick kerry wrote:

> Any network person whose systems were compromised in
> the last round of these attacks IS lucky!!  Lucky they
> have jobs at all, the security patches for this
> vulnerability had been out forever - tisk-tisk to
> anyone irresponsible enough to overlook the obvious.
> 
> Also, if your system was compromised and you don't
> rebuild the box in question - I wish you luck!!:(
> 

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
