At 10:02 AM 5/25/01 -0700, Eric Robinson wrote:
>To prove my point, I just hacked www.cwru.edu and installed a really
>nasty exe-redirected, polymorphic ACK-tunnel-style Trojan running
>invisibly with

This was a silly, unprofessional thing to post to the list and you
should publicly apologize.


There are clearly two schools of thought:  On one hand only you seem
to be advocating a limited patch-and-trust approach.  Anyone
comfortable with your assumption that "stock" sadmind/IIS is at fault
can certainly take your advice to heart and sleep well.  Good luck.

OTOH, given the possibility that any system exploited by this attack
could have been attacked by a variant, or, because it uses known
vulnerabilities, that other, non-automated attackers may have
exploited the system, the other school recommends a re-install from
known-trusted media.  Some folks think that CERT provides good
advice, and the document at:
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html#E.1
would seem to put them in the re-install camp.

(I would welcome a response with a link to a source with CERT's
standing that the patch-and-trust method is the way to go.)

Somewhere in between may fall those who could trust a detailed
examination of the system for attack tracks followed by the
patch-and-trust method.  Absent a trustworthy Tripwire run where the
integrity of the data is unimpeachable, I challenge whether anyone
can really trust the system without a re-install.

Of course YMMV and any admin has to make his/her own risk decisions.


-- 
Regards,

David Kennedy CISSP
Director of Research Services, TruSecure Corp. http://www.trusecure.com
Protect what you connect.
Look both ways before crossing the Net.
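The Tripwire-style integrity check the post hinges on, as an added example that is not part of the original message: a baseline of file digests is sealed with an HMAC whose key is held off the host, so a later run can tell added, removed and altered files apart and will also refuse a baseline that was rewritten on the host. All paths, file contents and the key are constructed for the demo.

```python
import hashlib, hmac, json, os, tempfile

def hash_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_baseline(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline

def seal(baseline, key):
    """Bind an HMAC to the serialised baseline. Keep the key off the checked host;
    otherwise an intruder can simply rewrite the baseline to match his changes."""
    body = json.dumps(baseline, sort_keys=True)
    return {"body": body, "mac": hmac.new(key, body.encode(), "sha256").hexdigest()}

def open_sealed(sealed, key):
    """Return the baseline only if its HMAC verifies, else None."""
    mac = hmac.new(key, sealed["body"].encode(), "sha256").hexdigest()
    return json.loads(sealed["body"]) if hmac.compare_digest(mac, sealed["mac"]) else None

def compare(baseline, current):
    """Tripwire-style report: paths added, removed or changed since the baseline."""
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p])}

def write(root, rel, data):
    os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
    with open(os.path.join(root, rel), "wb") as f:
        f.write(data)

def demo():
    """Constructed scenario: baseline a tiny tree, then alter one file, drop one new
    file, and forge the on-host copy of the baseline; returns what a later run sees."""
    key = b"constructed-key-held-offline"
    with tempfile.TemporaryDirectory() as root:
        write(root, "bin/login", b"login v1")
        write(root, "etc/passwd", b"root:x:0:0")
        sealed = seal(build_baseline(root), key)
        write(root, "bin/login", b"login v1 + trojan")   # constructed tampering
        write(root, "bin/.hidden", b"dropped file")       # constructed new file
        report = compare(open_sealed(sealed, key), build_baseline(root))
        forged = dict(sealed, body=sealed["body"].replace("login", "logon"))
        return {"report": report, "tamper_detected": open_sealed(forged, key) is None}
```

The report is only as trustworthy as the baseline it is compared against, which is the post's point: a baseline taken after the compromise, or one the intruder could edit, proves nothing.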
