--- On May 10, 2011, Dobbins, Roland <[email protected]> escreveu: > On May 10, 2011, at 10:56 PM, Bruno > Cesar Moreira de Souza wrote: > > > If the compromised server is not behind a stateful > firewall, it will be easier to create a tunnel to access > unauthorised ports (such as database network services) and > attack other servers. > > > That's untrue if even the most basic BCPs for crafting and > enforcing network access policies have been followed. > Plus, the moment the httpd stops working, that should ring > alarm bells via even the most basic NMS/OSS monitoring.
How would you block an ACK tunnel using only a packet filter? (http://ntsecurity.nu/papers/acktunneling/) You don't need to stop the httpd service to create this kind of tunnel, as the packets from the attacker would just be ignored by the httpd service, but could be intercepted by the malicious code executed on the compromised server (using the same approach employed by network sniffers). > > > Even if the exploited vulnerability is fixed in a > short time, the attacker will still be able to easily > control the compromised server. > > Not if it's taken offline and scrubbed down to the bare > metal, as should be routine after a compromise. > This is true IF the compromise was detected. I'm talking about the common case when the compromise is not detected, but after some time the vulnerability is fixed (for example, through patching). If the attacker installed a backdoor in the compromised server, which uses a convert channel through your packet filter, then you may not detect the problem for a long time. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
