I have to apologize, as I didn't see the original post in my inbox...could someone forward it to me?
> > Now one can't trust somewhat 50% of all Microsoft Computers.
>
> you trusted that many before? :)
>
> Honestly though, it isn't a total writeoff.
>
> Your data may well have been compromised - so you need to run a validation
> exercise after copying to a clean system but before even starting a
> webserver (or anything that could execute binaries in your dataset) -
>
> * Validate and sanity check database-data - particularly any user/access
> lists, and change passwords on any admin accounts.
>
> * Validate and sanity check static html pages
>
> * Recompile or upload from trusted sources any binaries - they can't be
> trusted - and validate / sanity check any scripts
>
> * Ideally, if you have a DEV system that wasn't compromised (many
> organizations do) upload known-clean copies - just be sure you didn't
> backport any scripts or html pages from the "live" server, nonsensical
> though that might sound.
>
> I am not going to say getting back to a 100% trustworthy system is going
> to be possible in a short term, but you should be able to have 99%
> confidence in your datasets and site pages within a week. Isn't going to
> be cheap (in man hours, but that translates to money in various ways)
> either.
>
> For the future, consider a bit of diversity and a decent (DMZing)
> firewall; if your boxes don't *have* exposed ports other than 80, they can
> only be compromised by an attack on that port, not (say) 445.
>
> Diversity doesn't mean dumping Windows if you are wed to the platform (ie,
> have an existing large investment in it) - but consider Apache and PHP
> rather than IIS and VBScript; they run just fine on windows, will scale
> with the company (so you can upgrade to non-windows hardware in the future
> if you need to) and are more common than IIS anyhow.
>
> A decent firewall doesn't have to be expensive - for entry level, you can
> use a legacy PC with three network cards (inside, outside, DMZ) and a
> floppy (no hard) drive, then boot the fw with a LEAF linux such as
> Bering - from write protected floppy disks (and get VPN support and a DNS
> server thrown in for free :)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
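
An added example, not part of the original message or thread: one way to run the comparison the quoted reply describes, hashing a known-clean DEV copy against the files restored from the compromised server before any web server is started. The `ACTIVE_EXT` list, the function names and the two small trees built in `demo()` are constructed assumptions.

```python
import hashlib
import os
import tempfile

# Extensions treated as executable content (an assumption for this example).
ACTIVE_EXT = {".php", ".asp", ".vbs", ".js", ".cgi", ".pl", ".exe", ".dll"}

def manifest(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare(clean_root, suspect_root):
    """Classify files in the suspect tree against the known-clean tree."""
    clean, suspect = manifest(clean_root), manifest(suspect_root)
    report = {"modified": [], "only_in_suspect": [], "missing": [], "active": []}
    for rel in sorted(suspect):
        if rel not in clean:
            report["only_in_suspect"].append(rel)  # e.g. never existed on DEV
        elif suspect[rel] != clean[rel]:
            report["modified"].append(rel)
        else:
            continue  # byte-identical to the known-clean copy
        if os.path.splitext(rel)[1].lower() in ACTIVE_EXT:
            report["active"].append(rel)  # review before anything executes it
    report["missing"] = sorted(set(clean) - set(suspect))
    return report

def demo():
    """Build two small constructed trees (DEV and restored live) and compare."""
    dev_files = {"index.html": "<h1>hi</h1>", "login.php": "<?php a(); ?>", "about.html": "about"}
    live_files = {"index.html": "<h1>hi</h1>", "login.php": "<?php a(); b(); ?>", "x/up.php": "<?php ?>"}
    with tempfile.TemporaryDirectory() as dev, tempfile.TemporaryDirectory() as live:
        for root, files in ((dev, dev_files), (live, live_files)):
            for rel, body in files.items():
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "w") as fh:
                    fh.write(body)
        return compare(dev, live)

if __name__ == "__main__":
    print(demo())
```

A matching hash only shows a file equals the DEV copy, so the result is as trustworthy as the DEV tree itself, including anything backported to it from the live server.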
