
Re: please read: very odd network traffic



>
>No offense intended, but this is some of the WORST advice I've heard on
>this list to date.
>
>If you fear you may have been compromised, by all means, and for the
>love of us all, unplug your network cable at once. If for no other
>reason than this: Your system could possibly be launching attacks at
>other systems unbeknownst to you, for which you can be held legally and
>financially accountable.
>
No offence taken.  It's worth thinking of a bigger picture.  The vast
majority of *nix boxes are servers.  They are production machines and you
simply cannot pull the cable out.  You need time to migrate the service
to a new machine.  I know in an ideal world you'd have backup servers
for each service but most of us tend to have one backup machine that
gets reconfigured when it needs to take the place of a production
machine.  This takes time. You do have time.  As long as the data is
intact and the services the machine is intended to provide are running,
your personal job security is way more important than protecting other
people's networks.

>Unplug it NOW, and start doing some digging to find out what's really
>
This works for desktop machines.  When you unplug a production machine,
the first thing you lose is time because you have the users, the users'
managers, your manager and the office teaboy banging on the machine room
door demanding that their accounts be restored, web pages put back
online or whatever.  Under those circumstances, opening that door means
you have a busy day on your hands and forget about computers!

>Running a script to repeatedly kill the process will only burn your CPU
>cycles; if indeed the process is "Respawning because it's a trojan" the
>reality of the situation is that other things on your system have been
>tampered with. If there's some recurring process (via cron or something)
>that restarts the app, a better (but still bad) idea would be to stop
>that cron job. IMO, the only acceptable course of action is to pull your
>cables and get down and dirty with some forensics.
>
It's important not to panic.  Take a deep breath.  Assume the worst, that
not just this machine but others are compromised.  In all probability,
it's a fellow employee from within the firewall that's done it.  Get your
data back and then reformat the machine.  You have no problem if your
machine stays up and infected while you are getting your data back.  It's
not your job to protect the Internet.  You will be fired if you lose data
or deprive your users of an important service.

The most important thing is to get the replacement right.  This can't
happen twice.  

And remember that a colleague is the most likely bad guy.  Changing
the combination of the keypad on the machine room door is the best form
of defence!


-- 

Patrick "sig free and jouful" Kirk

GSM: +44 7876 560 646
ICQ: 42219699


