Re: please read: very odd network traffic

[P Kirk <patrick@enterprise-hr.com>]

On  0, Allen Wayne Best <best@atoka-software.com> wrote:
>On Wednesday 08 August 2001 01:53, P Kirk pronounced:
>> >
>> >No offense intended, but this is some of the WORST advice I've heard on
>> >this list to date.
>> >
>> >If you fear you may have been compromised, by all means, and for the
>> >love of us all, unplug your network cable at once. If for no other
>> >reason than this: Your system could possibly be launching attacks at
>> >other systems unbeknownst to you, for which you can be held legally and
>> >financially accountable.
>> >
>> No offence taken.  Its worth thinking of a bigger picture.  The vast
>> majority of *nix boxes are servers.  They are production machines and you
>> simply cannot pull the cable out.  You need time to migrate the service
>> to a new machine.  I know in an ideal world you'd have backup servers
>> for each service but most of us tend to have one backup machine that
>> gets reconfigured when it needs to take the place of a production
>> machine.  This takes time. You do have time.  As long as the data is
>> intact and the services the machine is intended to provide are running,
>> your personal job security is way more important than protecting other
>> peoples networks.
>> 
>> >Unplug it NOW, and start doing some digging to find out what's really
>
>UNPLUG IT NOW! that is still the most important advice. and this is even more 
>important in a production environment. the last thing you want is to have a 
>server, no matter how important, spreading viruses. the job security 
>questions are more likely going to be who allowed it to happen in first place 
>and why wasn't it taken out of the networked!
>
>my $.02 worth.
>
Actually the last thing you want is lost data. So recover your data now.
Then list what the machine does and build the replacement.  Ideally this
should be as simple as turning on some daemons and restoring data onto
the new machine.  It may take some time.  But do that first because its
very hard to do when the users are pounding on your door.  And users do
pound on the door when a server goes offline.  Put the replacement in
place, take your machine down and then your can do as you please.

When it happened with the BSD box, it was a mail server for an ISP.  The
IT guys did want to pull the plug but since it was clearly one of them
had done it, we sent them home, had the IT manager build a replacement
and migrate the mail over.  It took 2 days mainly because we had to buy
kit. The kill scripts meant that only smtp and pop were available.

I really don't see how pulling a few thousand email accounts and having
the owners charging in demanding action would have helped.  IT is about
data and services.  Crackers and viruses are a nuisance.  Preventing
them is good housekeeping.  But its not your job...your job is to keep
data safe and services available.

As for job security, we fired 2 IT guys, changed the passwords and door
combinations and i got a pay rise out of it :-)


capacity in the