
Re: Re: Is my system compromised



hi ya

On Sun, 5 Feb 2006 grey@dmiyu.org wrote:

> > ... and spend
> > another week or month to harden and verify all the configs
> > and user info ( i say, if you're "doing it right", it will take you
> > about 3 days to a week to harden the new box and verify it )
> 
>     Personally I spend about 2-3 minutes doing this.  It's called regular
> backups of /etc and other key locations of configuration data.  Pull a
> copy prior to the compromise.

obviously i can spend the same 2-3 minutes doing exactly that too,
but you're missing the point that one can spend a week to harden the
server and verify that it's been hardened ...  the more paranoid you
are, the more time will be required to harden the server...

how much time you spend to protect data and systems is a matter
of choice: do what's normal vs do more than the average bear

>     Backup data areas, not areas in the path?  Just a thought.

not always reality ... and there are dozens of problems since
users themselves create scripts and that is usually the problem,
vs a well-defined security policy for the system before users
fiddle with it
 
> > the trick is that you know how to verify the binaries, the libraries
> > and the directory tree ... and can find what is NOT supposed to be there
> 
>     Which is extremely hard to do on a compromised system where the basic
> tools you rely on to detect such things have been modified to hide the
> very things you're looking for.

that depends on whether you're silly enough to use the binaries on the
cracked box or not, and/or whether you can legitimately verify it
in the dozen different ways of doing the forensics
	- once you power off, you're dead ... in that you'll
	never find the good pieces of cracker info still in memory

c ya
alvin
