Date: Sat, 17 Mar 2001 02:06:06 -0500
From: Hank Leininger <freebsd-security@progressive-comp.com>
To: freebsd-security@FreeBSD.ORG
Subject: Re: What's vunerable?
Message-ID: <200103170706.CAA08229@mailer.progressive-comp.com>

On 2001-03-16, Kris Kennaway <kris@obsecurity.org> wrote:

> Always be careful trusting the results of automated scanners, because
> they can never contain a database of ALL known vulnerabilities, so
> your system may have other problems than what's noted there. It may
> be useful as a backup to make sure you haven't missed anything,
> though.

[ I know Kris knows this, just pointing it out... ]

s/known//;

In particular, as other people have pointed out, if you have any reason
to think a box *might* have been compromised, it's not worth your time
(if your goal is to get on with life) to do anything but assume it *has*
been compromised, and start over. There are too many creative ways that
an attacker could have trojan'ed the box once they had free rein for
you to ever[*] be sure you've been thorough enough in checking the box
out. Once a box falls out of a known-good state, it can't really be put
back without starting over, or taking a big chance...

[*] A thorough forensic analysis could tell you that the box definitely
has been, or probably has not been, compromised. The level of certainty
that it hasn't been that you can achieve is directly proportional to how
much time (or money) you have to spend on the investigation. Sounds like
you have little of either, and don't feel like becoming a forensic
expert for the hell of it, so I'd suggest not trying to "prove" to
yourself or anyone else that the box(es) are safe, and just replace
them/do the rolling rebuilds as have been suggested here.

Don't forget to take advantage of this opportunity to remind management
how much time and money, in the long run, a proactive approach can
save. :-P

--
Hank Leininger <hlein@progressive-comp.com>

I say we take off, nuke the site from orbit. Only way to be sure.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message