[122950] in North American Network Operators' Group
RE: Security Guidance
From: "Joe" <jbfixurpc@gmail.com>
To: "'nanOG list'" <nanog@nanog.org>
Date: Tue, 23 Feb 2010 17:47:00 -0500
In-Reply-To: <C1332813-516D-45BC-B881-19F9359A3099@daork.net>
Just figured I might add a little direction to this.

1. If it's a production system that impacts several users/customers, your best bet would be to rebuild the system from scratch, not from an image. Yes, it takes time, but investigating it will likely take longer. As you previously mentioned, the folk(s) that were in charge of the system are no longer in that capacity, which (depending on their "craftiness") could have left an intentional (or not) exploit now plaguing you.

2. If you're intent on finding a root cause, you will probably need to spend quite a bit of time and caution investigating the said system. As soon as there's mention of a "rootkit" everything is suspect, i.e. ls might not be ls, df may not be df. Might be worth adding the volume to a known good system, mounting it, and comparing the image/structure and said files. But of course, as I mentioned above, if it's a critical system then you're kind of stuck with an aggressive timeline so...

Obviously an IDP will mask the issue, but won't fix it.

Good luck
-Joe Blanchard
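The comparison Joe describes in point 2, as an added worked example that is not part of his post: the suspect volume is mounted read-only on a known-good host and walked with that host's own tools, and every regular file is hashed and compared against a trusted baseline tree (assumed here to be a fresh install of the same release, or a manifest taken from one). The directory layouts, file contents and the names bin/ls, bin/df, etc/hosts and lib/extra.so below are constructed placeholders for the demonstration, not real binaries or data from the original thread.

```python
"""Added example: compare a suspect volume (mounted read-only on a known-good
host) against a trusted baseline, file by file.  Not from the original post;
the trees it builds are constructed placeholders."""
import hashlib
import stat
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Hash a file in chunks so large binaries never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to
    (sha256, permission bits, size).  Symlinks are skipped so a planted link
    cannot point the walk at something outside the mounted volume."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.lstat()
        manifest[path.relative_to(root).as_posix()] = (
            sha256_file(path), stat.S_IMODE(st.st_mode), st.st_size)
    return manifest


def compare_manifests(trusted: dict, suspect: dict) -> dict:
    """Classify every path: content changed, permission bits changed (e.g. a
    setuid bit that the baseline lacks), present in the baseline but gone, or
    present only on the suspect volume."""
    findings = {"modified": [], "mode_changed": [], "missing": [], "unexpected": []}
    for rel, (digest, mode, _size) in trusted.items():
        if rel not in suspect:
            findings["missing"].append(rel)
        elif suspect[rel][0] != digest:
            findings["modified"].append(rel)
        elif suspect[rel][1] != mode:
            findings["mode_changed"].append(rel)
    findings["unexpected"] = sorted(set(suspect) - set(trusted))
    return findings


def _populate(root: Path, files: dict) -> None:
    """Write the constructed sample tree: {relative path: (bytes, mode)}."""
    for rel, (content, mode) in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
        target.chmod(mode)


def demo() -> dict:
    """Build a constructed trusted tree and a constructed suspect tree in
    temporary directories and compare them.  Contents are placeholders."""
    trusted_files = {
        "bin/ls": (b"trusted ls placeholder", 0o755),
        "bin/df": (b"trusted df placeholder", 0o755),
        "etc/hosts": (b"127.0.0.1 localhost\n", 0o644),
    }
    suspect_files = {
        "bin/ls": (b"replaced ls placeholder", 0o755),          # content differs
        "bin/df": (b"trusted df placeholder", 0o4755),          # setuid bit added
        "lib/extra.so": (b"unknown library placeholder", 0o644), # not in baseline
        # etc/hosts is deliberately absent from the suspect tree
    }
    with tempfile.TemporaryDirectory() as trusted_dir, \
            tempfile.TemporaryDirectory() as suspect_dir:
        _populate(Path(trusted_dir), trusted_files)
        _populate(Path(suspect_dir), suspect_files)
        return compare_manifests(build_manifest(Path(trusted_dir)),
                                 build_manifest(Path(suspect_dir)))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

In practice the suspect disk is attached to the clean host and mounted with ro,noexec,nosuid,nodev before build_manifest is pointed at the mount point, and the script itself runs from the clean host's own Python and libraries, which is the whole reason for not trusting ls or df on the compromised box. Anything reported under "modified" or "mode_changed" for a system binary, and anything "unexpected" under a library or module path, is where the manual examination should start.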