[154193] in North American Network Operators' Group


Re: DNS poisoning at Google?

daemon@ATHENA.MIT.EDU (AP NANOG)
Wed Jun 27 11:06:35 2012

Date: Wed, 27 Jun 2012 11:05:07 -0400
From: AP NANOG <nanog@armoredpackets.com>
To: nanog@nanog.org
In-Reply-To: <83A6778F-CFB7-4781-8B29-1CA6ECA8938B@oitc.com>
Reply-To: nanog@armoredpackets.com
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

This may not help Matt now, but I just came across this today and 
believe it may help others who have to deal with incidents:

http://cert.societegenerale.com/en/publications.html --> "IRM (Incident 
Response Methodologies)"

If you changed the file contents before noting the created date, 
modified date, etc. then begin looking at your backups.  This date will 
then help you track down the log entries and finally lead you to the 
root cause.

Also, if possible, please post the culprit code that caused this, 
exif'ing the sensitive data of course :-)

-- 

Thank you,

Robert Miller
http://www.armoredpackets.com

Twitter: @arch3angel

On 6/27/12 7:50 AM, TR Shaw wrote:
> On Jun 27, 2012, at 3:36 AM, Michael J Wise wrote:
>
>> On Jun 27, 2012, at 12:06 AM, Matthew Black wrote:
>>
>>> We found the aberrant .htaccess file and have removed it. What a mess!
>>
>> Trusting you carefully noted the date/time stamp before removing it, as that's an important bit of forensics.
> And don't forget there is a trail on that file on your backups.
>
> Tom
>
>
>

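The thread's advice boils down to a short procedure: capture the file's timestamps and a hash before you touch it, keep a copy, and then use the modification time to narrow the log search and the backup search. The script below is an added illustration of that procedure and is not code from this thread or from the IRM documents linked above; the function names (record_file_metadata, quarantine, log_entries_near, demo), the quarantine layout, and the sample common-log lines (RFC 5737 documentation addresses) are all constructed for the example.

```python
import hashlib
import json
import os
import re
import shutil
import tempfile
from datetime import datetime, timedelta, timezone


def _iso_utc(epoch):
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()


def record_file_metadata(path):
    """Capture what a responder needs BEFORE the file is edited or removed.

    stat() is taken first because reading the content for the hash can update
    atime on some filesystems. ctime is the inode-change time on POSIX and is
    not preserved by any copy, so this record is the only place it survives."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {
        "path": os.path.abspath(path),
        "size": st.st_size,
        "mode": oct(st.st_mode & 0o7777),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "mtime": _iso_utc(st.st_mtime),  # content last written
        "ctime": _iso_utc(st.st_ctime),  # perms/owner/rename changed
        "atime": _iso_utc(st.st_atime),
        "sha256": digest.hexdigest(),
    }


def quarantine(path, quarantine_dir):
    """Record metadata, copy the file (copy2 keeps mtime/atime/mode but not
    ctime), write the JSON record beside the copy, then remove the original."""
    record = record_file_metadata(path)
    os.makedirs(quarantine_dir, exist_ok=True)
    dest = os.path.join(quarantine_dir,
                        os.path.basename(path) + "." + record["sha256"][:12])
    shutil.copy2(path, dest)
    with open(dest + ".json", "w") as fh:
        json.dump(record, fh, indent=2)
    os.remove(path)
    return record, dest


# Timestamp field of Apache/nginx common log format, e.g. [27/Jun/2012:02:05:00 -0400]
LOG_TS = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) ([+-]\d{4})\]")


def log_entries_near(log_lines, iso_timestamp, window_minutes=30):
    """Return log lines whose timestamp lies within +/- window of the recorded
    mtime; timezone offsets in the log are honoured, so the comparison is in UTC."""
    centre = datetime.fromisoformat(iso_timestamp)
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in log_lines:
        m = LOG_TS.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%d/%b/%Y:%H:%M:%S %z")
        if abs(ts - centre) <= window:
            hits.append(line)
    return hits


# Constructed sample: a planted .htaccess with a known mtime and three log lines.
SAMPLE_LOG = [
    '198.51.100.7 - - [27/Jun/2012:01:10:00 -0400] "GET / HTTP/1.1" 200 2048',
    '203.0.113.5 - - [27/Jun/2012:02:05:00 -0400] "POST /uploads/image.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [27/Jun/2012:02:31:00 -0400] "GET /.htaccess HTTP/1.1" 403 199',
]


def demo():
    """Run the whole procedure on a constructed file in a temp directory."""
    work = tempfile.mkdtemp()
    suspect = os.path.join(work, ".htaccess")
    with open(suspect, "wb") as fh:
        fh.write(b"RewriteEngine On\n")
    os.utime(suspect, (1340778000, 1340778000))  # 2012-06-27 06:20:00 UTC, constructed
    record, dest = quarantine(suspect, os.path.join(work, "quarantine"))
    hits = log_entries_near(SAMPLE_LOG, record["mtime"], window_minutes=30)
    return {"record": record, "dest": dest, "hits": hits,
            "original_gone": not os.path.exists(suspect)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The mtime is the pivot: on the sample data the two requests within half an hour of the write (the POST to an upload handler and the later read of the file) are returned, while the earlier GET is not. The same timestamp is what you carry to the backup system to find the last snapshot that does not contain the file.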
