[9320] in bugtraq


Re: No Security is Bad Security:

daemon@ATHENA.MIT.EDU (Kevin Day)
Wed Feb 3 11:14:51 1999

Date: 	Wed, 3 Feb 1999 01:50:20 -0600
Reply-To: Kevin Day <toasty@HOME.DRAGONDATA.COM>
From: Kevin Day <toasty@HOME.DRAGONDATA.COM>
X-To:         jjasen1@UMBC.EDU
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.LNX.4.04.9902021820520.24338-100000@linuxbeta.gl.umbc.edu>
              from "John \"E.R.\" Jasen" at "Feb 2, 1999  6:24:25 pm"

>
> Mistakes Made in Incident Response:
> ----------------------------------
>
> 1) Don't log in as root on a machine that most likely has been
> compromised. Bad things can happen.
>
> 2) Don't go around blithely executing binaries. (I feel rather stupid
> about that)
>
> 3) Do *immediately* take the machine offline, and mount the disks on
> another system for analysis.


If mounting on another system, and your OS supports it, mount with the
'noexec' option, to make sure you don't accidentally infect another system, as
well as the rdonly flag to make sure you don't damage evidence. You may also
want to consider 'noatime', to keep things really pristine, if you don't go
'ro'.

             noexec  Do not allow execution of any binaries on the mounted
                     file system.  This option is useful for a server that has
                     file systems containing binaries for architectures other
                     than its own.



Kevin
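
The mount options recommended in the message above can be checked before analysis begins. This is an added example, not part of the original post: it audits an fstab(5)-style mount table (the layout of /proc/mounts on Linux, assumed here) for 'noexec' and for either read-only or 'noatime'. The function names, devices and mount points are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an fstab(5)-style mount table
# (device mountpoint fstype options ...) read from stdin.

# has_opt OPTS NAME: succeed if NAME is one of the comma-separated OPTS.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# check_evidence_mount MOUNTPOINT < table
# Returns 0 if acceptable, 1 if a recommended option is missing,
# 2 if MOUNTPOINT is not in the table. Findings go to stdout.
check_evidence_mount() {
    mnt=$1
    # A later mount on the same path shadows earlier ones, so keep the last match.
    opts=$(awk -v m="$mnt" '$2 == m { o = $4 } END { print o }')
    if [ -z "$opts" ]; then
        echo "$mnt: not mounted"
        return 2
    fi
    rc=0
    if ! has_opt "$opts" noexec; then
        echo "$mnt: missing noexec (binaries on the suspect disk can run here)"
        rc=1
    fi
    # 'ro' is the usual table spelling; the message's 'rdonly' is accepted too.
    if ! has_opt "$opts" ro && ! has_opt "$opts" rdonly; then
        if has_opt "$opts" noatime; then
            echo "$mnt: writable, noatime set (reads leave access times alone)"
        else
            echo "$mnt: writable without noatime (reading files alters evidence)"
            rc=1
        fi
    fi
    return $rc
}

# Constructed sample table, not output from a real system.
sample_table() {
    cat <<'EOF'
/dev/sdb1 /mnt/evidence ext2 ro,noexec,nosuid 0 0
/dev/sdc1 /mnt/suspect ext2 rw,relatime 0 0
/dev/sdd1 /mnt/copy ext2 rw,noexec,noatime 0 0
EOF
}

for m in /mnt/evidence /mnt/suspect /mnt/copy; do
    sample_table | check_evidence_mount "$m" || echo "$m: remount before analysis"
done
```

On a live analysis host, feed the function the real table instead of the sample, for example `check_evidence_mount /mnt/evidence < /proc/mounts`.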
