On Wed, 2009-06-03 at 01:57 -0400, JohnS wrote:
> On Wed, 2009-06-03 at 00:46 -0500, John R. Dennison wrote:
> > On Wed, Jun 03, 2009 at 12:30:10AM -0500, Neil Aggarwal wrote:
> > >
> > > It would be prudent to review his web code to see
> > > if he did something in an insecure way. If his code
> > > is open to attack, it will be so even if he puts it
> > > on a new machine.
> >
> > Hence my statements to evaluate the web-apps he has running :)
> >
> > I will bet dollars to donuts he had a web app with a known issue
> > that was not patched. Also goes back to my previous statement
> > of fully patching.
> >
> ---
> Dollars to Donuts ehhh???
> How many donuts you think it will take to pay for legal costs and clean
> up if there are customer data on the machine? I think right about now I
> would:
> 1. Notify Risk Management and Your Compliancy Officer.
> 2. Take it off the network connections.
> 3. Do a live rsync and dd image + ram copy = running processes/hidden.
> 4. Same as 3. but with the machine off.
> 5. The company attorney needs to be notified.
> 6. By State and Federal Law in the US you have so many days to report
> incidents like this to users (customers) and law enforcement.
If, by step 4, you mean remove the drive[1], stick it into USB
enclosure, make a copy of it, then stick the original into a plastic bag
in full view of a witness[2] then give it to them, I agree
wholeheartedly[3]. I've been through this before and this is, IMHO[4] a
safer way to operate.
-I
[1] Assuming no RAID. If you have RAID, you can go to a separate box
and make a live backup via:
goodhost# ssh badhost '(cat /dev/sda)' > badhost-sda.ddout
[2] Your manager or corporate counsel will do in this example. Better
if its both.
[3] This does *NOT* constitute legal advice. Talk to your corporate
counsel before taking action, as this may constitute a criminal matter.
[4] See [3] above.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
