Re: Centos 5.3 -> Apache - Under Attack ? Oh hell....

On Wed, 2009-06-03 at 01:57 -0400, JohnS wrote:
> On Wed, 2009-06-03 at 00:46 -0500, John R. Dennison wrote:
> > On Wed, Jun 03, 2009 at 12:30:10AM -0500, Neil Aggarwal wrote:
> > > 
> > > It would be prudent to review his web code to see
> > > if he did something in an insecure way.  If his code
> > > is open to attack, it will be so even if he puts it
> > > on a new machine.
> > 
> > 	Hence my statements to evaluate the web-apps he has running :)
> > 
> > 	I will bet dollars to donuts he had a web app with a known issue
> > 	that was not patched.  Also goes back to my previous statement
> > 	of fully patching.
> > 
> ---
> Dollars to Donuts ehhh???
> How many donuts you think it will take to pay for legal costs and clean
> up if there are customer data on the machine? I think right about now I
> would:
> 1. Notify Risk Management and Your Compliancy Officer.
> 2. Take it off the network connections.
> 3. Do a live rsync and dd image + ram copy = running processes/hidden.
> 4. Same as 3. but with the machine off.
> 5. The company attorney needs to be notified.
> 6. By State and Federal Law in the US you have so many days to report
> incidents like this to users (customers) and law enforcement.

If, by step 4, you mean remove the drive[1], stick it into USB
enclosure, make a copy of it, then stick the original into a plastic bag
in full view of a witness[2] then give it to them, I agree
wholeheartedly[3].  I've been through this before and this is, IMHO[4] a
safer way to operate.

	-I

[1] Assuming no RAID.  If you have RAID, you can go to a separate box
and make a live backup via:
	goodhost# ssh badhost '(cat /dev/sda)' > badhost-sda.ddout
[2] Your manager or corporate counsel will do in this example.  Better
if it's both.
[3] This does *NOT* constitute legal advice.  Talk to your corporate
counsel before taking action, as this may constitute a criminal matter.
[4] See [3] above.

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
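
Footnote [1] above streams the raw disk over SSH into a file. As an added example (not part of the original message), this wrapper hashes the stream as it arrives and refuses to treat an interrupted transfer as a complete image. The function names, file suffixes and the use of sha256sum are assumptions.

```shell
# Added example (not from the thread). Function names, file suffixes and the
# sample invocation are assumptions; sha256sum from GNU coreutils is assumed.

# acquire_image OUT CMD [ARGS...]
# Streams CMD's stdout into OUT while hashing the same bytes in flight, so the
# recorded digest describes what was received, not what was later re-read.
acquire_image() (
    out=$1; shift
    if [ -e "$out" ]; then
        echo "refusing to overwrite existing image: $out" >&2
        return 2
    fi
    umask 077
    # Save the producer's exit status: a dropped SSH session must not pass
    # as a complete image just because tee and sha256sum exited cleanly.
    { "$@"; echo "$?" > "$out.rc"; } | tee "$out" | sha256sum |
        awk '{print $1}' > "$out.sha256"
    rc=$(cat "$out.rc"); rm -f "$out.rc"
    if [ "$rc" -ne 0 ]; then
        mv "$out" "$out.partial"; rm -f "$out.sha256"
        echo "source command exited $rc; kept $out.partial" >&2
        return 1
    fi
    chmod 0400 "$out" "$out.sha256"
    # Minimal acquisition note for the custody record.
    printf '%s  acquired_utc=%s  by=%s  cmd=%s\n' "$(cat "$out.sha256")" \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" "$*" > "$out.log"
)

# verify_image OUT: re-hash the file on disk and compare with the in-flight
# digest. Run it after acquisition and again before each later analysis.
verify_image() (
    want=$(cat "$1.sha256") || return 2
    have=$(sha256sum < "$1" | awk '{print $1}')
    [ "$want" = "$have" ]
)

# Typical use from the trusted host, with footnote [1]'s command as the source:
#   acquire_image badhost-sda.ddout ssh badhost 'cat /dev/sda'
#   verify_image  badhost-sda.ddout
```

Work on a copy of the image and keep the read-only original with its .sha256 and .log files.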