by midas007 4426 days ago
TL;DR: If owned, start from a fresh base system.

I think you meant "someone gets privileged code execution," which is a sensible assumption. Even so, app-permission (less than privileged) code execution can still do damage, like hosting malware, IRC dumpsites/bot control, diodes, tor relays, vandalizing web properties, etc.

The only way to know for certain that a system is no longer owned is to reimage it to a known good state. Doing anything less is tons of work and unlikely to catch everything (rootkits, backdoors, hidden services, replaced system files, etc.). Even when running HIDS, the HIDS can't be trusted, because rootkits can hide things from it: it's running on the system with a possibly infected kernel. So it turns out reimaging is less work and more trustworthy if the box is rebuilt and the 'sploit can be mitigated before bringing it online to the outside world (build and patch offline to avoid getting re-owned).
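Added example, not code from the original post: the point above that a HIDS running on the suspect host cannot be trusted leads naturally to checking the disk from outside it. The script below assumes the suspect disk has been mounted read-only from a clean rescue system; it builds a SHA-256 manifest of every regular file under a directory tree, does the same for the golden image, and reports files that were modified, added, or removed. The two directory trees it builds (a trojaned ls, an added /etc/ld.so.preload, a deleted log) are constructed sample data for illustration.

```python
"""Offline integrity check: compare a hash manifest taken from a suspect disk
(mounted read-only from a clean rescue system, NOT from the possibly rootkitted
kernel) against a manifest generated from the golden image.

Added example; the directory trees in demo() are constructed sample data."""

import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under `root` (path relative to root) to its SHA-256.
    Run once on the golden image and once on the suspect filesystem; symlinks
    and special files are skipped."""
    manifest: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest[str(p.relative_to(root))] = hash_file(p)
    return manifest


def compare_manifests(known_good: dict[str, str],
                      suspect: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences relative to the known-good manifest:
    modified (same path, different hash), added (only on suspect),
    missing (only in known-good)."""
    modified = sorted(p for p in known_good
                      if p in suspect and suspect[p] != known_good[p])
    added = sorted(p for p in suspect if p not in known_good)
    missing = sorted(p for p in known_good if p not in suspect)
    return {"modified": modified, "added": added, "missing": missing}


def demo() -> dict[str, list[str]]:
    """Build a golden tree and a tampered copy in a temp dir (constructed
    sample data) and diff their manifests."""
    with tempfile.TemporaryDirectory() as tmp:
        golden = Path(tmp) / "golden"
        suspect = Path(tmp) / "suspect"
        for root in (golden, suspect):
            (root / "bin").mkdir(parents=True)
            (root / "etc").mkdir()
            (root / "bin" / "ls").write_bytes(b"\x7fELF original ls")
            (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        # Simulated tampering on the suspect disk: replaced system binary,
        # dropped preload library config (a classic userland-rootkit artifact),
        # and a log that exists on the golden image but was deleted.
        (suspect / "bin" / "ls").write_bytes(b"\x7fELF trojaned ls")
        (suspect / "etc" / "ld.so.preload").write_text("/lib/libfake.so\n")
        (golden / "var").mkdir()
        (golden / "var" / "auth.log").write_text("constructed log line\n")
        return compare_manifests(build_manifest(golden), build_manifest(suspect))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In real use, generate the golden manifest at image build time and store it off the box; the comparison is only meaningful when both the hashing tool and the kernel doing the reads come from the trusted rescue environment rather than the suspect install.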


While I agree in principle that when owned one should start from scratch, my advice would be to learn something. Often I am asked to analyse attacks, and I now have a collection of about 15 malware scripts that not only show me the intent but are also useful (and remarkably well coded) for my daily admin tasks.

So, fresh start but at least get something out of it!

"and the 'sploit can be mitigated before bringing it online to the outside world"

You should read more carefully.

Also, keeping people waiting without an ETA for a down service because you're learning isn't going to result in happy customers.

Furthermore, whoever is running these boxes needs to deploy NIDS and HIDS and properly secure their boxes, because clearly they don't understand what an attack surface is.

Yes, whatever your security problem is, I'm sure some NIDS will clear it right up.

What a flippant, uncivilized, unconstructive comment.

Defense in-depth, every little bit helps.

Disagree, both in spirit and to the letter; for starters, I'm pretty sure there's still validity in a very long blog post I wrote about NIDS back in 1998:

http://insecure.org/stf/secnet_ids/secnet_ids.html

People running SAAS apps probably shouldn't waste much time with NIDS.

I'd assume s/he would isolate that machine for post-mortem and spin up a new service on a different box, unless we're talking poverty IT.

I think he said it precisely as he meant it.