
RE: [cobalt-users] "Sort of" hacked?? Raq3 with some problems...
Roger,

> Someone with very little *nix experience isn't likely
> to be successful in manually restoring a box.

Agreed.

> But, how can you automatically assume that everyone who
> gets hacked and asks for help is totally clueless in this
> regard.

You can't. However, I believe you *can* safely assume that only people
who really and truly have LOTS of experience in *nix security can
"unhack" a machine with a high degree of confidence, and that none of
those people would post a message saying "Gee, I've been hacked, what do
I do?"

Hence the assumption is *not* that someone posting a message asking for
basic help on this subject is totally clueless. The assumption is only
that this person probably does not have enough experience to go this
route; and this is a much more reasonable assumption.

> You may as well give people both options, and then
> let them decide what they want to do, rather than
> stating that the *only* way is to use the restore cd.

I've been programming since 1982, building PC's since 1991, doing
networks since 1993, running ISP NOC's since 1995, and securing stuff
from unauthorized access since that same year. I am not "World Class" or
claiming such, but I do have significant experience in this.

I *would* feel comfortable scanning a system for hacks and removing them
with confidence that I had indeed found all of them. And yet, I've found
that a good backup and a full restore off the CD is *without exception*
the quicker, cheaper, easier way to go. Even now, in my NOC the standard
operating procedure if/when a machine gets hacked (not yet, thank God)
is to:

 * Unplug from network
 * Recreate sites on another machine quickly so at
   least HTTP can be served in the meantime
 * Get back in
 * Try to get backup of temp data like mailspools
   and stuff changed since last night's backup
 * Full restore (repartition, reformat, reinstall)
 * Restore backups

Working full speed and with high-octane coffee, the last machine we had
hacked (about a year ago) took me six hours to restore to virgin status.
No mail was lost since the backup mail server queued it, and HTTP was
served for about 80% of the sites.

Bottom line... you're correct that the CD is not the ONLY way to recover
from a hack. But the more I learn, the more I conclude that it's the
ONLY SAFE way. Anyone who says it's too expensive hasn't done enough
preparation or planning, or is colocating/hosting with the wrong
provider.

> IMO, most people that bother to join this list
> either do have a reasonable amount of *nix
> experience, or are willing to learn. Otherwise
> they probably would've just gone crying to Cobalt
> and asked for help there.

Agreed. But neither "reasonable amount of experience" nor "willing to
learn" are good enough when my livelihood and my reputation and my
customers are on the line.

--
Rodolfo J. Paiz
rpaiz@xxxxxxxxxxxxxx <mailto:rpaiz@xxxxxxxxxxxxxx>
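The step in the procedure above that is easiest to get wrong under pressure is "try to get backup of temp data like mailspools and stuff changed since last night's backup": on a compromised host you want that salvage to be fast, mechanical and provable, and then the box gets repartitioned. The script below is an added example written for this list reply; it is not code from the original post or from Cobalt. It assumes the nightly backup job leaves a timestamp file (the `STAMP` argument) it can compare against, that `find`, `tar -T` and `sha256sum` are available (GNU or BSD tar), and that all three paths are passed as absolute paths. `-xdev` keeps `find` on the root filesystem, so pointing `OUTDIR` at a mounted USB or NFS volume will not make the script salvage its own output. It goes beyond the post's one-line step by also writing a hash manifest and a verifier, so you can show later exactly what left the box and that the restore got it back intact.

```shell
#!/bin/sh
# Salvage files changed since the last good backup from a box you are about to wipe.
# Added example for this thread, not code from the original post or from Cobalt.
# Assumptions: STAMP is a file touched by the nightly backup job; ROOT, STAMP and
# OUTDIR are absolute; find, tar -T (GNU/BSD) and sha256sum exist. Prefer running
# these tools from a known-clean medium, since the host's own binaries may be trojaned.

# salvage_changed_files ROOT STAMP OUTDIR
#   Finds regular files under ROOT (one filesystem only) modified after STAMP,
#   hashes them, archives them into OUTDIR/changed.tar with ROOT-relative paths,
#   writes OUTDIR/manifest.sha256, and prints the number of files saved.
salvage_changed_files() {
    root=$1; stamp=$2; out=$3
    mkdir -p "$out" || return 1
    list="$out/changed.list"

    # Paths are recorded relative to ROOT (./var/spool/mail/bob) so the archive can be
    # extracted and verified anywhere, not only at the original absolute location.
    ( cd "$root" && find . -xdev -type f -newer "$stamp" ) > "$list" || return 1

    # Hash before copying: the manifest is the record of what was taken off the box.
    ( cd "$root" && while IFS= read -r f; do sha256sum "$f"; done < "$list" ) \
        > "$out/manifest.sha256" || return 1

    if [ -s "$list" ]; then
        ( cd "$root" && tar -cf "$out/changed.tar" -T "$list" ) || return 1
    fi
    wc -l < "$list" | tr -d ' '
}

# verify_salvage OUTDIR SCRATCH
#   Extracts OUTDIR/changed.tar into SCRATCH and checks every file against the
#   manifest. Returns non-zero if anything is missing or altered.
verify_salvage() {
    out=$1; scratch=$2
    mkdir -p "$scratch" || return 1
    tar -xf "$out/changed.tar" -C "$scratch" || return 1
    ( cd "$scratch" && sha256sum -c --quiet "$out/manifest.sha256" )
}

# Typical use on the unplugged host, with the salvage volume already mounted:
#   salvage_changed_files / /var/backup/last-backup.stamp /mnt/usb/salvage
# After the reinstall and restore from the nightly backup, on the rebuilt host:
#   verify_salvage /mnt/usb/salvage /tmp/salvage-check && cp -a /tmp/salvage-check/. /
```

The manifest and archive should be hashed again and kept with the incident record, since the salvaged files are the only copy of what changed between the last backup and the moment the box was pulled; anything in that set (mailspools included) may also contain the attacker's droppings, so review the list before copying it onto the rebuilt machine.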