RE: Unknown App

From: Scott Fuhriman (fuhrimans@llix.net)
Date: Mon Jul 25 2005 - 17:10:05 EDT


I will elaborate a little more with the additional info you have provided
about already having identified the application.

If you are doing a pen-test for a customer the first thing you should do is
let them know. It is not good practice to identify a potential security
breach that a customer has and wait to tell them after you are finished with
a full report. Then let them take the appropriate action necessary as
dictated by their security program/procedures.

Otherwise, if this is your organization you should follow the policies and
procedures established. Most likely these don't exist or you wouldn't be
asking the question. The following is not a fully extensive, detailed
description of the forensics and incident response process, as it would take
far too much to explain. Don't be trapped into thinking the answer is
simply to delete the application and continue operating; remember, if there
are other machines infected, this one could become infected again.

First, the biggest question that has to be asked is if this application is
malicious or something intended and you are just not in the know about a
special configuration within the organization. If this is malicious, the
issue needs to be reported to management with the first set of decisions
that needs to be made. This decision is as to whether the organization
wants/needs to spend the time and money to perform a forensics analysis on
the machine to identify how the breach occurred and the extent of the
breach, or due to budget and time constraints wipe the machine completely
and rebuild from scratch. Again, if rebuilding isn't an option then you
need...

Second, to complement the first decision, management must decide if they want
to potentially pursue this in a legal fashion. This decision has far
reaching effects because it determines how you must go about collecting
information as evidence. When this becomes a forensics investigation,
normal IT staff are not the best people to perform these activities unless
they have had the proper forensics training.

Next, if it has been decided to further analyze the incident, you need to
identify the manner of compromise (again unless you know for certain that no
legal action will be taken, you should begin forensics procedures because
you may not know until after the fact that litigation is desired by
management). How did it occur? When did it occur? How to recreate the
activities that led up to the security incident? Are there other things
running that we are not aware of? What is the worm, and what are its
intentions? Are there any other malicious things the worm is known for (key
logging, backdoors, etc.)? How is the worm/virus/trojan spreading?

Finally, if you have reached this stage you should have enough information
to make an informative decision as to how to mitigate the incident and
whether the machine(s) need to be wiped and rebuilt, or simply cleaned and
use can continue. If the latter is decided upon, again remember that the
only way to be 100% confident is to wipe the machine and change any and all
passwords stored/used on the machine as the person compromising the machine
may have compromised all or any of them and could simply use them to re-gain
access. Or it may have been an internal employee or IT staff member, which
may be unlikely in this case as it does appear to be a worm.

Hope that gives you a better understanding of what is ahead of you and the
decisions needing to be made. Remember if you have not been trained in
forensics analysis and investigation, you should seek someone with that
skill set and not make the mistakes that would be made otherwise.

Scott Fuhriman

-----Original Message-----
From: thenightweighsheavy@gmail.com [mailto:thenightweighsheavy@gmail.com]
Sent: Monday, July 25, 2005 11:44 AM
To: pen-test@securityfocus.com
Subject: Re: Unknown App

Hi,

Thanks for all of the great responses; however, I think I phrased the
original email poorly. What I was getting at was how to approach this
application that has opened port 80 - but not as a web listener. I.e., the
usual approaches to pen-testing a web server are not applicable. I have
identified the offending application, what I'm curious to know is how the
list would approach this find.

Golden Earring
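The question in this thread is how to approach a process that has opened port 80 without speaking HTTP, and the reply stresses characterising the listener and preserving what you observe as evidence rather than simply deleting it. The following is an added example written for this archive page; it is not code from either poster. It sends a plain HTTP request to the suspect port, classifies whatever comes back (a real web server, a silent socket, a text banner, or opaque binary), and wraps the raw bytes in a timestamped SHA-256 record that can be re-verified later if the finding ends up in a report or a legal process. The `_fake_listener` helper is a constructed stand-in for the suspect process so the script runs offline; the hostname, port and labels are placeholders.

```python
"""Triage helpers for an unknown listener: probe it, classify what it speaks,
and record what was observed as a hashed evidence record.
Added example; the fake listener below is constructed for offline use."""
import hashlib
import json
import socket
import threading
from datetime import datetime, timezone

# A plain HTTP/1.0 request: a real web server answers with a status line.
HTTP_PROBE = b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n"


def classify_response(data: bytes) -> str:
    """Classify the first bytes a listener sends back to an HTTP probe."""
    if not data:
        return "silent"            # accepted the connection but said nothing
    if data.startswith(b"HTTP/"):
        return "http"              # ordinary web server
    if all(32 <= b < 127 or b in b"\r\n\t" for b in data):
        return "text-banner"       # some other line-oriented protocol
    return "binary"                # opaque bytes: custom protocol, bot, backdoor


def probe_listener(host: str, port: int, timeout: float = 3.0) -> tuple:
    """Connect, send HTTP_PROBE, return (classification, raw bytes received)."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(HTTP_PROBE)
        try:
            while len(b"".join(chunks)) < 4096:
                chunk = s.recv(1024)
                if not chunk:      # peer closed: we have everything it sent
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass                   # keep whatever arrived before the timeout
    data = b"".join(chunks)
    return classify_response(data), data


def evidence_record(label: str, data: bytes, note: str = "") -> dict:
    """Build a timestamped record whose payload hash can be re-verified later."""
    return {
        "label": label,
        "observed_utc": datetime.now(timezone.utc).isoformat(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "length": len(data),
        "note": note,
    }


def verify_record(record: dict, data: bytes) -> bool:
    """Check that a stored record still matches the bytes it describes."""
    return (record["sha256"] == hashlib.sha256(data).hexdigest()
            and record["length"] == len(data))


def _fake_listener(banner: bytes) -> int:
    """Constructed stand-in for the suspect process: answers one client with
    `banner` on an ephemeral loopback port and returns that port number."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.recv(1024)            # swallow the probe, ignore its contents
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    port = _fake_listener(b"\x00\x01\xff\xfeNOT-HTTP")   # constructed sample
    kind, raw = probe_listener("127.0.0.1", port)
    rec = evidence_record("tcp/%d first response" % port, raw, "initial probe")
    print(kind)
    print(json.dumps(rec, indent=2))
```

Run it against the real host and port instead of the fake listener, keep the raw bytes alongside the JSON record, and hash anything else you collect (the binary itself, netstat output) the same way; the record only proves what was captured, not how the process got there, which is the forensics work the reply describes.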



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:38 EDT