[GLLUG] meeting idea?

Charles Ulrich charles at idealso.com
Wed Aug 23 11:22:19 EDT 2006


Thomas Hruska wrote:
> It really depends on how good you are at recovery scenarios.  However, a 
> lot of people don't have a plan or can't formulate one and start 
> executing it in five minutes.  Some backdoor might also be programmed to 
> start overwriting random files if it can't connect to a remote host for 
> some set amount of time...causing damage to files and data if you don't 
> start doing things right away.  Most systems have critical data that has 
> to be gotten off the drive and people have this preference that their 
> data remain intact.  If the computer is off, no program can be running 
> that could destroy data.  Weigh your risks between losing data and 
> discovering every last detail of the malware.  Once you have a detailed 
> plan laid out (on paper) for the compromised computer, it becomes a lot 
> easier to get up and running again.

In my book, the only *proper* way to deal with a compromised machine is 
to find out how they got in, close that hole ASAP, and then wipe the 
disks and reinstall from scratch. Hopefully, you have good backups from 
before the machine was compromised, because trying to pull data off a 
cracked system is not a good idea unless you have a way to easily verify 
the integrity of the data. Granted, most crackers take over machines 
solely to launch attacks on yet more systems, but you never can be sure.

-- 
Charles Ulrich
Ideal Solution, LLC -- http://www.idealso.com
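The "way to easily verify the integrity of the data" Charles mentions is usually a hash manifest taken before the compromise (for example, `sha256sum` run over a trusted backup). The following is an added example, not code from the original post: it checks a recovered file tree against such a manifest and classifies every file; all file names, contents and hashes are constructed for illustration.

```python
# Added example (not from the original post): check files recovered from a
# compromised host against a SHA-256 manifest taken before the compromise,
# e.g. generated with `sha256sum` on a trusted backup. Sample data is constructed.
import hashlib
import tempfile
from pathlib import Path

def parse_manifest(text):
    """Parse sha256sum-style lines '<hex>  <relative path>' into a dict."""
    manifest = {}
    for line in text.splitlines():
        if line.strip():
            digest, _, name = line.strip().partition("  ")
            manifest[name.strip()] = digest.lower()
    return manifest

def verify_tree(root, manifest):
    """Classify files under root as ok / modified / unexpected; list missing ones."""
    root = Path(root)
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    seen = set()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in manifest:
            # No known-good hash exists for this file, so nothing vouches for it.
            result["unexpected"].append(rel)
        elif hashlib.sha256(path.read_bytes()).hexdigest() == manifest[rel]:
            result["ok"].append(rel)
        else:
            result["modified"].append(rel)
    result["missing"] = sorted(set(manifest) - seen)
    return result

def demo():
    # Constructed scenario: baseline from clean files, then the tree changes.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        clean = {"etc/hosts": b"127.0.0.1 localhost\n",
                 "home/report.txt": b"Q3 numbers\n",
                 "bin/ls": b"placeholder for a binary\n"}
        for rel, data in clean.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        manifest = parse_manifest("\n".join(
            f"{hashlib.sha256(d).hexdigest()}  {rel}" for rel, d in clean.items()))
        # Changes after the baseline: one binary replaced, one file gone, one new.
        (root / "bin/ls").write_bytes(b"placeholder for a replaced binary\n")
        (root / "home/report.txt").unlink()
        (root / "unknown").write_bytes(b"not in baseline\n")
        return verify_tree(root, manifest)
```

Only files in the `ok` list can be trusted; anything `modified` or `unexpected` should be treated as tainted, and `missing` entries need to come from the backup.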

