On Wed, 2009-06-03 at 01:57 -0400, JohnS wrote:
On Wed, 2009-06-03 at 00:46 -0500, John R. Dennison wrote:
On Wed, Jun 03, 2009 at 12:30:10AM -0500, Neil Aggarwal wrote:
It would be prudent to review his web code to see if he did something in an insecure way. If his code is open to attack, it will be so even if he puts it on a new machine.
Hence my statements to evaluate the web-apps he has running :)
I will bet dollars to donuts he had a web app with a known issue that was not patched. Also goes back to my previous statement of fully patching.
Dollars to Donuts ehhh??? How many donuts you think it will take to pay for legal costs and clean up if there are customer data on the machine? I think right about now I would:
- Notify Risk Management and Your Compliancy Officer.
- Take it off the network connections.
- Do a live rsync and dd image + ram copy = running processes/hidden.
- Same as 3. but with the machine off.
- The company attorney needs to be notified.
- By State and Federal Law in the US you have so many days to report incidents like this to users (customers) and law enforcement.
If, by step 4, you mean remove the drive[1], stick it into USB enclosure, make a copy of it, then stick the original into a plastic bag in full view of a witness[2] then give it to them, I agree wholeheartedly[3]. I've been through this before and this is, IMHO[4] a safer way to operate.
-I
[1] Assuming no RAID. If you have RAID, you can go to a separate box and make a live backup via:
    goodhost# ssh badhost '(cat /dev/sda)' > badhost-sda.ddout
[2] Your manager or corporate counsel will do in this example. Better if it's both.
[3] This does *NOT* constitute legal advice. Talk to your corporate counsel before taking action, as this may constitute a criminal matter.
[4] See [3] above.
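The "dd image" step from the list above, plus the copy-then-bag handling described in the reply, as an added example that is not part of the thread or anyone's posted code: image the drive with dd, hash both sides with SHA-256 so the copy can later be shown to match the original, and append the digests and dd's own transfer statistics to a custody log. The device path, image path and log file name are placeholders chosen for illustration; any regular file stands in for the device when trying it out.

```shell
#!/bin/sh
# Added example, not from the thread. Forensic-style imaging with verification:
#   image_and_verify <source device or file> <image file> <custody log>
# Assumed paths for illustration: /dev/sdb (drive in a USB enclosure),
# /evidence/badhost-sda.img, /evidence/custody.log.

# Compare SHA-256 digests of the source and the image; returns 0 only on a match.
verify_image() {
    src="$1"
    dst="$2"
    src_sum=$(sha256sum "$src" | cut -d' ' -f1)
    dst_sum=$(sha256sum "$dst" | cut -d' ' -f1)
    [ "$src_sum" = "$dst_sum" ]
}

# Copy the source block-for-block, record who/when/what in the custody log,
# then verify. dd's statistics (records in/out, bytes copied) go to the log via
# stderr so the log carries the transfer size as well as the digests.
# Plain dd stops at the first unreadable sector; a failing drive needs a tool
# that records bad regions instead (e.g. GNU ddrescue), which is out of scope here.
image_and_verify() {
    src="$1"
    dst="$2"
    log="$3"

    printf '%s imaging %s -> %s by %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$dst" "$(id -un)" >> "$log"

    dd if="$src" of="$dst" bs=4M 2>> "$log" || return 1

    src_sum=$(sha256sum "$src" | cut -d' ' -f1)
    dst_sum=$(sha256sum "$dst" | cut -d' ' -f1)
    printf 'source sha256: %s\nimage  sha256: %s\n' "$src_sum" "$dst_sum" >> "$log"

    if verify_image "$src" "$dst"; then
        printf 'verification: MATCH\n' >> "$log"
        return 0
    fi
    printf 'verification: MISMATCH\n' >> "$log"
    return 1
}

# Stand-alone use: sh image.sh /dev/sdb /evidence/badhost-sda.img /evidence/custody.log
if [ "$#" -eq 3 ]; then
    image_and_verify "$1" "$2" "$3"
fi
```

Hash the original through the same read-only path you image it from (the USB enclosure, ideally behind a write blocker); the second hash is what lets the witnessed, bagged drive and the working copy be tied together later, and re-running verify_image against the image at any point shows whether the copy has been altered since.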