Friday, December 16, 2005

Knowing what's on your box...

Do you know what is running on your boxes? Really...are you sure? I was handling an incident today where a machine was compromised through a unnamed database running that was part of a terminal server application. The whole time I am investigating the compromise I was wondering if they knew the DB was running, and if so, did they think about whether or not it needed to be externally accessible and did they think that maybe it would need to be updated. Heck, maybe they thought the vendor who was using the DB would be responsible and provide updates to it. Beats me. As an incident handler, I don't always get my hands on the boxen that get 0wN3d. I get to provide the network forensic data proving it was compromised so that the system administrator can deal with it appropriately.

On a related note, the first alpha release of Metasploit was released yesterday. It is now based on the Ruby programming language which a friend of mine referred to as being as simple as writing pseudocode. I plan on checking it out as it may be applicable the the private hacking challenge I am working on. The whole point of this paragraph is that I was wondering if the release might have be why we saw the DB get exploited today. I haven't bothered checking all the new sploitz included in the the alpha release, but I can tell you that last year's big release caused a two immediate compromises of servers running the Veritas Backup Exec agent.

That's enough for now. I have to run home to get ready for a party that is an hour and a half away. I know I promised my lists of podcasts today but that will either have to wait until after the party or maybe later this weekend. TGIF!

No comments: