Security Basics mailing list archives
RE: compromised network
From: Francisco Mário Ferreira Custódio <fcustodio () eda pt>
Date: Mon, 29 Dec 2003 16:30:39 -0100
Hello Dana.

All questions make sense! If your network has been compromised, you should alert the authorities. You should collect as much information as possible in order to track the bad guys.

According to your e-mail... it looks like the bad guys used your systems to make a dump site. It seems you have been attacked by some "warez" freaks trying to get space for dumping files.

To check for any rogue stuff, you should check all the processes running on each box, and you should check the traffic for layer 4 information (TCP/UDP packets and ports) to figure out what's running in and out. Finally, you should check for layer 3 information (IP addresses), destinations and origins, and check for suspicious IP addresses. Ethereal provides you useful information; when you finish your captures, Ethereal organizes the packets in a very reading-friendly way. You can see all the information I was talking about. Check all this information with your syslog. You will be doing forensics work at this time.

I strongly advise you to deploy a Network IDS (Snort is a good choice). The NIDS will alert you of any suspicious activity within your network.

Good luck.

FC

-----Original Message-----
From: Dana Rawson [mailto:absolutezero273c () nzoomail com]
Sent: Friday, 26 December 2003 18:22
To: security-basics () securityfocus com
Subject: compromised network

Not sure where to start except by saying that my servers and router were compromised. Have locked down both servers and routers (at least I have attempted to do so), but what is the best way to verify that there is nothing rogue left active on the servers? Also, is there any legal action I should take (i.e. do I alert any authorities)? It appears that my network was targeted by a server in California, and individuals from Australia, the Netherlands and the US were connecting using it as an FTP server. It was actually named "Revenge Server".

I just installed Ethereal and am currently capturing packets, but am not really sure how to read this or if there is any easier way to monitor all things... and to actually know how to read it. Will I be able to retrieve IP addresses from packets to match activity on my syslog and identify rogue traffic? This is all new to me, so I apologize if my questions don't make sense or my approach is illogical.
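The reply above suggests pulling layer 3/4 information (peer IP addresses, ports) out of the capture and checking it against syslog. The script below is an added example written for this page, not code from either poster: it parses a constructed, simplified packet summary (one `src:sport dst:dport proto` line per packet, loosely modelled on Ethereal's packet-list columns, not its real export format) together with constructed syslog lines, works out which external hosts reached which local ports, flags any that touched a port outside an administrator-defined allowlist, and attaches the syslog lines that mention the same address. The local subnet, the sample addresses and the `EXPECTED_PORTS` allowlist are all assumptions for the example; adapt the two parsers to whatever export your capture tool produces.

```python
"""Correlate a packet-capture summary with syslog to spot rogue peers.

Added example, not part of the original thread. Input formats are
constructed: a simplified "src:sport dst:dport proto" packet summary
(loosely modelled on Ethereal's packet list) and ordinary syslog lines.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample capture: local server 192.0.2.10, hypothetical peers.
CAPTURE = """\
192.0.2.10:21 198.51.100.7:40312 tcp
198.51.100.7:40312 192.0.2.10:21 tcp
203.0.113.44:51000 192.0.2.10:21 tcp
203.0.113.44:51001 192.0.2.10:6667 tcp
192.0.2.10:53 192.0.2.1:3345 udp
198.51.100.7:40400 192.0.2.10:31337 tcp
"""

# Constructed sample syslog lines from the same time window.
SYSLOG = """\
Dec 26 18:01:02 srv1 ftpd[2311]: ANONYMOUS FTP LOGIN FROM 198.51.100.7
Dec 26 18:05:40 srv1 ftpd[2350]: ANONYMOUS FTP LOGIN FROM 203.0.113.44
Dec 26 18:07:13 srv1 sshd[2399]: Accepted password for admin from 192.0.2.1
"""

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumption: the site's subnet
# Services the administrator expects to be exposed (assumption for the example).
EXPECTED_PORTS = {("tcp", 21), ("tcp", 22), ("udp", 53)}

PACKET_RE = re.compile(r"^(\S+):(\d+)\s+(\S+):(\d+)\s+(tcp|udp)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_capture(text):
    """Return (src, sport, dst, dport, proto) tuples; malformed lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = PACKET_RE.match(line.strip())
        if m:
            src, sport, dst, dport, proto = m.groups()
            packets.append((src, int(sport), dst, int(dport), proto))
    return packets


def services_touched(packets, local_net=LOCAL_NET):
    """Map each external IP to the set of (proto, local port) it exchanged traffic with."""
    touched = defaultdict(set)
    for src, sport, dst, dport, proto in packets:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip not in local_net and dst_ip in local_net:
            touched[src].add((proto, dport))      # inbound: local port is dport
        elif dst_ip not in local_net and src_ip in local_net:
            touched[dst].add((proto, sport))      # reply: local port is sport
    return dict(touched)


def syslog_ips(text):
    """Map each IP address mentioned in syslog to the lines that mention it."""
    hits = defaultdict(list)
    for line in text.splitlines():
        for ip in IP_RE.findall(line):
            hits[ip].append(line)
    return dict(hits)


def flag_suspicious(touched, log_hits, expected=EXPECTED_PORTS):
    """Report external IPs that hit unexpected local ports, with their syslog trail."""
    report = {}
    for ip, ports in touched.items():
        unexpected = sorted(p for p in ports if p not in expected)
        if unexpected:
            report[ip] = {"unexpected": unexpected, "syslog": log_hits.get(ip, [])}
    return report


if __name__ == "__main__":
    rep = flag_suspicious(services_touched(parse_capture(CAPTURE)), syslog_ips(SYSLOG))
    for ip, info in rep.items():
        print(ip, "unexpected ports:", info["unexpected"],
              "| syslog lines:", len(info["syslog"]))
```

On the constructed data this reports both external peers: one reached local port 31337/tcp and the other 6667/tcp, neither of which is in the allowlist, and each also has an anonymous FTP login recorded in syslog, which is the kind of cross-reference the reply recommends. Traffic between two local addresses (the DNS exchange) is ignored, and the local-to-external replies are folded into the same per-peer entry so a peer is counted once whichever direction the packet was captured in.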
Current thread:
- Re: compromised network, (continued)
- Re: compromised network Alvin Oga (Dec 30)
- RE: compromised network Yvan Boily (Dec 31)
- Re: compromised network Alvin Oga (Dec 30)
- RE: compromised network Glenn Pearl (Dec 29)
- Re: compromised network erisk (Dec 30)
- Re: compromised network Jason Coombs (Dec 31)
- Re: compromised network Meritt James (Dec 31)
- Re: compromised network erisk (Dec 30)
- Re: compromised network Lard van den Berg (Dec 30)
- Re: compromised network Christos Gioran (Dec 30)
- RE: compromised network JM (Dec 30)
- Re: compromised network DT - Paulo Santos (Dec 30)
- RE: compromised network Francisco Mário Ferreira Custódio (Dec 29)
- Re: compromised network Meritt James (Dec 29)
- RE: compromised network Angus (Dec 29)
- Re: compromised network jamesworld (Dec 30)
- Re: compromised network H Carvey (Dec 31)