Security Basics mailing list archives

Re: compromised network


From: Christos Gioran <himicos () freemail gr>
Date: Tue, 30 Dec 2003 01:17:24 +0200

On Friday 26 December 2003 21:21, Dana Rawson wrote:
Not sure where to start except by saying that my servers and router were
compromised.  Have locked down both servers and routers (at least I have
attempted to do so) but what is the best way to verify that there is
nothing rogue left active on the servers?  Also, is there any legal action

Take off-line, format, reinstall from verified media and restore data from 
sure-to-be-clean backups.

Your greatest problem right now is that you cannot trust your system. Any 
binary can be (and probably has been) modified to a trojan version and even 
the kernel itself (in the case of *nix) is prone to Loadable Kernel Modules 
like adore. In the latter case, even if you use statically compiled binaries 
from verified media, you cannot tell for sure what is going on in there. All 
these are part of a good rootkit, a standard tool for any attacker. 

Using a sniffer can reveal some info as you probably know what traffic is 
normal for your network and anything beyond that is automatically suspicious 
and should be looked into. If, for example, you notice lots of traffic to a 
non-normally-used port, then probably "evil" processes are running and 
accepting connections serving files or whatever. Note the IP of the serving 
machine and investigate further. Tapping the network traffic should be done 
from a certainly clean machine to be sure that what you see is true (refer to 
the previous paragraph).

Document your actions and make sure no info is altered. All work should be 
done in a system created as a mirror to the one originally infected. That is 
because electronic evidence should not be tampered with in order to stand in 
court, and any modifications you make to access times of files etc. make the 
system even less usable.

Good Luck!
-- 
himicos
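The "traffic to a non-normally-used port" check described in the reply above, as an added example that is not part of the original post or its author's work: it parses constructed connection records (as a sniffer on a known-clean machine might log them), drops ports in an assumed baseline set, and ranks the remaining (server IP, port) pairs by bytes served so the loudest unexpected listener surfaces first. The flow format, the port baseline and the sample addresses are all assumptions.

```python
import re
from collections import Counter

# Constructed sample: one connection per line as "dst_ip dst_port bytes",
# the kind of summary a sniffer or flow exporter on a clean machine would give.
SAMPLE_FLOWS = """\
192.0.2.10 22 1400
192.0.2.10 80 5200
192.0.2.11 443 8800
192.0.2.10 31337 900000
192.0.2.10 31337 750000
192.0.2.12 80 2100
192.0.2.10 31337 1200000
"""

# Assumed baseline: ports that are normal for this network. Anything else
# is treated as suspicious and worth a closer look, as the post suggests.
EXPECTED_PORTS = {22, 80, 443}

FLOW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)$")


def parse_flows(text):
    """Return a list of (dst_ip, dst_port, nbytes) tuples, skipping bad lines."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # ignore blank or malformed records rather than aborting
        flows.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return flows


def unexpected_listeners(flows, expected_ports, min_bytes=0):
    """Aggregate traffic to ports outside the baseline per (server IP, port).

    Returns (ip, port, connection_count, total_bytes) sorted by total bytes,
    so the machine 'serving files or whatever' on an odd port comes first.
    """
    totals, conns = Counter(), Counter()
    for ip, port, nbytes in flows:
        if port in expected_ports:
            continue
        totals[(ip, port)] += nbytes
        conns[(ip, port)] += 1
    return [(ip, port, conns[(ip, port)], total)
            for (ip, port), total in totals.most_common()
            if total >= min_bytes]


if __name__ == "__main__":
    for ip, port, n, total in unexpected_listeners(parse_flows(SAMPLE_FLOWS), EXPECTED_PORTS):
        print(f"investigate {ip}:{port} ({n} connections, {total} bytes served)")
```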
