Security Basics mailing list archives
Re: compromised network
From: Christos Gioran <himicos () freemail gr>
Date: Tue, 30 Dec 2003 01:17:24 +0200
On Friday 26 December 2003 21:21, Dana Rawson wrote:
> Not sure where to start except by saying that my servers and router were compromised. Have locked down both servers and routers (at least I have attempted to do so) but what is the best way to verify that there is nothing rogue left active on the servers? Also, is there any legal action
Take off-line, format, reinstall from verified media and restore data from sure-to-be-clean backups.

Your greatest problem right now is that you cannot trust your system. Any binary can be (and probably has been) modified to a trojan version, and even the kernel itself (in the case of *nix) is prone to Loadable Kernel Modules like adore. In the latter case, even if you use statically compiled binaries from verified media, you cannot tell for sure what is going on in there. All these are part of a good rootkit, a standard tool for any attacker.

Using a sniffer can reveal some info, as you probably know what traffic is normal for your network, and anything beyond that is automatically suspicious and should be looked into. If, for example, you notice lots of traffic to a port that is not normally used, then probably "evil" processes are running and accepting connections, serving files or whatever. Note the IP of the serving machine and investigate further. Tapping the network traffic should be done from a certainly clean machine to be sure that what you see is true (refer to the previous paragraph).

Document your actions and make sure no info is altered. All work should be done on a system created as a mirror of the one originally infected. That is because electronic evidence should not be tampered with in order to stand in court, and any modifications you make to access times of files, etc., make the system even less usable.

Good Luck!

-- himicos
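The sniffer-based check described in the reply above, written out as an added example that is not part of the original post or of any tool named in it. It assumes you have a capture in tcpdump's text format (taken, as the reply says, from a clean machine on a tap or span port) and a hand-built baseline of the ports each server is supposed to serve. The server addresses, the baseline ports and the capture lines below are all constructed for the example. It goes one step beyond the reply by separating ports that were merely probed from ports on which the server actually answered with a SYN/ACK, since only the latter is evidence of a rogue listener rather than of someone scanning you.

```python
import re
from collections import defaultdict

# Ports each monitored server is expected to serve. This baseline is an
# assumption made for the example; build yours from the real service inventory.
BASELINE = {
    "192.0.2.10": {22, 80, 443},
    "192.0.2.20": {22, 25},
}

# Constructed tcpdump-style TCP lines (as printed by "tcpdump -n"), not a real capture.
# 192.0.2.10 really answers on 31337; 192.0.2.20 is only probed on 6667 and never replies.
SAMPLE_CAPTURE = """\
01:17:24.000001 IP 198.51.100.7.40001 > 192.0.2.10.80: Flags [S], seq 1, win 65535, length 0
01:17:24.000002 IP 198.51.100.7.40002 > 192.0.2.10.443: Flags [S], seq 1, win 65535, length 0
01:17:24.000003 IP 203.0.113.5.51000 > 192.0.2.10.31337: Flags [S], seq 1, win 65535, length 0
01:17:24.000004 IP 192.0.2.10.31337 > 203.0.113.5.51000: Flags [S.], seq 1, ack 2, win 65535, length 0
01:17:24.000005 IP 203.0.113.5.51000 > 192.0.2.10.31337: Flags [P.], seq 1:100, ack 1, win 65535, length 99
01:17:24.000006 IP 203.0.113.9.52000 > 192.0.2.20.25: Flags [S], seq 1, win 65535, length 0
01:17:24.000007 IP 203.0.113.9.52001 > 192.0.2.20.6667: Flags [S], seq 1, win 65535, length 0
"""

# Matches the "IP src.sport > dst.dport: Flags [..]" part of a tcpdump TCP line.
# UDP/ICMP lines have no "Flags [...]" and are deliberately skipped.
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return (src_ip, src_port, dst_ip, dst_port, flags) for a tcpdump TCP line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])


def find_unexpected_ports(capture, baseline):
    """Map (server_ip, port) -> details for every server port outside the baseline.

    'packets' counts inbound packets to that port, 'clients' the peers that sent
    them, and 'answered' turns True only when the server itself sent a SYN/ACK
    ("S." in tcpdump flags) from that port, i.e. something is really listening
    there rather than the port simply being scanned.
    """
    findings = defaultdict(lambda: {"packets": 0, "clients": set(), "answered": False})
    for line in capture.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, sport, dst, dport, flags = parsed
        # Inbound traffic to a monitored server on a port it should not serve.
        if dst in baseline and dport not in baseline[dst]:
            entry = findings[(dst, dport)]
            entry["packets"] += 1
            entry["clients"].add(src)
        # The server accepting a connection on such a port: a live listener.
        if src in baseline and sport not in baseline[src] and flags == "S.":
            findings[(src, sport)]["answered"] = True
    return dict(findings)


def live_rogue_services(findings):
    """Only the (server_ip, port) pairs that actually answered, sorted for reporting."""
    return sorted(key for key, value in findings.items() if value["answered"])


if __name__ == "__main__":
    results = find_unexpected_ports(SAMPLE_CAPTURE, BASELINE)
    for (server, port), info in sorted(results.items()):
        state = "LISTENING" if info["answered"] else "probed only"
        print(f"{server}:{port} {state}, {info['packets']} inbound packets from {sorted(info['clients'])}")
    print("investigate first:", live_rogue_services(results))
```

Feed it the output of "tcpdump -n tcp" from the clean machine and a baseline from your own service list; anything reported as LISTENING names the serving machine and port to look at on the forensic mirror, not on the live box, for the reasons the reply gives about evidence.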
Current thread:
- compromised network Dana Rawson (Dec 29)
- RE: compromised network Raoul Armfield (Dec 29)
- Re: compromised network Alvin Oga (Dec 30)
- RE: compromised network Yvan Boily (Dec 31)
- Re: compromised network Alvin Oga (Dec 30)
- RE: compromised network Glenn Pearl (Dec 29)
- Re: compromised network erisk (Dec 30)
- Re: compromised network Jason Coombs (Dec 31)
- Re: compromised network Meritt James (Dec 31)
- Re: compromised network erisk (Dec 30)
- Re: compromised network Lard van den Berg (Dec 30)
- Re: compromised network Christos Gioran (Dec 30)
- RE: compromised network JM (Dec 30)
- Re: compromised network DT - Paulo Santos (Dec 30)
- <Possible follow-ups>
- RE: compromised network Francisco Mário Ferreira Custódio (Dec 29)
- Re: compromised network Meritt James (Dec 29)
- RE: compromised network Angus (Dec 29)
- Re: compromised network jamesworld (Dec 30)
- Re: compromised network H Carvey (Dec 31)
- RE: compromised network Raoul Armfield (Dec 29)