Security Basics mailing list archives
Re: compromised network
From: "erisk" <erisk () iinet net au>
Date: Tue, 30 Dec 2003 13:34:19 +0800
This might throw some flame into the group, but I would disagree with most people's responses here. Firstly, do you have a formalised Incident Response plan? If so, follow that to the letter. Secondly, you should, for legal reasons, contact a forensic specialist to image the hard drives, capture packets etc., before wiping all your data, and consult him for further advice (if your company has the budget). After this has all been done, then follow standard hardening procedures...

----- Original Message -----
From: "Glenn Pearl" <glennp () datasync com>
To: "'Dana Rawson'" <absolutezero273c () nzoomail com>; <security-basics () securityfocus com>
Sent: Tuesday, December 30, 2003 2:10 AM
Subject: RE: compromised network
The only way to really know that your systems are clean is to start over - reformat the hard drives, reinstall apps securely and restore data from backup. Do not allow any access to the boxes until you have completely locked them down.

I am in the process of teaching myself these very steps. I'm using Windows 2000 and IIS 5, and working with the NSA Windows 2000 security guides and policy templates in combination with Stefan Norberg's "Securing Windows NT/2000 Servers for the Internet" (O'Reilly) and tons of notes courtesy of these Security Focus lists (thanks, everybody!) and articles and Google. I'm also learning how to use scanning tools and IDS such as nmap, nessus, snort, etc.

Legal action - I'm sure there are others on this list who are far more helpful than I at answering that one. Personally, I wouldn't waste any time with it or tracking the intruders via ethereal, and instead focus on lessening the chance of such compromises in the future. Search the list archives and GooGroups for info on firewalls, proxies, IDS...

Glenn Pearl

-----Original Message-----
From: Dana Rawson [mailto:absolutezero273c () nzoomail com]
Sent: Friday, December 26, 2003 1:22 PM
To: security-basics () securityfocus com
Subject: compromised network

Not sure where to start except by saying that my servers and router were compromised. Have locked down both servers and routers (at least I have attempted to do so) but what is the best way to verify that there is nothing rogue left active on the servers? Also, is there any legal action I should take (i.e. do I alert any authorities)? It appears that my network was targeted by a server in California and individuals from Australia, Netherlands and the US were connecting using it as an ftp server. Was actually named "Revenge Server". I just installed Ethereal and am currently capturing packets but am not really sure how to read this or if there is any easier way to monitor all things.
...And to actually know how to read it. Will I be able to retrieve ip addresses from packets to match activity on my syslog and identify rogue traffic? This is all new to me so I apologize if my questions don't make sense or my approach is illogical.
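Dana's question about matching the IP addresses in a capture against syslog, as an added example that is not code from any poster in this thread: it correlates a constructed one-line-per-connection capture summary with constructed syslog lines, assuming the addresses, ports and the single trusted host shown, and reports which sources are external and which connections left no log entry at all.

```python
import re
from collections import defaultdict
# Constructed sample data (not from the thread): capture summary lines and syslog.
CAPTURE_LINES = [
    "10:02:11 203.0.113.7:51344 -> 192.0.2.10:21",
    "10:02:13 203.0.113.7:51345 -> 192.0.2.10:21",
    "10:03:40 198.51.100.22:40211 -> 192.0.2.10:21",
    "10:04:02 192.0.2.55:33001 -> 192.0.2.10:22",
    "10:05:19 203.0.113.7:51390 -> 192.0.2.10:4444",
]
SYSLOG_LINES = [
    "Dec 26 10:02:12 srv ftpd[812]: connection from 203.0.113.7",
    "Dec 26 10:04:03 srv sshd[901]: Accepted publickey for admin from 192.0.2.55",
]
TRUSTED_HOSTS = {"192.0.2.55"}  # assumed: the admin box, the only expected client
CAPTURE_RE = re.compile(r"^\S+ ([\d.]+):\d+ -> [\d.]+:(\d+)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_syslog(lines):
    """Map each IP address mentioned in syslog to the lines naming it."""
    hits = defaultdict(list)
    for line in lines:
        for ip in set(IP_RE.findall(line)):
            hits[ip].append(line)
    return hits

def correlate(capture_lines, syslog_lines, trusted_hosts):
    """Per source IP: connections seen, ports hit, syslog lines naming it, and
    'unlogged' = connections the capture saw but syslog did not record."""
    syslog = parse_syslog(syslog_lines)
    report = {}
    for line in capture_lines:
        m = CAPTURE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        src, dport = m.group(1), int(m.group(2))
        r = report.setdefault(src, {"connections": 0, "ports": set()})
        r["connections"] += 1
        r["ports"].add(dport)
    for ip, r in report.items():
        r["logged"] = len(syslog.get(ip, []))
        r["external"] = ip not in trusted_hosts  # not a host we expect to see
        r["unlogged"] = max(0, r["connections"] - r["logged"])
    return report

def rogue_sources(report):
    """External sources, busiest first: where to start reading the capture."""
    ext = [ip for ip, r in report.items() if r["external"]]
    return sorted(ext, key=lambda ip: (-report[ip]["connections"], ip))
```

A gap between connections in the capture and entries in syslog (here the port 4444 connection and the second FTP client) is worth as much attention as the addresses themselves, since it points at a service that is not logging or at logs that have been cleaned.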