Educause Security Discussion mailing list archives

Re: user account compromise?


From: Joe St Sauver <joe () OREGON UOREGON EDU>
Date: Thu, 24 Apr 2008 12:34:45 -0700

Hi Jake,

#Beginning around 5:30pm yesterday, SPAM messages were sent from a student's
#user account. The student claims to not know what is happening, and I think
#I believe him.  He actually sent an email about the problem to our helpdesk at 1
#am because he was getting so many delayed delivery and NDR messages. We are
#still examining his laptop.
#
#So far my assumption is that his account was compromised, as copies of the
#message are actually in his sent items and drafts folders.  Anyone disagree
#with that assumption?  Sounds like a ludicrous question, but is there any way I
#can track who was using his account?

There has been an uptick in spam sent via compromised accounts nationally
lately; common compromise vectors are either weak passwords being brute
forced, or passwords being phished (for example, did the student recently
reply to a message "from you" asking him to verify his password?)

When it comes to tracking who may have been accessing his account, that's
going to be a function of a couple of things:

-- Do all your server's logs just show activity from the laptop? Or,
   once the user's credentials were obtained, did they log on directly
   from somewhere else? (Eastern Europe, the Far East, Nigeria, whatever?)
   Or are all the logins via random broadband hosts (which are probably
   botted consumer PCs)?

-- Are you seeing any sort of malware on the laptop? If so, do you
   have flow data for your network, so you can potentially see who is
   talking to that host inbound?

#Also, I am unsure how to respond to the situation and no applicable policies
#are in place.  Should campus departments or otherwise be notified of the
#compromise?  Any non-internal legal ramifications here, i.e. I am getting many
#responses from users who received the message.  Should I reply to them?  Does
#that imply that we claim responsibility?  Should I mention that it actually
#was our fault when I try to get off the blacklists we are already on?

I would suggest:

-- confirm that you have voluntary permission from the student, then
   image the laptop before doing any work on it to preserve the chain
   of custody and avoid destroying any evidence, both for forensic
   purposes and in case you find something that will let you drop
   the hammer on these guys with law enforcement

-- assuming you believe the student, and I probably would in this case,
   after the evidence has been preserved get the student system
   reinstalled/restored from backups (or if that's impracticable, maybe
   you'll get lucky with traditional A/V tools, but I wouldn't
   guarantee everything will be 100% clean and 100% stable, particularly
   if you find multiple infections)

   that's also a great time to make sure patches are applied, etc.

-- make sure the student's password has been changed, and I'd also
   probe for any other accounts that may have that same password --
   if there are any, fix those as well (assuming the student had
   shell access on a unix host, be sure to also check for any
   unusual files, tampered file permissions, cron'd badness, etc.)

-- I'd respond to the complaints, explaining that the incident is
   being handled

-- I'd probably also check Senderbase to make sure you're not
   widely blocked on Spamhaus, or whatever. (You can search
   Senderbase by domain or netblock, for example)

Hope this helps,

Regards,

Joe St Sauver (joe () oregon uoregon edu)
http://www.uoregon.edu/~joe/

P.S. You may also be able to glean interesting bits of
information from the backscatter or copies of the messages
you found on the account -- one good step is to check to
see if any spamvertised URLs are listed on the SURBL;
if they aren't, help your spammy "friend" by submitting
them (see http://www.rulesemporium.com/cgi-bin/uribl.cgi )
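The first question Joe raises, whether the server logs show only the laptop or also direct logins from elsewhere, is the kind of thing a short script answers faster than eyeballing a log. The block below is an added example, not part of Joe's post or any product's tooling: it parses constructed login lines in a simplified "<timestamp> <service>-login: Login: user=<u>, rip=<ip>" shape (an illustration, not any mail server's exact format), summarizes every source IP that authenticated as the account, flags IPs outside an assumed "expected" range (the TEST-NET block 192.0.2.0/24 stands in for the campus network), and reports consecutive logins from two different IPs within a few minutes, which is the signature of the account being used by more than one party at once. The account name, addresses and timestamps are all constructed.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log lines (not real data). 192.0.2.x plays the role of the
# student's laptop on campus; 203.0.113.x and 198.51.100.x are outside parties.
SAMPLE_LOG = """\
2008-04-23 17:12:03 imap-login: Login: user=<jstudent>, rip=192.0.2.42
2008-04-23 17:28:40 smtp-login: Login: user=<jstudent>, rip=192.0.2.42
2008-04-23 17:31:15 smtp-login: Login: user=<jstudent>, rip=203.0.113.77
2008-04-23 17:31:16 smtp-login: Login: user=<jstudent>, rip=203.0.113.77
2008-04-23 17:33:02 smtp-login: Login: user=<jstudent>, rip=198.51.100.9
2008-04-23 18:05:11 imap-login: Login: user=<other>, rip=192.0.2.50
2008-04-24 01:02:44 imap-login: Login: user=<jstudent>, rip=192.0.2.42
"""

# Simplified login-line shape assumed for this example.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<svc>\w+)-login: Login: user=<(?P<user>[^>]+)>, rip=(?P<rip>[\d.]+)$"
)

# Assumed "expected" address space for the laptop; anything else means
# somebody used the credentials directly from elsewhere.
EXPECTED_NETS = [ip_network("192.0.2.0/24")]


def parse_logins(text):
    """Yield one dict per parseable login line; lines that don't match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        yield {
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "svc": m["svc"],
            "user": m["user"],
            "rip": m["rip"],
        }


def summarize_sources(text, user, expected_nets=EXPECTED_NETS):
    """Per source IP for `user`: login count, first/last seen, services used,
    and whether the IP lies outside the expected ranges."""
    per_ip = {}
    for e in parse_logins(text):
        if e["user"] != user:
            continue
        s = per_ip.setdefault(
            e["rip"], {"count": 0, "first": e["ts"], "last": e["ts"], "services": set()}
        )
        s["count"] += 1
        s["first"] = min(s["first"], e["ts"])
        s["last"] = max(s["last"], e["ts"])
        s["services"].add(e["svc"])
    for rip, s in per_ip.items():
        addr = ip_address(rip)
        s["outside_expected"] = not any(addr in net for net in expected_nets)
    return per_ip


def overlapping_sources(text, user, window_minutes=10):
    """Consecutive logins for `user` from two different IPs within
    `window_minutes`: the account is in use from more than one place at once."""
    events = sorted(
        (e for e in parse_logins(text) if e["user"] == user), key=lambda e: e["ts"]
    )
    hits = []
    for a, b in zip(events, events[1:]):
        gap = (b["ts"] - a["ts"]).total_seconds()
        if a["rip"] != b["rip"] and gap <= window_minutes * 60:
            hits.append((a["rip"], b["rip"], int(gap)))
    return hits


if __name__ == "__main__":
    for rip, s in summarize_sources(SAMPLE_LOG, "jstudent").items():
        flag = "OUTSIDE EXPECTED" if s["outside_expected"] else "expected"
        print(f"{rip:15} {s['count']:3} logins  {s['first']} .. {s['last']}  "
              f"{sorted(s['services'])}  {flag}")
    for a, b, gap in overlapping_sources(SAMPLE_LOG, "jstudent"):
        print(f"account used from {a} and {b} within {gap}s")
```

Run against the sample, the summary shows the laptop address with both imap and smtp logins and two outside addresses that only ever spoke SMTP, and the overlap check pairs the laptop's 17:28 login with the 17:31 login from 203.0.113.77. On a real server you would feed it the actual auth log and substitute your own address ranges; the regex is the only part tied to the constructed format.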
