Overwhelmed........

[Mark Andrich <MAndrich () PreventBlindness org>]

I just installed Snort on my IIS/Proxy server on Monday. On Tuesday I logged
255 alerts for the unicode exploit. A check of the log file revealed that
our server was attacking another server out on the internet. I've done the
following:

1. Blocked the packets at the router.
2. emailed the other server's admin to let him know what was going on.
(Haven't heard back)
3. Saved a copy of the Snort alert log (unfortunately, I didn't have TCPDump
logging enabled)
4. Combed through my IIS logs and found recent repeated attempts to request
sample, ftp, cgi, and other commonly exploited files (the logs only recorded
the local machine name and not the intruder's IP)
5. Combed the Event logs and found one or two questionable logins to remote
email.
6. Got a disk failure notice, ran chkdsk, and found orphaned files and
unknown allocated space. All deleted/fixed by the chkdsk program (goodbye
forsenics)

There have not been any unicode attempts since yesterday. From what I've
read I'm guessing that my machine was compromised and that the attacker put
some scripts on my machine to run these attacks. I'm also guessing that the
next thing to do, is to wipe the machine clean and re-install everything.
The only problem being having to restore the inetpub directory which may or
may not have been tampered with. So it's:

1. Reinstall from the ground up ensuring that all possible steps are taken
in terms of hardening the OS, following the available security checklists
and applying all necessary patches.

2. After that's complete, change all passwords including system accounts.

3. Continue in my efforts to get a NetBSD box set up between the router and
our Microsoft products.


Is there anything else anyone might suggest or any other options I haven't
explored? Am I thinking correctly? Anything else to look for?

Thanks,

Mark