Security Incidents mailing list archives

Re: Hacked using vulnerable FTP daemon. -- next steps


From: Paul Tan <paul.tan () embrace com>
Date: Wed, 26 Sep 2001 10:26:33 +0800

Hi again,

We suspect it is a disgruntled ex-employee who did this, because after more forensics, this particular cracker had posted some strong words directed to a particular someone on the company's web server. He first got in on Sept 22, then proceeded to download some binaries (e.g. su.c, bsd.c, ftp-god.c, remv, etc.) from an FTP host in Indonesia. He tried to use one of these scripts to remove entries from utmp, but I managed to get a printout of it, and also a long history of commands he issued. He tried to deface the website with some childish "So and so wuz here" kinda stuff. Unfortunately for him, luckily for us, it didn't work out too well, as most content is being cached in a reverse proxy, so I guess no one saw it. He proceeded to post some content on the company's website directed to the boss of the company, and then altered the access logs of Apache.

Singapore has very, very severe laws on crackers. There have been many crackers that have been sent to jail and given a handful of whips too. However, I'm not too sure on cyber laws in Indonesia. My friend is not keen on prosecuting this cracker/ex-employee/whoever, but he just wants to know for sure that it is that guy who did it and then speak to him about this cowardly act. Well, maybe I still have to contact the ISPs after all to see what they can do to help me out on this case.

For those of you who want to see the logs / binaries, whatever: it may contain some very sensitive information, so I'm not sure if I should release it, because there may be some not so honorable folks on this list that want the juicy information in logs to do not so honorable stuff.... : ) It will be case by case that I release it, ok? Hope I didn't cause any unhappiness.

Currently, I'm setting up a new web server to replace the compromised host. Implemented a firewall, and will review the rest of his infrastructure. This is my first time doing forensics on an actual compromised host and it's very exciting. : ) Thank you for all your advice. Will keep you guys updated.

Rgds,
Paul Tan
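
Paul mentions a script that removes entries from utmp. The classic in-place cleaners leave a run of NUL bytes where the record was, and the rewrite-the-file variants tend to leave a ragged length, so both can be spotted from a copy of wtmp taken off the box. The following is an added example, not from Paul's incident or from any of the tools named above; it assumes the glibc `struct utmp` layout on Linux x86_64 (384-byte records) and builds its own constructed sample data.

```python
import struct
from datetime import datetime, timezone

# glibc struct utmp on Linux x86_64: this layout is an assumption for
# the example; check the record size on the system being examined.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS = 7

def make_record(ut_type, pid, line, user, host, ts):
    """Pack one utmp record; used here only to construct sample data."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"ts/0",
                       user.encode(), host.encode(), 0, 0, 0, ts, 0,
                       0, 0, 0, 0)

def cstr(b):
    return b.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_wtmp(data):
    """Return one dict per complete record, in file order. A record that
    is entirely NUL is flagged 'wiped': that is the trace left by a
    cleaner that blanks an entry in place instead of deleting it."""
    out = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        chunk = data[off:off + UTMP_SIZE]
        f = struct.unpack(UTMP_FMT, chunk)
        out.append({"type": f[0], "pid": f[1], "line": cstr(f[2]),
                    "user": cstr(f[4]), "host": cstr(f[5]),
                    "time": datetime.fromtimestamp(f[9], timezone.utc),
                    "wiped": chunk == b"\0" * UTMP_SIZE})
    return out

def audit_wtmp(data):
    """Return (indexes of wiped records, trailing byte count). A non-zero
    trailing count means the file length is not a multiple of the record
    size, which login(1) never produces on its own."""
    wiped = [i for i, r in enumerate(parse_wtmp(data)) if r["wiped"]]
    return wiped, len(data) % UTMP_SIZE

# Constructed sample: a login, a blanked record, another login, ragged tail.
SAMPLE = (make_record(USER_PROCESS, 1201, "pts/0", "webadmin", "10.0.0.5", 1001106000)
          + b"\0" * UTMP_SIZE
          + make_record(USER_PROCESS, 1377, "pts/1", "guest", "203.0.113.9", 1001109600)
          + b"\x01\x02\x03")

if __name__ == "__main__":
    for i, r in enumerate(parse_wtmp(SAMPLE)):
        print(i, "WIPED" if r["wiped"] else f'{r["user"]} {r["line"]} {r["host"]} {r["time"]:%Y-%m-%d %H:%M}')
    print("anomalies:", audit_wtmp(SAMPLE))
```

Compare the surviving records against other sources (sshd or ftpd syslog lines, the reverse proxy's logs) to see which session the hole used to belong to.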


Alvin Oga wrote:

hi ya

calling the isp is good start....

following up is more important than the reporting itself...
as the script kiddies will keep coming back till they "see a change"
that makes them work harder to get back in

- make a new server for real people to be using...
        - use scp(ssh) instead of ftp

- if you had an unpatched ftp daemon.... well, you've just been hit if
 that's how they got in....vs applying other attacks

- the hacker will be back for that same machine he knows he got in...
- i say let um ... isolate it...
        - get the legal folks to also watch what he is doing
        live and real time ... to make it easier to track um....

- fbi gets interested at $10,000 in damages ...
        - i like it, cause they can go seize the [cr/h]ackers PCs...

for your own action items..
        - don't point the finger to the other isps/hackers ...

        - tighten your own security...
        - disable all insecure services: telnet, ftp, pop3/imap, ppp
        - see the to do list ...

        http://www.Linux-Sec.net  ( server Hardening section )


- many things to do after your server has been compromised... lots of unscheduled extremely important work to do...

        http://www.Linux-Sec.net/Tracking/

have fun
alvin
http://www.Linux-Sec.net

On Tue, 25 Sep 2001, Bojan Zdravkovic wrote:


Hi Paul,

Calling the ISP will help. They won't "get" the guy, only slap his wrist. The
biggest, ultimate effect of calling the ISP would be sending him a warning
email.

ISPs will never forward you any personal info, except if you're a government
investigator. And if an investigator gets involved the damage has to be
substantial (millions).

Don't talk about evidence, and don't blow things out of proportion, this is just
simple mischief, happens to everyone.

And patch that ftpd.

-Bojan




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com