Security Basics mailing list archives

RE: compromised network


From: Francisco Mário Ferreira Custódio <fcustodio () eda pt>
Date: Mon, 29 Dec 2003 16:30:39 -0100

Hello Dana.

All questions make sense!


If your network has been compromised, you should alert the authorities. You
should collect as much information as possible in order to track the bad
guys. According to your e-mail, it looks like the bad guys used your
systems to make a dump site. It seems you have been attacked by some "warez"
freaks trying to get space for dumping files.

To check for any rogue stuff, you should check all the processes running on
each box, you should check the traffic for layer 4 information (TCP/UDP
packets and ports) to figure out what's running in and out. Finally you
should check for layer 3 information (IP addresses), destinations and
origins, and check for suspicious IP addresses.

Ethereal provides you useful information; when you finish your
captures, Ethereal organizes the packets in a very reader-friendly way. You
can see all the information I was talking about. Check all this information
against your syslog.

You will be doing forensics work at this time.

I strongly advise you to deploy a Network IDS (Snort is a good choice). The
nIDS will alert you of any suspicious activity within your network.

Good luck.

FC
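The correlation step described above (layer 3/4 tuples from a capture, checked against syslog) can be scripted. The following is an added example, not code from the original thread or from Ethereal or Snort: it parses a minimal pcap file, counts connections from addresses outside an assumed internal subnet (192.168.1.0/24), and flags those whose address also appears in FTP daemon syslog entries. The pcap bytes, syslog lines, addresses and the "ftpd ... from <ip>" log format are all constructed here as assumptions so the script runs offline.

```python
"""Correlate layer 3/4 flow data from a pcap with syslog entries.

Added example (not from the original thread). Both the pcap bytes and the
syslog lines below are constructed here so the script runs offline; the
addresses, host names and the "ftpd" log format are assumptions.
"""
import struct
import ipaddress
from collections import Counter

LINKTYPE_ETHERNET = 1
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed site LAN


def build_pcap(packets):
    """Build a minimal little-endian pcap file (Ethernet/IPv4/TCP SYN) from
    (src, dst, sport, dport) tuples. Used only to construct sample input."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for src, dst, sport, dport in packets:
        # TCP header: ports, seq, ack, data offset (5 words), SYN flag, window, csum, urg
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
        total = 20 + len(tcp)
        # IPv4 header: ver/IHL, TOS, length, id, flags/frag, TTL, proto=6, csum, src, dst
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp  # dummy MACs, EtherType IPv4
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Yield (src, dst, proto, sport, dport) for each IPv4 TCP/UDP packet."""
    magic, = struct.unpack("<I", data[:4])
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ihl = (frame[14] & 0x0F) * 4          # IP header length in bytes
        proto = frame[23]
        src = str(ipaddress.ip_address(frame[26:30]))
        dst = str(ipaddress.ip_address(frame[30:34]))
        l4 = frame[14 + ihl:]
        if proto in (6, 17) and len(l4) >= 4:  # TCP or UDP: ports are first 4 bytes
            sport, dport = struct.unpack("!HH", l4[:4])
            yield src, dst, proto, sport, dport


def external_peers(flows):
    """Count connections per (external source address, destination port)."""
    hits = Counter()
    for src, dst, proto, sport, dport in flows:
        if ipaddress.ip_address(src) not in INTERNAL_NET:
            hits[(src, dport)] += 1
    return hits


def syslog_ips(lines):
    """Pull client addresses out of ftpd-style syslog lines (format assumed)."""
    ips = set()
    for line in lines:
        if "ftpd" in line and "from" in line:
            ips.add(line.rsplit("from", 1)[1].strip().strip("[]"))
    return ips


def correlate(pcap_bytes, syslog_lines):
    """Return {(ip, port): (connection_count, seen_in_ftp_syslog)} for every
    external address seen on the wire."""
    hits = external_peers(parse_pcap(pcap_bytes))
    logged = syslog_ips(syslog_lines)
    return {key: (count, key[0] in logged) for key, count in hits.items()}


# --- constructed sample input (not real capture or log data) ---
SAMPLE_PCAP = build_pcap([
    ("203.0.113.7", "192.168.1.10", 40001, 21),   # external -> FTP
    ("203.0.113.7", "192.168.1.10", 40002, 21),
    ("198.51.100.9", "192.168.1.10", 51000, 21),
    ("192.168.1.20", "192.168.1.10", 33000, 22),  # internal admin SSH, ignored
])
SAMPLE_SYSLOG = [
    "Dec 26 17:55:01 srv1 ftpd[2211]: ANONYMOUS FTP LOGIN from 203.0.113.7",
    "Dec 26 17:58:43 srv1 ftpd[2215]: FTP LOGIN from 198.51.100.9",
    "Dec 26 18:01:12 srv1 sshd[2220]: Accepted publickey for admin from 192.168.1.20",
]

if __name__ == "__main__":
    for (ip, port), (count, in_log) in sorted(correlate(SAMPLE_PCAP, SAMPLE_SYSLOG).items()):
        print(f"{ip}:{port} connections={count} seen_in_syslog={in_log}")
```

On a real capture you would replace SAMPLE_PCAP with the bytes of a file saved from Ethereal (libpcap format) and SAMPLE_SYSLOG with lines from the server's log; an external address that shows up both on the wire to port 21 and in ftpd login entries is the kind of record worth preserving for the authorities before the system is rebuilt.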


-----Original Message-----
From: Dana Rawson [mailto:absolutezero273c () nzoomail com] 
Sent: Friday, 26 December 2003 18:22
To: security-basics () securityfocus com
Subject: compromised network



Not sure where to start except by saying that my servers and router were
compromised.  Have locked down both servers and routers (at least I have
attempted to do so) but what is the best way to verify that there is nothing
rogue left active on the servers?  Also, is there any legal action I should
take (i.e. do I alert any authorities)?  It appears that my network was
targeted by a server in California and individuals from Australia, the
Netherlands and the US were connecting using it as an FTP server.  Was
actually named "Revenge Server".

I just installed Ethereal and am currently capturing packets but am not
really sure how to read this or if there is any easier way to monitor all
things... and to actually know how to read it.

Will I be able to retrieve IP addresses from packets to match activity on my
syslog and identify rogue traffic?

This is all new to me so I apologize if my questions don't make sense or my
approach is illogical.
