Security Basics mailing list archives

Re: compromised network

From: "Lard van den Berg" <lard () vandenberg com>
Date: Mon, 29 Dec 2003 23:31:43 -0000

Dana,
I would externally disconnect your network (of course if this is possible -
not always in age of e-commerce etc.) and build up your network from
scratch. Depending on how many servres you have got it is a rather daunting
task to find out what is infected and what isn't. Re-install OS systems and
look at backups of logsfiles of the compromised ones to see if there any
foodprints. You might want to leave a disinfected server inplace
(disconnected though) for any legal steps you want to take. Installing an
IDS system would be suggested in future.







Regards,
Lard van den Berg

----- Original Message -----
From: "Dana Rawson" <absolutezero273c () nzoomail com>
To: <security-basics () securityfocus com>
Sent: Friday, December 26, 2003 7:21 PM
Subject: compromised network



Not sure where to start except by saying that my servers and router were

compromised.  Have locked down both servers and routers (at least I have
attempted to do so) but what is the best way to verify that there is nothing
rogue left active on the servers?  Also, is there any legal action I should
take (i.e. Do I alert any authorities)?  It appears that my network was
targeted by a server in california and individuals from Australia,
Netherlands and the US were connecting using it as an ftp server.  Was
actually named "Revenge Server".


I just installed Ethereal and am currently capturing packets but am not

really sure how to read this or if there is any easier way to monitor all
things. ...And to actually know how to read it.


Will I be able to retrieve ip addresses from packets to match activity on

my syslog and identify rogue traffic?


This is all new to me so I apologize if my questions don't make sense or

my approach is illogical.


--------------------------------------------------------------------------

--------------------------------------------------------------------------

--



---------------------------------------------------------------------------
----------------------------------------------------------------------------

Current thread:

compromised network Dana Rawson (Dec 29)
- RE: compromised network Raoul Armfield (Dec 29)
  - Re: compromised network Alvin Oga (Dec 30)
    - RE: compromised network Yvan Boily (Dec 31)
- RE: compromised network Glenn Pearl (Dec 29)
  - Re: compromised network erisk (Dec 30)
    - Re: compromised network Jason Coombs (Dec 31)
    - Re: compromised network Meritt James (Dec 31)
- Re: compromised network Lard van den Berg (Dec 30)
- Re: compromised network Christos Gioran (Dec 30)
- RE: compromised network JM (Dec 30)
- Re: compromised network DT - Paulo Santos (Dec 30)
- <Possible follow-ups>
- RE: compromised network Francisco Mário Ferreira Custódio (Dec 29)
  - Re: compromised network Meritt James (Dec 29)
- RE: compromised network Angus (Dec 29)
- Re: compromised network jamesworld (Dec 30)
- Re: compromised network H Carvey (Dec 31)