Full Disclosure mailing list archives
RE: [inbox] Reacting to a server compromise
From: "Curt Purdy" <purdy () tecman com>
Date: Sun, 3 Aug 2003 16:19:36 -0500
Although the answer may be more in coming from an attorney than from a tech, IMHO your legal responsibility is to inform both the owner of the box as well as the victims. As long as you show "best effort" in reporting you should be all right. But, particularly with medical victims that must conform to HIPAA, there could be serious ramifications if you don't. Keep in mind that it is trivial to find out it was that box, if investigators from the victims/compromised patients decide to run it down. That is why the cracker used that box to start with, so he couldn't be tracked. That box will be your best evidence for defense (hoping you had enough sense not to reformat it).

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions
cpurdy () dpsol com
936.637.7977 ext. 121

----------------------------------------
If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Mark
Sent: Friday, August 01, 2003 10:39 PM
To: full-disclosure () lists netsys com
Subject: [inbox] [Full-disclosure] Reacting to a server compromise

Hello list,

In light of the current state of the internet with the DCOM vuln, I would like to ask for some advice on a situation I had at work.

A little while ago (but before the DCOM vuln was released) I had a Win2k box hacked. The box was outside our firewall, running minimal services (ftp/www/smtp - gateway only) and was set to download/install everything it could via Auto-updates. Apparently I didn't reboot it often enough for all of the updates to take effect. Personally I really don't care how the hacker got in, as the box has now been replaced with a hardened Linux server, and when the attacker had control, they were still outside our firewall.

The attacker created a user account with admin privs, installed a trojan, disabled all network access to any users except this new account, and proceeded to hack other vulnerable NT machines out on the net. I found a list of about 100 IPs with usernames and passwords that were either blank or the same as the username.

My question is: Do I report this, and run the risk of the Feds charging me because these attacks originated from my subnet? Do I inform the owners of the machines that were hacked that their systems have been compromised? Judging from the usernames, some of these machines belonged to doctors' offices, and may contain sensitive information. Or should I just have a nice cup of STFU, and pretend nothing happened?

Before the flames start about how I'm such a lazy admin, I'd like you to know that I'm a developer full-time for a small company with a small budget and I manage the network with my "free" time. Yes, it was stupid to stick a Windows box out on the net without a firewall. I tell people all the time the same thing; maybe I'm just a sadist that likes watching M$ boxes get hacked, I don't know. But in that instance I really didn't care.

I'd appreciate any comments anyone has....

Thanks,
Mark

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Reacting to a server compromise Mark (Aug 01)
- Re: Reacting to a server compromise Peter Busser (Aug 02)
- RE: Reacting to a server compromise Wayne Chang (Aug 02)
- Re: Reacting to a server compromise SecuresDotComs (Aug 02)
- RE: Reacting to a server compromise Edward W. Ray (Aug 02)
- Re: Reacting to a server compromise Aron Nimzovitch (Aug 03)
- RE: [inbox] Re: Reacting to a server compromise Curt Purdy (Aug 04)
- RE: [inbox] Re: Reacting to a server compromise Ron DuFresne (Aug 04)
- RE: Reacting to a server compromise Edward W. Ray (Aug 02)
- <Possible follow-ups>
- Re: Reacting to a server compromise Jennifer Bradley (Aug 02)
- RE: [inbox] Re: Reacting to a server compromise Curt Purdy (Aug 03)
- RE: [inbox] Re: Reacting to a server compromise Michal Zalewski (Aug 03)
- RE: [inbox] Re: Reacting to a server compromise Curt Purdy (Aug 04)
- RE: [inbox] Re: Reacting to a server compromise Michal Zalewski (Aug 05)
- RE: [inbox] Re: Reacting to a server compromise Curt Purdy (Aug 05)
- RE: [inbox] Re: Reacting to a server compromise Bojan Zdrnja (Aug 06)
- RE: [inbox] Re: Reacting to a server compromise Michal Zalewski (Aug 06)
- Re: [inbox] Re: Reacting to a server compromise Valdis . Kletnieks (Aug 05)
- RE: [inbox] Re: Reacting to a server compromise Curt Purdy (Aug 03)
- Re: [inbox] Re: Reacting to a server compromise morning_wood (Aug 03)