Security Incidents mailing list archives

RE: Overwhelmed........

From: "Oliver Eckel" <oliver-eckel () trustafrica com>
Date: Fri, 22 Jun 2001 19:12:09 -0000

-----Original Message-----
From: Oliver Eckel [mailto:oliver-eckel () trustafrica com] 
Sent: Friday, June 22, 2001 7:11 PM
To: 'Mark Andrich'
Subject: RE: Overwhelmed........

It can also be that someone is using your proxy to cover his tracks. If
you look at tools like unisploit, then youll see that it has settings
for a proxy. It depends how well your proxy is configured.

Oliver Eckel
CSO
Trustafrica.com

-----Original Message-----
From: Mark Andrich [mailto:MAndrich () PreventBlindness org] 
Sent: Wednesday, June 20, 2001 9:49 PM
To: 'incidents () securityfocus com'
Subject: Overwhelmed........

I just installed Snort on my IIS/Proxy server on Monday. On Tuesday I
logged 255 alerts for the unicode exploit. A check of the log file
revealed that our server was attacking another server out on the
internet. I've done the
following:

1. Blocked the packets at the router.
2. emailed the other server's admin to let him know what was going on.
(Haven't heard back) 3. Saved a copy of the Snort alert log
(unfortunately, I didn't have TCPDump logging enabled) 4. Combed through
my IIS logs and found recent repeated attempts to request sample, ftp,
cgi, and other commonly exploited files (the logs only recorded the
local machine name and not the intruder's IP) 5. Combed the Event logs
and found one or two questionable logins to remote email. 6. Got a disk
failure notice, ran chkdsk, and found orphaned files and unknown
allocated space. All deleted/fixed by the chkdsk program (goodbye
forsenics)

There have not been any unicode attempts since yesterday. From what I've
read I'm guessing that my machine was compromised and that the attacker
put some scripts on my machine to run these attacks. I'm also guessing
that the next thing to do, is to wipe the machine clean and re-install
everything. The only problem being having to restore the inetpub
directory which may or may not have been tampered with. So it's:

1. Reinstall from the ground up ensuring that all possible steps are
taken in terms of hardening the OS, following the available security
checklists and applying all necessary patches.

2. After that's complete, change all passwords including system
accounts.

3. Continue in my efforts to get a NetBSD box set up between the router
and our Microsoft products.

Is there anything else anyone might suggest or any other options I
haven't explored? Am I thinking correctly? Anything else to look for?

Thanks,

Mark

Current thread:

Overwhelmed........ Mark Andrich (Jun 21)
- Re: Overwhelmed........ Michael R. Jinks (Jun 22)
- RE: Overwhelmed........ John R. Morris (Jun 22)
- Re: Overwhelmed........ Rune Kristian Viken (Jun 24)
- <Possible follow-ups>
- RE: Overwhelmed........ Oliver Eckel (Jun 24)