RE: Help please

["McCammon, Keith" <Keith.McCammon () eadvancemed com>]

Ryan,

Forgive me for not offering much technical assistance, but...

The single best thing that you can do is unplug the network connection
leading to that box.  Then, if you must know what has happened, make a
full backup of the box and begin your forensic analysis.

To knowingly allow an unauthorized user to attack another network using
one of your hosts is quite irresponsible.

Good day,

Keith

-----Original Message-----
From: Ryan Hairyes [mailto:rhairyes () lee k12 nc us]
Sent: Saturday, February 02, 2002 2:41 PM
To: incidents () securityfocus com
Subject: Help please


Hello all.


I am having some trouble and would like to know if someone can help me
out.
Right now my mailserver (RedHat 7.2) is being used by unwanted guest to 
attack adult sites via port 80 (Apache 1.3.20).  When I run a netstat
-an
on my system I can "see" them connected to my machine.  I have snort and

have run that as well and sure  enough they are there.  It seems as
though
they are using my apache to do brute force password cracking on these
adult
sites.  Thanks in advance.

Ryan


--------------------
Ryan Hairyes
Network Administrator -- Lee County School System
919.774.6226 x 1252
rhairyes () lee k12 nc us



------------------------------------------------------------------------
----
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com