RE: Odd situation, advice needed on penentration test results

["Greg Reber" <greg.reber () astechconsulting com>]

If the company has Intrusion alert procedures, get them started ASAP.  This
is not a test anymore.

Get a forensics expert to start work immediately.

Notify your customer of everything you know right now and keep them
informed.

If the exploit is specific to one vendor's product, notify the vendor of the
exploit so they can tell the world.  Give them three days to do that, then
tell the world yourself.

Find out why the intruder was able to get to the box in question. Tell your
client the answer immediately.

-greg

The information in this email is likely confidential and may be legally
privileged. It is intended solely for the addressee. Access to this email by
anyone else is unauthorized. If you are not the intended recipient,  any
disclosure, copying, distribution or any action taken or omitted to be taken
in reliance on it, is prohibited and may be unlawful.

-----Original Message-----
From: saraf () hushmail com [mailto:saraf () hushmail com]
Sent: Wednesday, March 26, 2003 11:54 AM
To: pen-test () securityfocus com
Subject: Odd situation, advice needed on penentration test results


*** PGP Signature Status: unknown
*** Signer: Unknown, Key ID = 0x508994DB
*** Signed: 3/26/2003 11:58:19 AM
*** Verified: 3/26/2003 1:58:20 PM
*** BEGIN PGP VERIFIED MESSAGE ***


Pen-testers,

My company recently engaged on a penetration test for a large fortune
500 company. The first week of the test harvested no results to speak
of. However in the second week while re-scanning a particular subnet
where they hosted their staging systems we found a machine with a listening
port where there had not been one before. We discovered the port listening
was actually a backdoor (a common one) with a default password. We used
the portshell to gain entry onto the machine and one inside (it was a
win2k machine) we found a series of things. Firstly we had gained access
just shortly after the intruder as they were still present on the box
downloading from another box on the net. The downloads were going into
a sub directory normally used for another software package. The interesting
and troublesome part is related to what the intruder was downloading.
In short the items of interest were:

1. source code for what we think is an unpublished remote exploit for
a largely deployed service.
2. parts of commercial sourcecode for a vulnerability scanner from a
security vendor.
3. parts of commercial sourcecode for a firewall from another security
vendor.
4. what looks like a fairly advanced windows based kernel rootkit.

This stuff was also packaged with a whole series of other tools some
public some not. Our area of concern is what do we do now? The sourcecode
is obviously stolen and the exploit is likely unpublished and we are
left holding the bag to notify all of these vendors etc. Our concern
is that our client will likely be involved as well which is potentially
embarrassing to them. We have not yet acted on this (happened this morning)
and I would very much like any advice this list has to offer. In particular
if you have ever faced this type of problem before.



*** END PGP VERIFIED MESSAGE ***




Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2

Big $$$ to be made with the HushMail Affiliate Program:
https://www.hushmail.com/about.php?subloc=affiliate&l=427

top spam and e-mail risk at the gateway.
SurfControl E-mail Filter puts the brakes on spam & viruses
and gives you the reports to prove it. See exactly how much
junk never even makes it in the door. Free 30-day trial:
http://www.surfcontrol.com/go/zsfptl1


top spam and e-mail risk at the gateway.
SurfControl E-mail Filter puts the brakes on spam & viruses
and gives you the reports to prove it. See exactly how much
junk never even makes it in the door. Free 30-day trial:
http://www.surfcontrol.com/go/zsfptl1