Penetration Testing mailing list archives

RE: Looking for help against Chinese Hacking Team


From: "Shenk, Jerry A" <jshenk () decommunications com>
Date: Fri, 12 Dec 2008 22:00:53 -0500

Can you identify the time of the attack?  If you can identify that, then
you can go backward through your web server logs and identify the
attack.

Think about any pages that allow users to send files to your
system...that's a pretty common hole.

How do you know it's "the Chinese"?  If you really do know who it is,
then you should have an IP address....that should make the search for
the attack somewhat simpler....not simple, just simpler;)  Go through
ALL your logs and look for that IP address.  Keep in mind that they
could do recon from one IP and then attack from another...not too common
but certainly possible.

Running a pen-test against the web site MIGHT find it...but then, it
might be something that's not one of the included attacks or it takes a
certain time of obfuscation to get through something.  Really, if you've
been attacked, then the key is to find out what they did to get you.

Obviously you don't have much of a budget (and this isn't a dig, just a
statement of an assumption) if you think a $200 pen-test was a lot of
money so, just go pore over those web logs.  That's where it is.  Make
sure you have the event logging cranked up.  You didn't say what they
did but, if they managed to launch an executable, you can probably catch
it if you turn on auditing for system processes and event tracking.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Mike Hale
Sent: Friday, December 12, 2008 9:22 PM
To: harveyfrank
Cc: pen-test () securityfocus com
Subject: Re: Looking for help against Chinese Hacking Team

Your choices are cheap, fast and properly.

Pick two.
 ;)

If the concern in this case is a vulnerability in your web
application, I'd suggest looking at a web-application firewall.

Setting it up properly can get very expensive, unless you know exactly
how your traffic needs to look.  There are some open-source ones
available that are pretty good, such as ModSecurity.

If you're the technical guy for the company, I'd recommend taking a
weekend to read up on the various features and setting up a test box
somewhere.  Once that's done, start by securing small portions of your
web site at a time.  Figure out what legitimate packets look like, and
allow only those through.

On Fri, Dec 12, 2008 at 4:59 PM, harveyfrank <joet () ticadvisors com>
wrote:

We've been battling the Chinese for several months now and have gone
through several waves of US security experts who have failed to stop
them. In their defense, we are not on an unlimited budget and they've
gotten us to a point where it looks as though somewhere among the site's
400 scripts is a SQL injection vulnerability.

Automated testing by a few pen test products seems to think we're fine.
We definitely are not.

Is it possible to hire a CEH to find the Chinese-discovered
vulnerability for a few hundred dollars? (We aren't just being cheap,
we've blown our wad on security that hasn't worked.) Would someone with
intimate knowledge of the latest wave of Chinese attacks be required
for this job? Besides our first rate security team that's just been
beat, I've tried the $200 pen test folks and they have all failed.
Microsoft security help has also failed.

Advice (Besides porting to Linux)? Help?
--
View this message in context:
http://www.nabble.com/Looking-for-help-against-Chinese-Hacking-Team-tp20986210p20986210.html
Sent from the Penetration Testing mailing list archive at Nabble.com.



------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report

------------------------------------------------------------------------





--
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
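The log review Jerry describes above, as an added example that is not part of any message in this thread: parse web server access-log lines, optionally restrict them to the suspected source address, URL-decode each request and flag the ones carrying SQL injection indicators, then list which of the site's scripts received them. The log lines, addresses and indicator patterns are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in combined log format (not real data; RFC 5737 test addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Dec/2008:20:11:02 -0500] "GET /products.asp?id=12 HTTP/1.1" 200 5120
203.0.113.7 - - [12/Dec/2008:20:11:09 -0500] "GET /products.asp?id=12%27%20OR%201%3D1-- HTTP/1.1" 200 9981
203.0.113.7 - - [12/Dec/2008:20:11:15 -0500] "GET /products.asp?id=12%27%20UNION%20SELECT%20name%20FROM%20sysobjects-- HTTP/1.1" 500 412
198.51.100.20 - - [12/Dec/2008:20:12:40 -0500] "GET /index.asp HTTP/1.1" 200 2301
203.0.113.7 - - [12/Dec/2008:20:13:01 -0500] "POST /upload.asp HTTP/1.1" 200 88
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

# Common SQL injection indicators, matched against the URL-decoded request path.
SQLI_RE = re.compile(
    r"'.*?(--|;)|\b(union\s+select|or\s+1\s*=\s*1|xp_cmdshell|sysobjects|information_schema)\b",
    re.IGNORECASE)

def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode twice so double-encoded payloads (%2527) are also normalised.
    rec["decoded"] = unquote_plus(unquote_plus(rec["path"]))
    return rec

def find_attack_requests(log_text, attacker_ip=None):
    """List (timestamp, ip, decoded path, status) for requests carrying SQLi indicators.
    With attacker_ip=None every source is scanned, which also catches recon from
    one address followed by the attack from another."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or (attacker_ip and rec["ip"] != attacker_ip):
            continue
        if SQLI_RE.search(rec["decoded"]):
            hits.append((rec["ts"], rec["ip"], rec["decoded"], rec["status"]))
    return hits

def suspect_scripts(hits):
    """Scripts that received injection attempts: where to look first among the 400."""
    return sorted({path.split("?", 1)[0] for _, _, path, _ in hits})
```

The first flagged timestamp gives the point from which to read the rest of the logs backward and forward; a 500 status on a flagged request is a strong hint that the injected input reached the database.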





