Security Basics mailing list archives
RE: compromised network
From: Angus <angus_md () yahoo com>
Date: Mon, 29 Dec 2003 11:13:06 -0800 (PST)
Dana,

First I want to say, these are excellent, but difficult questions. They mostly depend on how it affects your organization. Without knowing what was hacked/running, what was taken, your business model, etc. it is hard to say (I'd prefer not to have this info advertised on a mailing list, especially when potential hackers may reside here). Here are my answers in the order they appear. As with most of my rare postings, it is a novel. They are by no means the be-all and end-all, but in touchy situations like this, you will find you need to examine and apply them as best you can to your organization.

1. What is the best way to verify that there is nothing rogue left active on the servers?

There really is no good way, short of examining all binaries and comparing them to MD5 hashes of initial installs/OEM fingerprint databases. You could do this to prior backups, but unless you have a known good backup, you could be comparing it to something already exploited. Depending on the impact on the operations, you are probably better off rebuilding it. Even though there may not be a malicious backdoor running when you do a typical port scan, what is to say the intruder did not modify the TCP/IP stack to fire off a backdoor if an impossible packet arrives, say a packet with a reset and a FIN set, on a known port accessible from outside?

2. Is there any legal action I should take?

This is a question that has stumped philosophers since the beginning of time. Unfortunately, only you and your organization can answer this one. Ethically, you probably should, however some people like to save face and avoid it, so they don't lose reputation with their customers. I would suggest analyzing what was compromised, why if you can, who, and what was taken. And look at the damages. Remember, time is money, including time dealing with the event. Even if they took nothing, you still have obviously spent company time working/thinking about this.

Even though you may or may not have enough for a lawsuit, you may still be legally bound to let consumers know about it. Laws are different from state to state, to country. If you are located in Alaska, and you do business over the internet to other states, their laws will apply whether you solicit their business or not. AKA, if credit card info was taken, and you have California customers, you are legally bound to notify them regardless of location, probably forcing you to talk to Law Enforcement. Also keep in mind that your actions, or lack of actions, can come back to haunt you. If someone uses your systems as a starting point for an attack, you can be hit with downstream liability. Even though you can go after the perps, it is still pain no one wants, especially since they may not be able to compensate you, once again forcing Law Enforcement involvement. Sometimes it is best to do it from the start to make sure evidence is still around. I would speak to a lawyer if available for recommendations, put together a nice report w/ pros and cons and let them make the decision. Remember that magnetic media may be repo'd as evidence and attacked for validity. You will need to convince a court of law that your evidence was not tampered with, for example: MD5 hashes, stored in a safe place with minimal people accessing, data not writable, etc.

3. I just installed Ethereal and am currently capturing packets but am not really sure how to read this or if there is any easier way to monitor all things. ...And to actually know how to read it.

Ethereal is good for looking at the packets captured, and it is mainly a preference issue, so I'm not going to start a debate on that. However, grabbing all packets can become very expensive w/ disk space, and cumbersome to read. You may be better off looking into a NIDS/HIDS system, like Snort and/or Tripwire, to alert you to possible malicious activity. They can categorize potential threats by severity and likelihood of success.

Even though they WILL create false positives (and possible false negatives) it is probably a lot better than analyzing all packets and looking for a needle in a haystack, especially if you aren't familiar with this sort of thing.

4. Will I be able to retrieve ip addresses from packets to match activity on my syslog and identify rogue traffic?

Yes, assuming syslog is reporting it.

-----Original Message-----
From: Dana Rawson [mailto:absolutezero273c () nzoomail com]
Sent: Friday, December 26, 2003 2:22 PM
To: security-basics () securityfocus com
Subject: compromised network

Not sure where to start except by saying that my servers and router were compromised. Have locked down both servers and routers (at least I have attempted to do so) but what is the best way to verify that there is nothing rogue left active on the servers? Also, is there any legal action I should take (i.e. do I alert any authorities)? It appears that my network was targeted by a server in California and individuals from Australia, Netherlands and the US were connecting using it as an ftp server. Was actually named "Revenge Server".

I just installed Ethereal and am currently capturing packets but am not really sure how to read this or if there is any easier way to monitor all things. ...And to actually know how to read it. Will I be able to retrieve ip addresses from packets to match activity on my syslog and identify rogue traffic?

This is all new to me so I apologize if my questions don't make sense or my approach is illogical.
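Answer 1 above describes comparing every binary against hashes taken from a known-good install. The script below is an added illustration of that baseline-and-diff workflow, not code from the post or from either correspondent: it hashes a directory tree into a manifest you would store offline, then diffs a later manifest against it to report modified, added and missing files. The digest algorithm (SHA-256 rather than the MD5 the post mentions), the sample file names and the tampering scenario are all constructed for the demo.

```python
"""File-integrity baseline check: hash every file under a directory tree,
keep the digests as a manifest taken from a known-good state, and later
diff a fresh manifest against it.

Added example for illustration; it is not from the mailing-list post.
Assumptions: SHA-256 digests (the post mentions MD5), and a constructed
sample tree under a temporary directory."""
import hashlib
import json
import os
import tempfile


def hash_file(path, algorithm="sha256", chunk_size=1 << 16):
    """Return the hex digest of one file, streaming it in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root, algorithm="sha256"):
    """Map each regular file's path (relative to root) to its digest."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks, devices, sockets
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full, algorithm)
    return manifest


def compare_manifests(baseline, current):
    """Diff two manifests: files whose digest changed, files that appeared,
    and files that vanished since the baseline was recorded."""
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "missing": missing}


def demo():
    """Constructed scenario: baseline a small tree, alter it, then diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as fh:
            fh.write(b"original ls binary\n")
        with open(os.path.join(root, "bin", "ps"), "wb") as fh:
            fh.write(b"original ps binary\n")

        # The baseline would normally be written to read-only media
        # and kept off the host; here we just serialize it to JSON.
        baseline_json = json.dumps(hash_tree(root), sort_keys=True)

        # Simulated post-compromise state: ps replaced, a file added,
        # ls deleted.
        with open(os.path.join(root, "bin", "ps"), "wb") as fh:
            fh.write(b"replaced ps binary\n")
        with open(os.path.join(root, "bin", "unexpected"), "wb") as fh:
            fh.write(b"not in baseline\n")
        os.remove(os.path.join(root, "bin", "ls"))

        return compare_manifests(json.loads(baseline_json), hash_tree(root))


if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the baseline and the tool that runs it: both must come from media the intruder could not have written to, which is why the post steers toward rebuilding when the impact allows it.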
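Answer 4 above says the capture's IP addresses can be matched against syslog as long as syslog records the activity. The following is an added example of that correlation, not code from the post: it takes a one-line-per-packet summary (the tab-separated `ip.src`, `ip.dst`, `tcp.dstport` output that `tshark -T fields` produces is the assumed format) plus a syslog excerpt, then reports which external sources have a log trail and which produced traffic that syslog never mentioned. All addresses and log lines are constructed.

```python
"""Correlate source addresses seen in a packet capture with syslog lines.

Added example, not from the post. The capture lines assume a tshark-style
summary (src, dst, dst port separated by tabs); the log lines and the
addresses are constructed for the demo."""
import re
from collections import defaultdict

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed capture summary for the server 192.0.2.10
CAPTURE = """\
203.0.113.7\t192.0.2.10\t21
203.0.113.7\t192.0.2.10\t21
198.51.100.23\t192.0.2.10\t22
192.0.2.55\t192.0.2.10\t80
198.51.100.99\t192.0.2.10\t6667
"""

# Constructed syslog excerpt from the same server
SYSLOG = """\
Dec 26 14:01:12 srv proftpd[2211]: 192.0.2.10 (203.0.113.7[203.0.113.7]) - FTP session opened.
Dec 26 14:02:40 srv sshd[2302]: Failed password for root from 198.51.100.23 port 4412 ssh2
Dec 26 14:03:01 srv proftpd[2211]: 192.0.2.10 (203.0.113.7[203.0.113.7]) - USER anonymous: Login successful.
"""


def capture_sources(text, local_net_prefix):
    """Map each external source IP to the set of destination ports it hit."""
    ports = defaultdict(set)
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue  # malformed line, skip
        src, _dst, port = parts
        if src.startswith(local_net_prefix):
            continue  # internal host, not of interest here
        ports[src].add(int(port))
    return dict(ports)


def syslog_by_ip(text, local_ips):
    """Group syslog lines by every IP they mention, except the host's own."""
    hits = defaultdict(list)
    for line in text.splitlines():
        for ip in set(IPV4.findall(line)) - set(local_ips):
            hits[ip].append(line)
    return dict(hits)


def correlate(capture_text, syslog_text,
              local_net_prefix="192.0.2.", local_ips=frozenset({"192.0.2.10"})):
    """Split capture sources into those with a syslog trail and those without.
    Unlogged traffic is the set to examine first: a service that talks on
    the wire but leaves nothing in syslog was either never configured to
    log or is not one you installed."""
    sources = capture_sources(capture_text, local_net_prefix)
    logs = syslog_by_ip(syslog_text, local_ips)
    logged, unlogged = {}, {}
    for ip, ports in sources.items():
        if ip in logs:
            logged[ip] = {"ports": ports, "lines": logs[ip]}
        else:
            unlogged[ip] = ports
    return {"logged": logged, "unlogged": unlogged}


if __name__ == "__main__":
    result = correlate(CAPTURE, SYSLOG)
    for ip, info in result["logged"].items():
        print(f"{ip}: ports {sorted(info['ports'])}, {len(info['lines'])} log line(s)")
    for ip, ports in result["unlogged"].items():
        print(f"{ip}: ports {sorted(ports)}, NO syslog entries")
```

Feed it real data by replacing the two constants with the output of `tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e tcp.dstport` and the relevant syslog file; the regex-based grouping is deliberately format-agnostic so it works across daemons that log addresses differently.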