Security Basics mailing list archives

RE: compromised network


From: "JM" <jm () mindless com>
Date: Tue, 30 Dec 2003 13:33:12 -0000

The only way to be 100% is to completely start from scratch again.

Not the ideal solution I know, but then you can be confident that everything
is clean. 

If this is not an option, scan for viruses, malware, adware, trojans etc.
But if I had a good backup, I would start again.

Do you know how everything got compromised?  When starting again, make sure
you don't make the same mistakes.  i.e. turn off that MS FTP server! 

-----Original Message-----
From: Dana Rawson [mailto:absolutezero273c () nzoomail com] 
Sent: 26 December 2003 19:22
To: security-basics () securityfocus com
Subject: compromised network



Not sure where to start except by saying that my servers and router were
compromised.  Have locked down both servers and routers (at least I have
attempted to do so) but what is the best way to verify that there is nothing
rogue left active on the servers?  Also, is there any legal action I should
take (i.e. Do I alert any authorities)?  It appears that my network was
targeted by a server in California and individuals from Australia, the
Netherlands and the US were connecting using it as an FTP server.  Was
actually named "Revenge Server".

I just installed Ethereal and am currently capturing packets but am not
really sure how to read this or if there is any easier way to monitor all
things. ...And to actually know how to read it. 

Will I be able to retrieve IP addresses from packets to match activity on my
syslog and identify rogue traffic?

This is all new to me so I apologize if my questions don't make sense or my
approach is illogical.
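One way to do what the original question asks, pulling IP addresses out of a packet capture and matching them against syslog, as an added example that is not code posted by anyone in this thread. It is plain Python using only the standard library: it writes a small libpcap file itself (the same file format Ethereal saves), parses it back, keeps every TCP packet aimed at the FTP control port from a host outside a trusted set, and lists the syslog lines that mention the same address. The capture, the syslog lines, the MSFTPSVC log format, FTP_PORT and TRUSTED are all constructed assumptions for the demo; with a real capture you would read the saved file's bytes into find_rogue_ftp_clients instead of calling build_pcap.

```python
"""Match IP addresses seen in a packet capture against syslog entries.

Added example for this thread, not code posted by either correspondent. Pure
standard library; the pcap bytes, syslog lines and TRUSTED set are constructed.
"""
import re
import socket
import struct
from collections import defaultdict

FTP_PORT = 21                # assumption: the exposed service was FTP
TRUSTED = {"192.168.1.10"}   # assumption: the only legitimate FTP client
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def build_pcap(packets):
    """Write a libpcap file (link type 1, Ethernet) of (src, dst, sport, dport, flags)
    TCP packets. Checksums are left at zero; enough for parsing and for Ethereal."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, (src, dst, sport, dport, flags) in enumerate(packets):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), i, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp   # dummy MACs, EtherType IPv4
        out += struct.pack("<IIII", 1072464000 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Yield (src_ip, dst_ip, sport, dport, tcp_flags) for each IPv4/TCP packet."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    offset = 24                                  # skip the 24-byte global header
    while offset + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[offset:offset + 16])[2]
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                             # not IPv4-over-Ethernet carrying TCP
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(tcp) < 14:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield (socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]),
               sport, dport, tcp[13])


def index_syslog(lines):
    """Map every IPv4 address mentioned in syslog to the lines that mention it."""
    index = defaultdict(list)
    for line in lines:
        for ip in set(IP_RE.findall(line)):
            index[ip].append(line)
    return index


def find_rogue_ftp_clients(pcap_bytes, syslog_lines, trusted=TRUSTED):
    """Return {client_ip: {"packets": n, "syn": n, "syslog": [lines]}} for every
    untrusted host that sent packets to the FTP control port. syn > 0 means the
    host initiated a connection rather than merely answering one."""
    by_ip = index_syslog(syslog_lines)
    report = {}
    for src, _dst, _sport, dport, flags in parse_pcap(pcap_bytes):
        if dport != FTP_PORT or src in trusted:
            continue
        entry = report.setdefault(src, {"packets": 0, "syn": 0, "syslog": by_ip.get(src, [])})
        entry["packets"] += 1
        if flags & 0x02:
            entry["syn"] += 1
    return report


# Constructed sample data: two outside hosts reaching the FTP service on
# 192.168.1.2, one trusted LAN client, one server reply, one non-FTP probe.
SAMPLE_PACKETS = [
    ("203.0.113.45", "192.168.1.2", 40000, 21, 0x02),   # SYN from outside
    ("203.0.113.45", "192.168.1.2", 40000, 21, 0x18),   # PSH/ACK, same session
    ("192.168.1.2", "203.0.113.45", 21, 40000, 0x12),   # server's SYN/ACK back
    ("192.168.1.10", "192.168.1.2", 40001, 21, 0x02),   # trusted LAN client
    ("198.51.100.7", "192.168.1.2", 50123, 21, 0x02),   # second outside host
    ("198.51.100.7", "192.168.1.2", 50124, 80, 0x02),   # not FTP, ignored
]
SAMPLE_SYSLOG = [
    "Dec 26 18:55:01 fileserver MSFTPSVC: 203.0.113.45 USER anonymous",
    "Dec 26 18:55:03 fileserver MSFTPSVC: 203.0.113.45 PASS ***",
    "Dec 26 18:56:10 router sshd: accepted login for admin from 192.168.1.10",
    "Dec 26 18:57:22 fileserver MSFTPSVC: 198.51.100.7 STOR incoming/file1.bin",
]


def demo():
    """Correlate the constructed capture with the constructed syslog."""
    return find_rogue_ftp_clients(build_pcap(SAMPLE_PACKETS), SAMPLE_SYSLOG)


if __name__ == "__main__":
    for ip, info in sorted(demo().items()):
        print(f"{ip}: {info['packets']} packet(s) to tcp/{FTP_PORT}, {info['syn']} SYN")
        for line in info["syslog"]:
            print("    " + line)
```

The selection step is what an Ethereal display filter such as `tcp.port == 21` does interactively; the script only adds the syslog lookup and the SYN count, which separates hosts that opened connections from hosts that merely answered one. Two caveats apply to the situation in the thread: logs written on a compromised server may have been edited, so treat agreement between an independent capture and syslog as stronger evidence than either alone, and capture from a separate machine (a span port or hub) rather than on the box under investigation.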
