RE: [Full-Disclosure] Reacting to a server compromise

From: Wayne Chang (wchang_at_pnwsoft.com)
Date: 08/02/03

    To: <full-disclosure@lists.netsys.com>
    Date: Sat, 2 Aug 2003 13:23:18 +0900
    
    

    Hi Mark,

    In this situation I would Do The Right Thing(tm). Contact the admins on the
    list and inform your local FBI department. They might not care, but at least
    you've informed them.

    By being silent on this, you help no one but yourself. And that might not
    even be true since one of the 100 ips could trace back to you and notify the
    FBI before you do.

    It will take a few hours at least to notify all of them, but with a generic
    message that you can cut and paste, the effort would be appreciated by the
    people you contact (at least we hope they take it positively).

    Anyways, being silent on it is harmful, any way you slice it.

    Do The Right Thing.

    Best regards,
     
    Wayne Chang
    Pacific Northwest Software
    Mobile: (978) 869-3446
    Email: wchang@pnwsoft.com

    -----Original Message-----
    From: full-disclosure-admin@lists.netsys.com
    [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Mark
    Sent: Saturday, August 02, 2003 12:39 PM
    To: full-disclosure@lists.netsys.com

    Hello list,

    In light of the current state of the internet with the DCOM vuln, I
    would like to ask for some advice on a situation I had at work.

    A little while ago (but before the DCOM vuln was released) I had a Win2k box
    hacked. The box was outside our firewall, running minimal
    services (ftp/www/smtp - gateway only) and was set to download/install
    everything it could via Auto-updates. Apparently I didn't reboot it often
    enough for all of the updates to take effect.

    Personally I really don't care how the hacker got in, as the box has now
    been replaced with a hardened Linux server, and when the attacker had
    control, they were still outside our firewall. The attacker created a user
    account with admin privs, installed a trojan, disabled all network access to
    any users except this new account, and proceeded to hack other vulnerable NT
    machines out on the net. I found a list of about 100 IPs with usernames and
    passwords that were either blank or the same as the username.

    My question is: Do I report this, and run the risk of the Feds charging me
    because these attacks originated from my subnet? Do I inform the owners of
    the machines that were hacked that their systems have been compromised?
    Judging from the usernames, some of these machines belonged to doctors'
    offices, and may contain sensitive information. Or should I just have a
    nice cup of STFU, and pretend nothing happened?

    Before the flames start about how I'm such a lazy admin, I'd like you to
    know that I'm a developer full-time for a small company with a small budget
    and I manage the network with my "free" time. Yes it was stupid to stick a
    windows box out on the net without a firewall. I tell people all the time
    the same thing, maybe I'm just a sadist that likes watching M$ boxes get
    hacked, I don't know. But in that instance I really didn't care.

    I'd appreciate any comments anyone has....

    Thanks,
    Mark

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

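An added example, not part of either message above: a small Python triage script for the kind of list Mark describes, a file of IPs with usernames whose passwords were blank or identical to the username. The thread does not say what format the attacker's file was in; this assumes one whitespace-separated "ip username [password]" entry per line (password column absent for blank passwords), and the sample lines are constructed. It validates each IP, classifies the weakness, groups findings per host so each owner gets one notice, and drafts the cut-and-paste notification Wayne suggests without pasting the recovered password strings themselves into the outgoing mail.

```python
"""Triage a recovered attacker credential list and draft per-host notices.

Added example, not code from the original thread. Assumed input format
(not specified in the thread): "<ip> <username> [<password>]" per line,
'#' comments allowed. The sample data below is constructed.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample loot file; documentation-range addresses, not real hosts.
SAMPLE_LOOT = """\
# constructed sample, not real data
192.0.2.10 administrator
192.0.2.10 backup backup
192.0.2.23 DrSmith drsmith
198.51.100.7 guest
198.51.100.7 sa sa
not-an-ip foo bar
203.0.113.5 Administrator S3cure!pass
"""


@dataclass(frozen=True)
class Entry:
    ip: str
    username: str
    password: str  # empty string means the recovered password was blank

    @property
    def weakness(self) -> Optional[str]:
        """Classify the two weaknesses named in the thread; None otherwise."""
        if self.password == "":
            return "blank password"
        if self.password.lower() == self.username.lower():
            return "password equals username"
        return None


def parse_loot(text: str) -> Tuple[List[Entry], List[str]]:
    """Parse the recovered list; malformed or non-IP lines are returned
    separately rather than silently dropped, so nothing is lost in triage."""
    entries: List[Entry] = []
    rejected: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)  # password may be absent (blank)
        if len(parts) < 2:
            rejected.append(raw)
            continue
        ip, user = parts[0], parts[1]
        password = parts[2] if len(parts) == 3 else ""
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            rejected.append(raw)
            continue
        entries.append(Entry(ip, user, password))
    return entries, rejected


def weak_accounts_by_host(entries: List[Entry]) -> Dict[str, List[Tuple[str, str]]]:
    """Group only the weak accounts per host, one bucket per IP."""
    by_host: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for e in entries:
        w = e.weakness
        if w is not None:
            by_host[e.ip].append((e.username, w))
    return dict(by_host)


def draft_notice(ip: str, findings: List[Tuple[str, str]], source_ip: str) -> str:
    """Generic notification text for one host. Names the account and the
    category of weakness only; the recovered password string is never
    included, since this mail may cross untrusted relays."""
    lines = [
        f"Subject: Possible compromise of {ip}",
        "",
        f"A host under my control ({source_ip}) was compromised and used to",
        f"attack other systems. Its attacker left a list naming {ip} with",
        "accounts that appear to have weak or blank passwords:",
        "",
    ]
    for user, weakness in findings:
        lines.append(f"  account '{user}': {weakness}")
    lines += ["", "Please check this host for unauthorised access and change",
              "these passwords. Logs from the compromised host are available on request."]
    return "\n".join(lines)


def triage(text: str, source_ip: str) -> Dict[str, str]:
    """Full pipeline: parsed list -> per-host notices keyed by IP."""
    entries, _rejected = parse_loot(text)
    hosts = weak_accounts_by_host(entries)
    return {ip: draft_notice(ip, hosts[ip], source_ip) for ip in sorted(hosts)}


if __name__ == "__main__":
    for ip, notice in triage(SAMPLE_LOOT, "192.0.2.200").items():
        print(notice, end="\n\n---\n\n")
```

The rejected lines are returned rather than discarded so an analyst can look at them by hand; in a real loot file a line that does not parse may be the most interesting one. The `203.0.113.5` entry shows the other side of the filter: an account with a distinct password is recorded but produces no notice, since the thread's concern is the hosts whose credentials were trivially guessable.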

