Re: [Full-Disclosure] Reacting to a server compromise

From: Mark (marklist_at_comcast.net)
Date: 08/03/03

    To: full-disclosure <full-disclosure@lists.netsys.com>
    Date: Sat, 02 Aug 2003 22:00:06 -0600
    
    

    Jason Coombs wrote:
    > Aloha,
    >
    > Give the details to somebody in the tech media, or a colleague who you think
    > is trustworthy.
    >
    > Let them notify others who the alleged hacker penetrated.
    >
    > We all know there was no hacker, you're just trying to make amends for the
    > damage you've done to other people's computer systems and repent, putting an
    > end to your malicious hacking career. ;-)
    >
    > I'd be happy to accept your report and put in the time to notify everyone
    > affected.
    >
    > Or, just send the details to full-disclosure from an anonymous e-mail account
    > like fulldisclosure@catholic.org

    I appreciate all of the advice I've received so far, and from what it
    seems, I'm in quite a sticky situation. I'm not 100% positive that the
    "cracker" compromised any systems from this box. There is a txt file of
    about 100 IPs with admin usernames/passes which I don't think would be a
    good idea to post to a public list, especially a script-kiddie haven
    like FD. I also know that the attacker performed a UDP flood on some
    poor sap. Unfortunately for the attacker, we noticed this right away
    when the T1 router went berserk. I traced it back to that machine, not
    by sniffing, but through switch activity lights, so I don't know who
    that victim was. I thought it was a faulty NIC, or a driver gone
    haywire, so I rebooted the box. That's when I noticed that mIRC.exe was
    listening for remote commands, and a new admin account.

    Judging from the date of the trojan files, they only had control for 2-3
    days, and I promptly installed zonealarm, a temporary fix until I could
    get the server replaced.

    Anyway, the machine now sits happily in a corner, unplugged from the
    world, with the HD just how I left it. Everything I deleted from the
    machine, aside from the cracker's admin account, was copied off to a
    secure place. Hopefully that will be enough if I get any inquiries. I
    will start with a report to CERT, and see where that goes.

    Thanks again for all the help.

    Mark

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

