Re: [Full-Disclosure] Reacting to a server compromise
From: Mark (marklist_at_comcast.net)
To: full-disclosure <email@example.com>
Date: Sat, 02 Aug 2003 22:00:06 -0600
Jason Coombs wrote:
> Give the details to somebody in the tech media, or a colleague who you think
> is trustworthy.
> Let them notify others who the alleged hacker penetrated.
> We all know there was no hacker, you're just trying to make amends for the
> damage you've done to other people's computer systems and repent, putting an
> end to your malicious hacking career. ;-)
> I'd be happy to accept your report and put in the time to notify everyone
> Or, just send the details to full-disclosure from an anonymous e-mail account
> like firstname.lastname@example.org
I appreciate all of the advice I've received so far, and from what it
seems, I'm in quite a sticky situation. I'm not 100% positive that the
"cracker" compromised any systems from this box. There is a txt file of
about 100 IPs with admin usernames/passes which I don't think would be a
good idea to post to a public list, especially a script-kiddie haven
like FD. I also know that the attacker performed a UDP flood on some
poor sap. Unfortunately for the attacker, we noticed this right away
when the T1 router went berserk. I traced it back to that machine, not
by sniffing, but through switch activity lights, so I don't know who
that victim was. I thought it was a faulty NIC, or a driver gone
haywire, so I rebooted the box. That's when I noticed that mIRC.exe was
listening for remote commands, and that there was a new admin account.
Judging from the date of the trojan files, they only had control for 2-3
days, and I promptly installed zonealarm, a temporary fix until I could
get the server replaced.
Anyway, the machine now sits happily in a corner, unplugged from the
world, with the HD just how I left it. Everything I deleted from the
machine, aside from the cracker's admin account, was copied off to a
secure place. Hopefully that will be enough if I get any inquiries. I
will start with a report to CERT, and see where that goes.
Thanks again for all the help.
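The three signs Mark describes (a process listening for remote commands, a freshly created admin account, and a UDP flood leaving the box) are exactly what a first-pass Windows triage should surface without relying on switch activity lights. The script below is an added example, not part of Mark's post or any tool mentioned in the thread; it targets a current Windows host with PowerShell 5.1 or later, and the baseline process list, the seven-day window, and the column names are assumptions for illustration. Run it from an elevated session on a live host; for a drive that has already been unplugged as evidence, image it first and work from the copy rather than booting it.

```powershell
# Added example (not from the original thread): triage for a listening bot process,
# a newly created local administrator, and outbound UDP flood traffic.
# ASSUMPTION: the names in $expectedListeners are a placeholder baseline; build
# the real one from a known-good host of the same build.
$expectedListeners = @('System', 'svchost', 'lsass', 'services', 'wininit', 'spoolsv')

# 1. Every TCP listener and UDP endpoint, resolved to the image that owns it.
#    An IRC client or anything outside Program Files/Windows bound to a port
#    is the "mIRC.exe listening for remote commands" case.
$tcp = Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort, @{n='Proto'; e={'TCP'}}, OwningProcess
$udp = Get-NetUDPEndpoint |
    Select-Object LocalAddress, LocalPort, @{n='Proto'; e={'UDP'}}, OwningProcess

$listeners = foreach ($ep in @($tcp) + @($udp)) {
    $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Proto   = $ep.Proto
        Local   = "$($ep.LocalAddress):$($ep.LocalPort)"
        PID     = $ep.OwningProcess
        Name    = $proc.ProcessName
        Path    = $proc.Path
        Suspect = ($null -ne $proc) -and ($expectedListeners -notcontains $proc.ProcessName)
    }
}
$listeners | Sort-Object Suspect -Descending | Format-Table -AutoSize

# 2. Who is in the local Administrators group right now, and which accounts were
#    created (Security event 4720) inside the window the trojan file dates suggest.
#    ASSUMPTION: a 7-day window; widen it if the file timestamps say otherwise.
Get-LocalGroupMember -Group 'Administrators' |
    Format-Table Name, PrincipalSource, ObjectClass -AutoSize

$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Created = $_.TimeCreated
            Account = $_.Properties[0].Value   # TargetUserName: the new account
            By      = $_.Properties[4].Value   # SubjectUserName: who created it
        }
    } | Format-Table -AutoSize

# 3. A UDP flood does not appear in the connection table (no state to list), so
#    sample the stack counters instead: datagrams sent far above received,
#    sustained across samples, is the "T1 router went berserk" signature.
Get-Counter '\UDPv4\Datagrams Sent/sec', '\UDPv4\Datagrams Received/sec' `
    -SampleInterval 2 -MaxSamples 3 |
    ForEach-Object { $_.CounterSamples | Select-Object Path, CookedValue }
```

Two caveats a responder would add to Mark's account: a reboot destroys the in-memory evidence (live connections, the process tree, the flood's destination), so the counters and connection table above are worth capturing before power-cycling, and the Security log only has 4720 events if account-management auditing was enabled before the compromise, which is why the baseline group membership comparison is listed as well.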
Full-Disclosure - We believe in it.