Re: [Full-Disclosure] Reacting to a server compromise

From: Mark (marklist_at_comcast.net)
Date: 08/03/03

    To: full-disclosure <full-disclosure@lists.netsys.com>
    Date: Sat, 02 Aug 2003 22:00:06 -0600
    
    

    Jason Coombs wrote:
    > Aloha,
    >
    > Give the details to somebody in the tech media, or a colleague who you think
    > is trustworthy.
    >
    > Let them notify others who the alleged hacker penetrated.
    >
    > We all know there was no hacker, you're just trying to make amends for the
    > damage you've done to other people's computer systems and repent, putting an
    > end to your malicious hacking career. ;-)
    >
    > I'd be happy to accept your report and put in the time to notify everyone
    > affected.
    >
    > Or, just send the details to full-disclosure from an anonymous e-mail account
    > like fulldisclosure@catholic.org

    I appreciate all of the advice I've received so far, and from what it
    seems, I'm in quite a sticky situation. I'm not 100% positive that the
    "cracker" compromised any systems from this box. There is a txt file of
    about 100 IPs with admin usernames/passes which I don't think would be a
    good idea to post to a public list, especially a script-kiddie haven
    like FD. I also know that the attacker performed a UDP flood on some
    poor sap. Unfortunately for the attacker, we noticed this right away
    when the T1 router went berserk. I traced it back to that machine, not
    by sniffing, but through switch activity lights, so I don't know who
    that victim was. I thought it was a faulty NIC, or a driver gone
    haywire, so I rebooted the box. That's when I noticed that mIRC.exe was
    listening for remote commands, and a new admin account.

    Judging from the date of the trojan files, they only had control for 2-3
    days, and I promptly installed zonealarm, a temporary fix until I could
    get the server replaced.

    Anyway, the machine now sits happily in a corner, unplugged from the
    world, with the HD just how I left it. Everything I deleted from the
    machine, aside from the cracker's admin account, was copied off to a
    secure place. Hopefully that will be enough if I get any inquiries. I
    will start with a report to CERT, and see where that goes.

    Thanks again for all the help.

    Mark

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

