Odd situation, advice needed on penentration test results

From: saraf@hushmail.com
Date: 03/26/03

  • Next message: Ido Dubrawsky: "Re: Odd situation, advice needed on penentration test results"
    Date: Wed, 26 Mar 2003 11:54:01 -0800
    To: pen-test@securityfocus.com
    From: <saraf@hushmail.com>
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Pen-testers,

    My company recently engaged on a penetration test for a large fortune
    500 company. The first week of the test harvested no results to speak
    of. However in the second week while re-scanning a particular subnet
    where they hosted their staging systems we found a machine with a listening
    port where there had not been one before. We discovered the port listening
    was actually a backdoor (a common one) with a default password. We used
    the portshell to gain entry onto the machine and one inside (it was a
    win2k machine) we found a series of things. Firstly we had gained access
    just shortly after the intruder as they were still present on the box
    downloading from another box on the net. The downloads were going into
    a sub directory normally used for another software package. The interesting
    and troublesome part is related to what the intruder was downloading.
    In short the items of interest were:

    1. source code for what we think is an unpublished remote exploit for
    a largely deployed service.
    2. parts of commercial sourcecode for a vulnerability scanner from a
    security vendor.
    3. parts of commercial sourcecode for a firewall from another security
    vendor.
    4. what looks like a fairly advanced windows based kernel rootkit.

    This stuff was also packaged with a whole series of other tools some
    public some not. Our area of concern is what do we do now? The sourcecode
    is obviously stolen and the exploit is likely unpublished and we are
    left holding the bag to notify all of these vendors etc. Our concern
    is that our client will likely be involved as well which is potentially
    embarrassing to them. We have not yet acted on this (happened this morning)
    and I would very much like any advice this list has to offer. In particular
    if you have ever faced this type of problem before.

    -----BEGIN PGP SIGNATURE-----
    Version: Hush 2.2 (Java)
    Note: This signature can be verified at https://www.hushtools.com/verify

    wloEARECABoFAj6CBlsTHHNhcmFmQGh1c2htYWlsLmNvbQAKCRDix1JKUImU21YxAKCg
    N23X1I/vy6//YpZuTJmx1OHkFQCfb+Vtdt4fZMl6AgdatK7DYKrSC/A=
    =0ySv
    -----END PGP SIGNATURE-----

    Concerned about your privacy? Follow this link to get
    FREE encrypted email: https://www.hushmail.com/?l=2

    Big $$$ to be made with the HushMail Affiliate Program:
    https://www.hushmail.com/about.php?subloc=affiliate&l=427

    top spam and e-mail risk at the gateway.
    SurfControl E-mail Filter puts the brakes on spam & viruses
    and gives you the reports to prove it. See exactly how much
    junk never even makes it in the door. Free 30-day trial:
    http://www.surfcontrol.com/go/zsfptl1


  • Next message: Ido Dubrawsky: "Re: Odd situation, advice needed on penentration test results"