Re: Odd situation, advice needed on penentration test results

From: Ido Dubrawsky (idubraws@cisco.com)
Date: 03/26/03

  • Next message: Harlan Carvey: "re: Odd situation, advice needed on penentration test results"
    Date: Wed, 26 Mar 2003 15:19:32 -0500
    From: Ido Dubrawsky <idubraws@cisco.com>
    To: saraf@hushmail.com
    
    

    On Wed, Mar 26, 2003 at 11:54:01AM -0800, saraf@hushmail.com wrote:
    >
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    >
    > Pen-testers,
    >
    > My company recently engaged on a penetration test for a large fortune
    > 500 company. The first week of the test harvested no results to speak
    > of. However in the second week while re-scanning a particular subnet
    > where they hosted their staging systems we found a machine with a listening
    > port where there had not been one before. We discovered the port listening
    > was actually a backdoor (a common one) with a default password. We used
    > the portshell to gain entry onto the machine and one inside (it was a
    > win2k machine) we found a series of things. Firstly we had gained access
    > just shortly after the intruder as they were still present on the box
    > downloading from another box on the net. The downloads were going into
    > a sub directory normally used for another software package. The interesting
    > and troublesome part is related to what the intruder was downloading.
    > In short the items of interest were:
    >
    > 1. source code for what we think is an unpublished remote exploit for
    > a largely deployed service.
    > 2. parts of commercial sourcecode for a vulnerability scanner from a
    > security vendor.
    > 3. parts of commercial sourcecode for a firewall from another security
    > vendor.
    > 4. what looks like a fairly advanced windows based kernel rootkit.
    >
    > This stuff was also packaged with a whole series of other tools some
    > public some not. Our area of concern is what do we do now? The sourcecode
    > is obviously stolen and the exploit is likely unpublished and we are
    > left holding the bag to notify all of these vendors etc. Our concern
    > is that our client will likely be involved as well which is potentially
    > embarrassing to them. We have not yet acted on this (happened this morning)
    > and I would very much like any advice this list has to offer. In particular
    > if you have ever faced this type of problem before.
    >
    >
    Sara,

       You need to act on this ASAP. You should have notified your client
    immediately and allowed them to take the necessary steps to secure the system
    and shut it down. While catching this person is obviously of importance, the
    more critical step to take is to secure the system for forensic analysis.
    I would recommend that the your client unplug the power from the system
    (hopefully the intruder has not setup a logic bomb that triggers if the network
    interface goes down). Then it's a matter of getting the system into a state
    where imaging the drive(s) can be done. This is to protect your client as much
    as it is to try and determine the extent of the intrusion and the possible
    identity of the intruder. They should look at their logfiles as well to see
    if the can identify the source of the intruder's connection...it all depends
    on how their network is architected as well as where the system is in the
    network.
      If the system is on the DMZ, perhaps they can set up and ACL to log all
    inbound connections to that system...if they haven't already done that.
      I'm sorry to say this but you should have moved earlier on this and your
    client should have been notified immediately. You have no way of knowing what
    the intruder has done in the time you've sent this e-mail and gotten responses.

    Ido

    -- 
    ===========================================================================
                            | Ido Dubrawsky          E-mail: idubraws@cisco.com
         |          |       | Network Security Architect
        :|:        :|:      | VSEC Technical Marketing, SAFE Architecture Team
       :|||:      :|||:     | Cisco Systems, Inc.
    .:|||||||:..:|||||||:.  | Silver Spring, MD. 20902
    ===========================================================================
    top spam and e-mail risk at the gateway.
    SurfControl E-mail Filter puts the brakes on spam & viruses
    and gives you the reports to prove it. See exactly how much
    junk never even makes it in the door. Free 30-day trial:
    http://www.surfcontrol.com/go/zsfptl1
    

  • Next message: Harlan Carvey: "re: Odd situation, advice needed on penentration test results"

    Relevant Pages

    • Re: Dot.Net 1.1 and 2.0
      ... we have to use the same sourcecode in 2 projects. ... and consists of server and client parts. ... Try to pack as much funcitons into .Net 1.1 libraries and use those ...
      (microsoft.public.dotnet.languages.vb)
    • Dot Net 1.1 and 2.0
      ... we have to use the same sourcecode in 2 projects. ... and consists of server and client parts. ... Try to pack as much funcitons into .Net 1.1 libraries and use those ...
      (microsoft.public.dotnet.general)
    • Re: Dot.Net 1.1 and 2.0
      ... we have to use the same sourcecode in 2 projects. ... and consists of server and client parts. ... Try to pack as much funcitons into .Net 1.1 libraries and use those ...
      (microsoft.public.dotnet.languages.vb)
    • Dot.Net 1.1 and 2.0
      ... we have to use the same sourcecode in 2 projects. ... and consists of server and client parts. ... Try to pack as much funcitons into .Net 1.1 libraries and use those ...
      (microsoft.public.dotnet.languages.vb)