RE: compromised network

From: Angus (angus_md_at_yahoo.com)
Date: 12/29/03

    Date: Mon, 29 Dec 2003 11:13:06 -0800 (PST)
    To: Dana Rawson <absolutezero273c@nzoomail.com>, security-basics@securityfocus.com
    
    

    Dana,

    First I want to say, these are excellent, but
    difficult questions. They mostly depend on how it
    affects your organization. Without knowing what was
    hacked/running, what was taken, your business model,
    etc. it is hard to say (I'd prefer not to have this
    info advertised on a mailing list, especially when
    potential hackers may reside here).

    Here are my answers in the order they appear. As with
    most of my rare postings, it is a novel. They are by
    no means the be-all and end-all, but in touchy situations
    like this, you will need to examine and apply them as
    best you can to your organization.

    1. What is the best way to verify that there is
    nothing rogue left active on the servers?

    There really is no good way, short of examining all
    binaries and comparing them to MD5 hashes of initial
    installs/OEM fingerprint databases. You could do this
    to prior backups, but unless you have a known good
    backup, you could be comparing it to something already
    exploited. Depending on the impact on the operations,
    you are probably better off rebuilding it. Even
    though there may not be a malicious backdoor running
    when you do a typical port scan, what is to say the
    intruder did not modify the TCP/IP stack to fire off a
    backdoor if it sees an impossible packet, say a packet
    with RST and FIN set, on a known port accessible from
    outside?

    2. Is there any legal action I should take?

    This is a question that has stumped philosophers since
    the beginning of time. Unfortunately, only you and
    your organization can answer this one. Ethically, you
    probably should, however some people like to save face
    and avoid it, so they don’t lose reputation with their
    customers. I would suggest analyzing what was
    compromised, why if you can, who, and what was taken.
    And look at the damages. Remember, time is money,
    including time dealing with the event. Even if they
    took nothing, you still have obviously spent company
    time working/thinking about this.

    Even though you may or may not have enough for a
    lawsuit, you may still be legally bound to let
    consumers know about it. Laws are different from
    state to state, to country. If you are located in
    Alaska, and you do business over the internet to other
    states, their laws will apply whether you solicit
    their business or not. AKA, if credit card info was
    taken, and you have California customers, you are
    legally bound to notify them regardless of location,
    probably forcing you to talk to Law Enforcement.

    Also keep in mind that your actions, or lack of
    actions, can come back to haunt you. If someone uses
    your systems as a starting point for an attack, you
    can be hit with downstream liability. Even though you
    can go after the perps, it is still pain no one wants,
    especially since they may not be able to compensate
    you, once again forcing Law Enforcement involvement.
    Sometimes it is best to do it from the start to make
    sure evidence is still around.

    I would speak to a lawyer if available for
    recommendations, put together a nice report w/ pros
    and cons and let them make the decision. Remember
    that magnetic media may be repo’d as evidence and
    attacked for validity. You will need to convince a
    court of law that your evidence was not tampered with,
    for example: MD5 hashes, stored in a safe place with
    minimal people accessing, data not writable, etc.

    3. I just installed Ethereal and am currently
    capturing packets but am not really sure how to read
    this or if there is any easier way to monitor all
    things. ...And to actually know how to read it.

    Ethereal is good for looking at the packets captured,
    and it is mainly a preference issue, so I’m not going
    to start a debate on that. However, grabbing all
    packets can become very expensive w/ disk space, and
    cumbersome to read. You may be better off looking
    into a NIDS/HIDS system, like Snort and/or Tripwire,
    to alert you to possible malicious activity. They can
    categorize potential threats by severity and
    likelihood of success. Even though they WILL create false
    positives (and possible false negatives) it is probably
    a lot better than analyzing all packets and looking
    for a needle in a haystack, especially if you aren’t
    familiar with this sort of thing.

    4. Will I be able to retrieve IP addresses from
    packets to match activity on my syslog and identify
    rogue traffic?

    Yes, assuming syslog is reporting it.

    -----Original Message-----
    From: Dana Rawson
    [mailto:absolutezero273c@nzoomail.com]
    Sent: Friday, December 26, 2003 2:22 PM
    To: security-basics@securityfocus.com
    Subject: compromised network

    Not sure where to start except by saying that my
    servers and router were compromised. Have locked down
    both servers and routers (at least I have attempted to
    do so) but what is the best way to verify that there
    is nothing rogue left active on the servers? Also, is
    there any legal action I should take (i.e. Do I alert
    any authorities)? It appears that my network was
    targeted by a server in California and individuals
    from Australia, Netherlands and the US were connecting
    using it as an ftp server. Was actually named
    "Revenge Server".

    I just installed Ethereal and am currently capturing
    packets but am not really sure how to read this or if
    there is any easier way to monitor all things. ...And
    to actually know how to read it.

    Will I be able to retrieve IP addresses from packets
    to match activity on my syslog and identify rogue
    traffic?

    This is all new to me so I apologize if my questions
    don't make sense or my approach is illogical.
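A worked example of the baseline comparison Angus describes in answer 1, added here and not part of the original thread: it hashes every file under a tree, keeps the digests as a manifest, and reports what changed, went missing or appeared when the tree is hashed again. It uses SHA-256 instead of the MD5 mentioned above, and the file names and contents in demo() are constructed.

```python
import hashlib
import os
import tempfile
from typing import Dict, List

def hash_file(path: str, algo: str = "sha256") -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: str, algo: str = "sha256") -> Dict[str, str]:
    """Record the digest of every regular file under root, keyed by relative path."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue                     # sockets, devices, symlinks: not hashed
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full, algo)
    return manifest

def compare_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify differences the way a Tripwire-style integrity check reports them."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }

def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small tree, alter it, and re-check against the baseline."""
    root = tempfile.mkdtemp()
    def write(rel: str, data: bytes) -> None:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    for rel, data in (("bin/ls", b"ls v1"), ("bin/ps", b"ps v1"), ("etc/inetd.conf", b"ftp stream tcp")):
        write(rel, data)
    baseline = build_manifest(root)          # in practice: taken from known-good media, kept read-only
    write("bin/ps", b"ps v1 altered")        # a binary whose contents changed
    os.remove(os.path.join(root, "etc/inetd.conf"))
    write("bin/.extra", b"unexpected")       # a file that was never in the baseline
    return compare_manifests(baseline, build_manifest(root))
```

The baseline is only as trustworthy as its source, which is the point made above about known-good backups: hash from install media or a pre-incident image, not from the compromised host.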
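For answer 4, an added example (not from either post in the thread) that pulls IPv4 addresses out of a libpcap file of the kind Ethereal writes, collects the addresses mentioned in syslog lines, and reports which remote hosts the logs did and did not account for. The capture, the syslog lines and the server address in demo() are constructed; the caller supplies its own addresses so they are not reported as peers.

```python
import re
import struct
from typing import Dict, Iterable, List, Set
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def make_pcap(frames: List[bytes]) -> bytes:
    """Wrap raw Ethernet frames in a little-endian libpcap file (constructed input, link type 1)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return header + records

def ipv4_frame(src: str, dst: str) -> bytes:
    """Minimal Ethernet+IPv4 frame carrying only the fields the parser below reads."""
    ip = bytearray(20)
    ip[0], ip[9] = 0x45, 6                          # IPv4, IHL=5, protocol TCP
    ip[12:16] = bytes(int(o) for o in src.split("."))
    ip[16:20] = bytes(int(o) for o in dst.split("."))
    return b"\x00" * 12 + b"\x08\x00" + bytes(ip)   # zeroed MACs, EtherType IPv4

def addresses_from_pcap(data: bytes) -> Set[str]:
    """Walk the libpcap records and collect every IPv4 source and destination address."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"     # pcap byte order follows the magic
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled here")
    seen, off = set(), 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                 # ARP, truncated, non-IPv4: skip
        seen.add(".".join(str(b) for b in frame[26:30]))
        seen.add(".".join(str(b) for b in frame[30:34]))
    return seen

def correlate(pcap: bytes, syslog: Iterable[str], own: Set[str]) -> Dict[str, List[str]]:
    """Split remote addresses into those syslog accounted for and those it did not."""
    wire = addresses_from_pcap(pcap) - own
    logged = {m for line in syslog for m in IP_RE.findall(line)} - own
    return {"logged": sorted(wire & logged), "unlogged": sorted(wire - logged),
            "syslog_only": sorted(logged - wire)}

def demo() -> Dict[str, List[str]]:
    """Constructed scenario: one FTP client that syslog recorded, one peer it never mentioned."""
    server = "192.0.2.10"
    pcap = make_pcap([ipv4_frame("198.51.100.7", server), ipv4_frame(server, "198.51.100.7"),
                      ipv4_frame("203.0.113.99", server)])
    syslog = ["Dec 26 14:20:01 srv ftpd[1234]: connection from 198.51.100.7",
              "Dec 26 14:21:15 srv sshd[1300]: Accepted password for admin from 192.0.2.25"]
    return correlate(pcap, syslog, {server})
```

The "unlogged" list is the concrete form of the caveat "assuming syslog is reporting it": hosts that talked to the server while nothing on it logged them are where a more careful look at the capture starts.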
