RE: compromised network

From: Raoul Armfield (armfield_at_amnh.org)
Date: 12/29/03

  • Next message: Francisco Mário Ferreira Custódio: "RE: locked out of XP, need file access" 
    To: "'Dana Rawson'" <absolutezero273c@nzoomail.com>, <security-basics@securityfocus.com>
Date: Mon, 29 Dec 2003 12:30:04 -0500

    Best bet is to reinstall OS and software from known good media and
    restore data from backups

    Raoul

    :-----Original Message-----
    :From: Dana Rawson [mailto:absolutezero273c@nzoomail.com]
    :Sent: Friday, December 26, 2003 2:22 PM
    :To: security-basics@securityfocus.com
    :Subject: compromised network
    :
    :
    :
    :Not sure where to start except by saying that my servers and
    :router were compromised. Have locked down both servers and
    :routers (at least I have attempted to do so) but what is the
    :best way to verify that there is nothing rogue left active on
    :the servers? Also, is there any legal action I should take
    :(i.e. Do I alert any authorities)? It appears that my network
    :was targeted by a server in california and individuals from
    :Australia, Netherlands and the US were connecting using it as
    :an ftp server. Was actually named "Revenge Server".
    :
    :I just installed Ethereal and am currently capturing packets
    :but am not really sure how to read this or if there is any
    :easier way to monitor all things. ...And to actually know how
    :to read it.
    :
    :Will I be able to retrieve ip addresses from packets to match
    :activity on my syslog and identify rogue traffic?
    :
    :This is all new to me so I apologize if my questions don't
    :make sense or my approach is illogical.
    :
    :---------------------------------------------------------------
    :------------
    :---------------------------------------------------------------
    :-------------
    :
    :

    ---------------------------------------------------------------------------
    ----------------------------------------------------------------------------

  • Next message: Francisco Mário Ferreira Custódio: "RE: locked out of XP, need file access"

    Relevant Pages

    • Re: Makes no sense to me?
      ... I am not sure what is first here the servers or the routers to the internet? ... Router A starting or IP is ... Reconfigure the NAT Devices to use the same IP Range on the Internal LAN ...
      (microsoft.public.win2000.networking)
    • Re: Deny access to certain IP address
      ... access to your network. ... the "guest" company and your own servers and computers. ... An easy way to do this would be to set-up a second broadband router on your ... and PC now get their addresses from the DHCP server in the new router. ...
      (microsoft.public.security)
    • Re: router causing strange DNS behaviour?
      ... there is something two hops earlier that is dropping packets for me. ... those internal only rogers name servers are 10 ... There are some other public access DNS ... >Moe's suggestion that I statically configure each client behind the router ...
      (comp.os.linux.networking)
    • Re: Cant browse across subnets
      ... Are there servers on both sides or just one side? ... allow list on the shop router. ... all computers can see shares and printers at their location just fine - ... All workstations can resolve all computernames via nslookup. ...
      (microsoft.public.windows.server.sbs)
    • Re: Very basic question
      ... as the router/leased line is managed by my telecoms provider (British ... it's a very large site with 30 Internet-facing servers. ... As this router has not been suplied with a firewal we have ...
      (microsoft.public.windows.server.networking)