RE: compromised network
From: Glenn Pearl (glennp_at_datasync.com)
Date: 12/29/03
- Previous message: Brian Dunbar: "Re: locked out of XP, need file access"
- In reply to: Dana Rawson: "compromised network"
- Next in thread: erisk: "Re: compromised network"
- Reply: erisk: "Re: compromised network"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'Dana Rawson'" <absolutezero273c@nzoomail.com>, <security-basics@securityfocus.com>
Date: Mon, 29 Dec 2003 12:10:37 -0600
The only way to really know that your systems are clean is to start over
- reformat the hard drives, reinstall apps securely and restore data
from backup. Do not allow any access to the boxes until you have
completely locked them down.
I am in the process of teaching myself these very steps. I'm using
Windows 2000 and IIS 5, and working with the NSA Windows 2000 security
guides and policy templates in combination with Stefan Norberg's
"Securing Windows NT/2000 Servers for the Internet" (O'Reilly) and tons
of notes courtesy of these Security Focus lists (thanks, everybody!) and
articles and Google. I'm also learning how to use scanning tools and
IDS such as nmap, nessus, snort, etc.
Legal action - I'm sure there are others on this list who are far more
helpful than I at answering that one. Personally, I wouldn't waste any
time with it or tracking the intruders via ethereal, and instead focus
on lessening the chance of such compromises in the future. Search the
list archives and GooGroups for info on firewalls, proxies, IDS...
Glenn Pearl
> -----Original Message-----
> From: Dana Rawson [mailto:absolutezero273c@nzoomail.com]
> Sent: Friday, December 26, 2003 1:22 PM
> To: security-basics@securityfocus.com
> Subject: compromised network
>
> Not sure where to start except by saying that my servers and router
> were compromised. Have locked down both servers and routers (at least
> I have attempted to do so) but what is the best way to verify that
> there is nothing rogue left active on the servers? Also, is there any
> legal action I should take (i.e. do I alert any authorities)? It
> appears that my network was targeted by a server in California and
> individuals from Australia, Netherlands and the US were connecting
> using it as an FTP server. Was actually named "Revenge Server".
>
> I just installed Ethereal and am currently capturing packets but am
> not really sure how to read this or if there is any easier way to
> monitor all things. ...And to actually know how to read it.
>
> Will I be able to retrieve IP addresses from packets to match activity
> on my syslog and identify rogue traffic?
>
> This is all new to me so I apologize if my questions don't make sense
> or my approach is illogical.
>
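Dana's last question, whether IP addresses pulled from the capture can be matched against syslog to pick out rogue traffic, is the kind of correlation a short script does well. The following is an added example and is not part of the original thread or of Glenn's reply. It assumes the capture has been summarised to one flow per line in the shape of `tshark -T fields -e ip.src -e ip.dst -e tcp.dstport` output (tshark being the later name of Ethereal's command-line tool); the capture lines, the syslog lines and the list of trusted networks below are all constructed for illustration.

```python
"""Correlate source IPs from a packet-capture summary with syslog entries.

Added example, not code from the original list post. Assumes a capture
summarised to one flow per line (tab-separated ip.src, ip.dst, tcp.dstport,
as tshark -T fields would emit) and ftpd/sshd style lines in syslog.
All sample data and the trusted-network list are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed capture summary: src_ip <TAB> dst_ip <TAB> tcp.dstport
CAPTURE_LINES = """\
203.0.113.45\t192.0.2.10\t21
203.0.113.45\t192.0.2.10\t21
198.51.100.7\t192.0.2.10\t21
192.0.2.25\t192.0.2.10\t445
203.0.113.200\t192.0.2.10\t4444
""".splitlines()

# Constructed syslog lines in ftpd / sshd style.
SYSLOG_LINES = """\
Dec 26 13:01:12 srv1 ftpd[2231]: connection from 203.0.113.45
Dec 26 13:01:19 srv1 ftpd[2231]: FTP LOGIN FROM 203.0.113.45 as revenge
Dec 26 13:05:41 srv1 ftpd[2290]: connection from 198.51.100.7
Dec 26 13:07:03 srv1 sshd[2301]: Accepted password for admin from 192.0.2.25 port 50122 ssh2
""".splitlines()

# Assumed: the networks the admin expects to be talking to the server.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_capture(lines):
    """Return {src_ip: {dst_port, ...}} from tab-separated src/dst/port lines."""
    flows = defaultdict(set)
    for line in lines:
        parts = line.split("\t")
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # non-TCP frame or malformed line: skip it
        flows[parts[0]].add(int(parts[2]))
    return flows


def parse_syslog(lines):
    """Return {ip: [syslog lines mentioning that ip]} for every IPv4 found."""
    hits = defaultdict(list)
    for line in lines:
        for ip in set(IPV4_RE.findall(line)):
            hits[ip].append(line)
    return hits


def is_trusted(ip):
    """True if ip falls inside one of the (assumed) trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def correlate(capture_lines, syslog_lines):
    """Join every capture source to its syslog lines and classify it.

    Returns {src_ip: {"ports": [...], "syslog": [...], "flag": str}} where
    flag is "trusted", "untrusted, logged" or "untrusted, NOT logged".
    The last class is the one to chase first: traffic the host's own
    logging never accounted for, e.g. a listener the intruder installed.
    """
    flows = parse_capture(capture_lines)
    logs = parse_syslog(syslog_lines)
    report = {}
    for src, ports in flows.items():
        entries = logs.get(src, [])
        if is_trusted(src):
            flag = "trusted"
        elif entries:
            flag = "untrusted, logged"
        else:
            flag = "untrusted, NOT logged"
        report[src] = {"ports": sorted(ports), "syslog": entries, "flag": flag}
    return report


if __name__ == "__main__":
    for src, info in sorted(correlate(CAPTURE_LINES, SYSLOG_LINES).items()):
        print(f"{src:16} ports={info['ports']} {info['flag']} "
              f"({len(info['syslog'])} syslog lines)")
```

In the constructed data the source on port 4444 shows up in the capture with no syslog trace at all, which is exactly the signal worth having: a daemon an intruder added rarely logs through syslog. Two caveats apply to the method. Syslog on a host that was compromised may have been edited, so treat a match as a lead rather than proof, and a capture taken from the compromised box itself can be fooled by a rootkit; capturing from a separate machine on a span port or hub avoids that.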