Re: compromised network

• Previous message: Lard van den Berg: "Re: compromised network"
• Maybe in reply to: Dana Rawson: "compromised network"
• Next in thread: Christos Gioran: "Re: compromised network"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Mon, 29 Dec 2003 19:35:58 -0600
To: Dana Rawson <absolutezero273c@nzoomail.com>

Dana,

What the rest of the group has posted so far (12/29/2003- 1900 CST) has
been great and hopefully should show you that there are many things you can do.

What I am about to say might seem alarmist and could be construed as an
insult by some. It is neither and it is not my intention to do either.

I applaud you for your work thus far at locking down the nodes as best as
you can. Great job. As far as legal...you are too late. Unless you have
COMPLETELY documented EVERYTHING that you discovered and what you have done
to fix it along with having a complete image of the machines in a 'hacked'
state... your actual chances at a successful prosecution are gone. You
are obviously not a security expert. You need one to validate your changes
and HELP you (not do it for you while you are in another room and come back
and say it's done). IF your network and servers are valuable to you or
your business (assumed that they are) get the budget approval to get an
expert consultant to assist you.

You owe it to yourself. The time to learn is not in battle. Get
help. Once this situation is remediated, then start learning on the side.

Best of luck and let me know if I can help.

-J

At 13:21 12/26/2003, Dana Rawson wrote:

>Not sure where to start except by saying that my servers and router were
>compromised. Have locked down both servers and routers (at least I have
>attempted to do so) but what is the best way to verify that there is
>nothing rogue left active on the servers? Also, is there any legal action
>I should take (i.e. Do I alert any authorities)? It appears that my
>network was targeted by a server in california and individuals from
>Australia, Netherlands and the US were connecting using it as an ftp
>server. Was actually named "Revenge Server".
>
>I just installed Ethereal and am currently capturing packets but am not
>really sure how to read this or if there is any easier way to monitor all
>things. ...And to actually know how to read it.
>
>Will I be able to retrieve ip addresses from packets to match activity on
>my syslog and identify rogue traffic?
>
>This is all new to me so I apologize if my questions don't make sense or
>my approach is illogical.
>
>---------------------------------------------------------------------------
>----------------------------------------------------------------------------

---------------------------------------------------------------------------
----------------------------------------------------------------------------

• Previous message: Lard van den Berg: "Re: compromised network"
• Maybe in reply to: Dana Rawson: "compromised network"
• Next in thread: Christos Gioran: "Re: compromised network"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]