Re: compromised network
From: Christos Gioran (himicos_at_freemail.gr)
Date: 12/30/03
- Previous message: erisk: "Re: compromised network"
- In reply to: Dana Rawson: "compromised network"
- Next in thread: JM: "RE: compromised network"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: security-basics@securityfocus.com
Date: Tue, 30 Dec 2003 01:17:24 +0200
On Friday 26 December 2003 21:21, Dana Rawson wrote:
> Not sure where to start except by saying that my servers and router were
> compromised. Have locked down both servers and routers (at least I have
> attempted to do so) but what is the best way to verify that there is
> nothing rogue left active on the servers? Also, is there any legal action
Take off-line, format, reinstall from verified media and restore data from
sure-to-be-clean backups.
Your greatest problem right now is that you cannot trust your system. Any
binary can be (and probably has been) modified to a trojan version and even
the kernel itself (in the case of *nix) is prone to Loadable Kernel Modules
like adore. In the latter case, even if you use statically compiled binaries
from verified media, you cannot tell for sure what is going on in there. All
these are part of a good rootkit, a standard tool for any attacker.
Using a sniffer can reveal some info as you probably know what traffic is
normal for your network and anything beyond that is automatically suspicious
and should be looked into. If, for example, you notice lots of traffic to a
non-normally-used port, then probably "evil" processes are running and
accepting connections serving files or whatever. Note the IP of the serving
machine and investigate further. Tapping the network traffic should be done
from a certainly clean machine to be sure that what you see is true (refer to
the previous paragraph).
Document your actions and make sure no info is altered. All work should be
done in a system created as a mirror to the one originally infected. That is
because electronic evidence should not be tampered with in order to stand in
court and any modifications you make to access time of files etc make the
system even less usable.
Good Luck!
-- himicos
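One way to automate the "lots of traffic to a non-normally-used port" check described above, as an added example that is not part of the original post: the server inventory, the addresses and the flow records are all constructed for illustration, and a real run would feed it flow summaries taken from the sniffer on the clean machine.

```python
"""Flag hosts serving on ports outside the known-normal baseline.

Added example, not from the original post. Input is a constructed list of
flow summaries of the kind a sniffer on a clean machine would produce:
(client_ip, server_ip, server_port, bytes_sent_by_server).
"""
from collections import defaultdict

# Constructed baseline: which ports each of our servers is expected to serve.
# (Hypothetical addresses; replace with your own inventory.)
NORMAL_PORTS = {
    "192.0.2.10": {22, 80, 443},
    "192.0.2.11": {22, 25},
}

# Constructed sample flows: (client, server, port, bytes sent by server)
SAMPLE_FLOWS = [
    ("198.51.100.5", "192.0.2.10", 443, 12000),
    ("198.51.100.6", "192.0.2.10", 80, 3000),
    ("198.51.100.7", "192.0.2.10", 31337, 540000),
    ("198.51.100.8", "192.0.2.10", 31337, 610000),
    ("198.51.100.9", "192.0.2.10", 31337, 580000),
    ("198.51.100.5", "192.0.2.11", 25, 2000),
    ("198.51.100.20", "192.0.2.12", 6667, 800),  # server not in inventory at all
]


def unexpected_services(flows, baseline, min_bytes=100_000):
    """Return {(server, port): (peer_count, total_bytes)} for traffic to ports
    outside the baseline. A server missing from the baseline is reported on
    every port, since nothing is known to be normal for it. For known servers,
    entries below min_bytes are dropped so one stray probe does not alert."""
    peers = defaultdict(set)
    volume = defaultdict(int)
    for client, server, port, nbytes in flows:
        allowed = baseline.get(server)
        if allowed is not None and port in allowed:
            continue  # expected service, nothing to see
        peers[(server, port)].add(client)
        volume[(server, port)] += nbytes
    result = {}
    for key, total in volume.items():
        server, _ = key
        if server not in baseline or total >= min_bytes:
            result[key] = (len(peers[key]), total)
    return result


if __name__ == "__main__":
    for (srv, port), (n, total) in sorted(unexpected_services(SAMPLE_FLOWS, NORMAL_PORTS).items()):
        print(f"{srv}:{port} served {total} bytes to {n} peers - note this machine and investigate")
```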