RE: compromised network

From: JM (jm_at_mindless.com)
Date: 12/30/03

    To: "'Dana Rawson'" <absolutezero273c@nzoomail.com>, <security-basics@securityfocus.com>
    Date: Tue, 30 Dec 2003 13:33:12 -0000
    
    

    The only way to be 100% is to completely start from scratch again.

    Not the ideal solution I know, but then you can be confident that everything
    is clean.

    If this is not an option, scan for viruses, malware, adware, trojans etc.
    But if I had a good backup, I would start again.

    Do you know how everything got compromised? When starting again, make sure
    you don't make the same mistakes. i.e. turn off that ms ftp server!

    -----Original Message-----
    From: Dana Rawson [mailto:absolutezero273c@nzoomail.com]
    Sent: 26 December 2003 19:22
    To: security-basics@securityfocus.com
    Subject: compromised network

    Not sure where to start except by saying that my servers and router were
    compromised. Have locked down both servers and routers (at least I have
    attempted to do so) but what is the best way to verify that there is nothing
    rogue left active on the servers? Also, is there any legal action I should
    take (i.e. Do I alert any authorities)? It appears that my network was
    targeted by a server in California and individuals from Australia,
    Netherlands and the US were connecting using it as an FTP server. Was
    actually named "Revenge Server".

    I just installed Ethereal and am currently capturing packets but am not
    really sure how to read this or if there is any easier way to monitor all
    things. ...And to actually know how to read it.

    Will I be able to retrieve IP addresses from packets to match activity on my
    syslog and identify rogue traffic?

    This is all new to me so I apologize if my questions don't make sense or my
    approach is illogical.
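The question about pulling IP addresses out of captured packets and matching them against syslog is straightforward to script once the capture is exported to text. The following is an added example, not code from either poster: it assumes the Ethereal/tcpdump capture has been saved as one-line-per-packet summaries of the form "SRC.port > DST.port", that the site's own address range is 192.0.2.0/24 (an assumption, adjust for your network), and it uses constructed packet lines and constructed syslog lines rather than real data. It lists which external hosts talked to which local services, then splits external addresses into those seen in both the capture and syslog, those seen only in the capture (traffic with no log trail, worth a closer look), and those seen only in syslog (activity outside the capture window).

```python
"""Cross-reference external IPs in a packet capture with syslog entries.

Added example for the thread above; not the original poster's code.
Assumptions: tcpdump-style text export, local range 192.0.2.0/24.
All sample packets and log lines below are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed tcpdump-style summary lines (not real traffic).
CAPTURE = """\
19:22:01.100 IP 203.0.113.7.41234 > 192.0.2.10.21: Flags [S], seq 1
19:22:01.101 IP 192.0.2.10.21 > 203.0.113.7.41234: Flags [S.], seq 1
19:22:02.300 IP 198.51.100.23.55021 > 192.0.2.10.21: Flags [S], seq 1
19:22:05.000 IP 192.0.2.15.50000 > 192.0.2.1.53: 12345+ A? example.com
19:22:07.400 IP 203.0.113.7.41240 > 192.0.2.10.2048: Flags [S], seq 1
19:22:09.900 IP 203.0.113.50.33001 > 192.0.2.10.21: Flags [S], seq 1
"""

# Constructed syslog lines from the FTP server and the router (not real logs).
SYSLOG = """\
Dec 26 19:22:01 srv1 ftpd[1201]: connection from 203.0.113.7
Dec 26 19:22:02 srv1 ftpd[1203]: connection from 198.51.100.23
Dec 26 19:22:03 srv1 ftpd[1203]: FTP LOGIN FROM 198.51.100.23 as anonymous
Dec 26 18:50:44 srv1 ftpd[1188]: connection from 198.51.100.77
Dec 26 19:20:10 router kernel: dropped packet from 192.0.2.99 to 192.0.2.10
"""

# Assumption: the site's own address range. Change this for a real network.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

PKT_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+)")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def is_local(ip, local_nets=LOCAL_NETS):
    """True if ip falls inside one of the local ranges; malformed IPs count as not local."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in local_nets)


def parse_capture(text):
    """Return (src, sport, dst, dport) for every line that looks like an IP packet."""
    flows = []
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if m:
            src, sport, dst, dport = m.groups()
            flows.append((src, int(sport), dst, int(dport)))
    return flows


def external_peers(flows, local_nets=LOCAL_NETS):
    """Map each external IP to the sorted local (ip, port) endpoints it exchanged packets with.

    Packets entirely inside the local range, or entirely outside it, are ignored.
    """
    peers = defaultdict(set)
    for src, sport, dst, dport in flows:
        src_local, dst_local = is_local(src, local_nets), is_local(dst, local_nets)
        if dst_local and not src_local:
            peers[src].add((dst, dport))      # inbound packet: remote src hit local dst:dport
        elif src_local and not dst_local:
            peers[dst].add((src, sport))      # reply/outbound: local src:sport talked to remote dst
    return {ip: sorted(eps) for ip, eps in peers.items()}


def syslog_ips(text, local_nets=LOCAL_NETS):
    """Map each external IP mentioned anywhere in syslog to the lines that mention it."""
    seen = defaultdict(list)
    for line in text.splitlines():
        for ip in set(IP_RE.findall(line)):
            if not is_local(ip, local_nets):
                seen[ip].append(line)
    return dict(seen)


def correlate(capture_text, syslog_text, local_nets=LOCAL_NETS):
    """Split external IPs into those seen in both sources and those seen in only one."""
    cap = set(external_peers(parse_capture(capture_text), local_nets))
    log = set(syslog_ips(syslog_text, local_nets))
    return {
        "in_both": sorted(cap & log),
        "capture_only": sorted(cap - log),   # packets arrived but nothing logged them
        "syslog_only": sorted(log - cap),    # logged outside the capture window
    }


if __name__ == "__main__":
    for ip, endpoints in sorted(external_peers(parse_capture(CAPTURE)).items()):
        print(ip, "->", ", ".join(f"{host}:{port}" for host, port in endpoints))
    for bucket, ips in correlate(CAPTURE, SYSLOG).items():
        print(f"{bucket}: {ips}")
```

The "capture_only" bucket is the one to read first: a host that reached the FTP port in the capture but left no ftpd line means either the daemon did not log it or something other than ftpd is answering on that port, and the per-peer endpoint list shows which local ports each outside address touched. Run the script against a real export by replacing the CAPTURE and SYSLOG strings with file contents.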


