Re: compromised network

From: DT - Paulo Santos (psantos_at_ipiaget.net)
Date: 12/30/03

    To: Dana Rawson <absolutezero273c@nzoomail.com>
    Date: Tue, 30 Dec 2003 10:43:35 +0000
    
    

    Hi Dana,

    The best way to verify that there is nothing rogue left in your servers is to
    format/reinstall... But you may try some things first.
    Audit your systems with Nessus or some auditing tool of this kind.
    If everything looks 'normal' check for updates for your specific OS,
    install an IDS (Snort with the ACID frontend is a good example) and get
    a firewall in front of your servers. Try to minimize the risk...
    Read logs, keep your servers' OS updated and your firewall rules clean.

    Just my two cents...

    PS

    On Fri, 2003-12-26 at 19:21, Dana Rawson wrote:
    > Not sure where to start except by saying that my servers and router were compromised. Have locked down both servers and routers (at least I have attempted to do so) but what is the best way to verify that there is nothing rogue left active on the servers? Also, is there any legal action I should take (i.e. do I alert any authorities)? It appears that my network was targeted by a server in California and individuals from Australia, the Netherlands and the US were connecting using it as an FTP server. Was actually named "Revenge Server".
    >
    > I just installed Ethereal and am currently capturing packets but am not really sure how to read this or if there is any easier way to monitor all things. ...And to actually know how to read it.
    >
    > Will I be able to retrieve ip addresses from packets to match activity on my syslog and identify rogue traffic?
    >
    > This is all new to me so I apologize if my questions don't make sense or my approach is illogical.
    >

    -- 
    Regards,
     
    Paulo Santos
    Technology Division - Instituto Piaget
     
    Tel: +351 212 946 278
    E-mail: psantos@ipiaget.net
    Web: http://www.ipiaget.net
     
    This message is intended only for the use of the Addressee and may
    contain information that is CONFIDENTIAL.  If you are not the intended
    recipient, you are hereby notified that any dissemination of this
    communication is strictly prohibited.  If you have received this
    communication in error, please notify us immediately and erase all
    copies of the message and its attachments. Thank you.
    ___________________________________________
    DT – QUALITY IS OUR MAIN OBJECTIVE
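Dana asks whether the IP addresses in a packet capture can be matched against syslog to pick out rogue traffic. The following is an added example, not code from either poster: a standard-library Python script that walks an Ethernet/IPv4 libpcap file, tallies each remote address and the local TCP ports it connected to, and attaches every syslog line that mentions that address. The pcap builder, the two syslog lines and the 192.0.2.0/24 "local" prefix are constructed test data.

```python
import re
import struct
from collections import defaultdict

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

SYSLOG = [  # constructed sample lines, documentation-range addresses
    "Dec 26 18:02:11 srv1 ftpd[2210]: FTP LOGIN FROM 203.0.113.7 as anonymous",
    "Dec 26 18:05:40 srv1 sshd[2301]: Accepted password for admin from 198.51.100.9"]

def ipv4_frame(src, dst, dport):
    """Minimal Ethernet/IPv4/TCP frame for building test pcaps (checksums left zero)."""
    ip = b"\x45\x00\x00\x28\x00\x01\x00\x00\x40\x06\x00\x00"
    ip += bytes(map(int, src.split("."))) + bytes(map(int, dst.split(".")))
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HH", 40000, dport) + b"\x00" * 16

def pcap_file(frames):
    """Wrap frames in a little-endian microsecond libpcap file (constructed test data)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1072461071 + i, 0, len(f), len(f)) + f
    return out

def ipv4_flows(pcap_bytes):
    """Yield (src, dst, tcp_dport) for every IPv4 frame in an Ethernet pcap."""
    end = "<" if struct.unpack("<I", pcap_bytes[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        incl = struct.unpack(end + "I", pcap_bytes[off + 8:off + 12])[0]
        frame = pcap_bytes[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ihl = (frame[14] & 0x0F) * 4  # IP header length in bytes
        src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
        dport = struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0] if frame[23] == 6 and len(frame) >= 14 + ihl + 4 else None
        yield src, dst, dport

def correlate(pcap_bytes, syslog_lines, local_prefix="192.0.2."):
    """Per remote IP: packets seen, local ports it hit, and the syslog lines naming it."""
    report = defaultdict(lambda: {"packets": 0, "ports": set(), "log": []})
    for src, dst, dport in ipv4_flows(pcap_bytes):
        remote = dst if src.startswith(local_prefix) else src
        report[remote]["packets"] += 1
        if remote == src and dport is not None:
            report[remote]["ports"].add(dport)  # port on our side the remote connected to
    for line in syslog_lines:
        for ip in set(IP_RE.findall(line)) & report.keys():
            report[ip]["log"].append(line)
    return dict(report)
```

A remote address with many packets but no matching syslog line is the case worth a closer look, since it means traffic the host's own logging never recorded.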
    
