RE: compromised network

From: Yvan Boily (yboily_at_seccuris.com)
Date: 12/30/03

    To: <security-basics@securityfocus.com>
    Date: Tue, 30 Dec 2003 14:29:16 -0600
    
    

    The best way to respond in this case is related directly to how you wish to
    respond to the attacker.

    If you are planning to take legal action you should bring in outside help
    for forensic analysis, and also for the investigative process; if you are
    planning to involve the police then contact them and ask for advice from the
    computer crimes division.

    If you intend to respond to the incident yourself then you should decide
    what approach you want to take based on how you plan to approach the
    incident. Given the nature of your post I would imagine you do not
    have an incident response program in place.

    If you intend to learn from the attack [highly recommended :)] then you
    should make a copy of the affected hard drives before placing the systems
    back into production. If you have daily backups you may have more
    information than you think ;) I personally recommend replacing the drives
    with new ones, but only because I *hate* making images of 120GB drives for
    investigation ;) If new hardware is not an option, simply use any number of
    programs to extract all the data from the drives so that you can analyze it
    at your leisure.

    Once you have saved everything you need from the drives, or have new drives,
    then reinstall your operating systems on each system. Make sure that you
    follow the appropriate measures to harden your systems.

    Hardening Checklists for Windows NT/2k/XP
    http://www.nsa.gov/snac/index.html

    Another issue to consider is what information was compromised; if you had
    customer lists that were stolen, especially regarding CC info and whatnot,
    you should definitely consider acquiring legal assistance and notifying the
    proper authorities. You should also consider if any confidential or private
    business materials could have been stolen; even such trivial things as
    corporate letterheads can be used to damage your organization's reputation,
    or to employ extremely effective social engineering tactics against
    companies, customers and employees involved with your organization.
    Depending on the level of information the attacker was able to gain and the
    intentions of the attacker, you could be in for a rough ride.

    Regards,

    Yvan Boily

    -----Original Message-----
    From: Alvin Oga [mailto:alvin.sec@Virtual.Linux-Consulting.com]
    Sent: Monday, December 29, 2003 7:02 PM
    To: Raoul Armfield
    Cc: security-basics@securityfocus.com
    Subject: Re: compromised network

    hi ya

    > Best bet is to reinstall OS and software from known good media and
    > restore data from backups

    i say ... reinstall is about the worst possible thing to do

    what you want to ( need/should ) do as you notice a hacked box ...
    - you should know who hacked your box
    - you should know how they got in
    - you should know what other machines they attempted to break into
    - you should know when they come in
    - you should know who else has access to your box
    - you should know why they got into your box
    - you should know how to stop them from coming in again
    - you should know when the 1st time they got in ... and how many times
      they got in

    if you don't know any of the above, hire someone or find the security dude at
    your isp and tell him your box at ip# 1.2.3.4 is hacked and they can answer
    all of the above questions for you

    after the security dude says they have all they need, then you can either
    erase the disk and re-install and fix the hole and/or you have to leave the
    machine alone as evidence for trial

    c ya
    alvin
