Re: compromised network

From: Meritt James (meritt_james_at_bah.com)
Date: 12/31/03

  • Next message: Francisco Mário Ferreira Custódio: "RE: home wireless router good practices for security"
    Date: Wed, 31 Dec 2003 10:01:40 -0500
    To: erisk <erisk@iinet.net.au>
    
    

    I would not "flame", and while I would concur with your recommendation
    on the Incident Response plan I would hope that the "what to do legally"
    is either in that plan or handled by the "higher ups" in this case. In
    some instances there is an interest in legal persecution but in others
    there is not and recovery and hardening are the sole concerns and the
    legal route taken varies, along with the action taken.

    Jim

    erisk wrote:
    >
    > This might throw some flame into the group but I would disagree with most
    > people's responses here..
    >
    > Firstly do you have a formalised Incident Response plan? If so follow that to
    > the letter..Secondly you should, for legal reasons, contact a forensic
    > specialist to image the hard drives, capture packets etc, before wiping all
    > your data and consult him for further advice (if your company has the
    > budget). After this has all been done then follow standard hardening
    > procedures...
    >
    > ----- Original Message -----
    > From: "Glenn Pearl" <glennp@datasync.com>
    > To: "'Dana Rawson'" <absolutezero273c@nzoomail.com>;
    > <security-basics@securityfocus.com>
    > Sent: Tuesday, December 30, 2003 2:10 AM
    > Subject: RE: compromised network
    >
    > > The only way to really know that your systems are clean is to start over
    > > - reformat the hard drives, reinstall apps securely and restore data
    > > from backup. Do not allow any access to the boxes until you have
    > > completely locked them down.
    > >
    > > I am in the process of teaching myself these very steps. I'm using
    > > Windows 2000 and IIS 5, and working with the NSA Windows 2000 security
    > > guides and policy templates in combination with Stefan Norberg's
    > > "Securing Windows NT/2000 Servers for the Internet" (O'Reilly) and tons
    > > of notes courtesy these Security Focus lists (thanks, everybody!) and
    > > articles and Google. I'm also learning how to use scanning tools and
    > > IDS such as nmap, nessus, snort, etc.
    > >
    > > Legal action - I'm sure there are others on this list who are far more
    > > helpful than I at answering that one. Personally, I wouldn't waste any
    > > time with it or tracking the intruders via ethereal, and instead focus
    > > on lessening the chance of such compromises in the future. Search the
    > > list archives and GooGroups for info on firewalls, proxies, IDS...
    > >
    > > Glenn Pearl
    > >
    > > > -----Original Message-----
    > > > From: Dana Rawson [mailto:absolutezero273c@nzoomail.com]
    > > > Sent: Friday, December 26, 2003 1:22 PM
    > > > To: security-basics@securityfocus.com
    > > > Subject: compromised network
    > > >
    > > >
    > > >
    > > > Not sure where to start except by saying that my servers and router
    > > > were compromised. Have locked down both servers and routers (at least
    > > > I have attempted to do so) but what is the best way to verify that
    > > > there is nothing rogue left active on the servers? Also, is there any
    > > > legal action I should take (i.e. Do I alert any authorities)? It
    > > > appears that my network was targeted by a server in California and
    > > > individuals from Australia, the Netherlands and the US were connecting
    > > > using it as an FTP server. Was actually named "Revenge Server".
    > > >
    > > > I just installed Ethereal and am currently capturing packets but am
    > > > not really sure how to read this or if there is any easier way to
    > > > monitor all things. ...And to actually know how to read it.
    > > >
    > > > Will I be able to retrieve IP addresses from packets to match activity
    > > > on my syslog and identify rogue traffic?
    > > >
    > > > This is all new to me so I apologize if my questions don't make sense
    > > > or my approach is illogical.
    > > >

    -- 
    James W. Meritt CISSP, CISA
    Booz | Allen | Hamilton
    phone: (410) 684-6566
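Dana's question further up the thread, whether addresses pulled from a packet capture can be matched against syslog to pick out rogue traffic, is the kind of correlation a small script handles well. The following is an added example, not code from any of the posters. It assumes the capture has been exported as one connection per line in a constructed "<time> <src>:<sport> -> <dst>:<dport>" form (not Ethereal's own output format), that the syslog excerpt is a constructed sample using RFC 5737 documentation addresses, and that the administrator's own address range is known (here the hypothetical 192.0.2.0/24).

```python
"""Correlate source addresses seen in a packet capture with syslog entries.

Added example for the thread question about matching capture addresses
against syslog; not code from any poster. The capture format, the syslog
lines and the trusted network below are all constructed for illustration.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
CAPTURE_LINE_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")

# Constructed packet-summary export: one TCP connection per line
# ("<time> <src_ip>:<src_port> -> <dst_ip>:<dst_port>", not an Ethereal format).
CAPTURE_EXPORT = """\
13:21:58 198.51.100.7:51234 -> 192.0.2.10:21
13:22:03 203.0.113.44:40001 -> 192.0.2.10:21
13:22:09 192.0.2.25:3389 -> 192.0.2.10:445
13:22:15 198.51.100.7:51240 -> 192.0.2.10:21
13:23:01 203.0.113.44:40002 -> 192.0.2.10:22
"""

# Constructed syslog excerpt from the FTP host "srv1" (documentation addresses).
SYSLOG_EXCERPT = """\
Dec 26 13:21:58 srv1 ftpd[812]: connection from 198.51.100.7
Dec 26 13:22:03 srv1 ftpd[813]: connection from 203.0.113.44
Dec 26 13:22:04 srv1 ftpd[813]: USER anonymous
Dec 26 13:22:15 srv1 ftpd[815]: connection from 198.51.100.7
Dec 26 13:23:01 srv1 sshd[900]: Accepted password for admin from 203.0.113.44 port 40002
Dec 26 13:25:40 srv1 cron[77]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Address ranges the administrator recognises as their own (assumed value).
TRUSTED_NETS = [ip_network("192.0.2.0/24")]


def parse_capture(text):
    """Return a list of (time, src_ip, dst_ip, dst_port) from the export text."""
    records = []
    for line in text.splitlines():
        m = CAPTURE_LINE_RE.match(line.strip())
        if m:
            t, src, _sport, dst, dport = m.groups()
            records.append((t, src, dst, int(dport)))
    return records


def extract_ips(line):
    """Every IPv4 address mentioned anywhere in a syslog line."""
    return set(IPV4_RE.findall(line))


def is_trusted(ip):
    """True when the address falls inside one of the administrator's own ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def correlate(capture_text, syslog_text):
    """Map each untrusted capture source to the ports it reached and the
    syslog lines that name it, so packet evidence and host logs line up."""
    by_src = defaultdict(lambda: {"ports": set(), "syslog": []})
    for _t, src, _dst, dport in parse_capture(capture_text):
        if not is_trusted(src):
            by_src[src]["ports"].add(dport)
    for line in syslog_text.splitlines():
        for ip in extract_ips(line):
            if ip in by_src:
                by_src[ip]["syslog"].append(line)
    return dict(by_src)


def rogue_ftp_sources(capture_text, syslog_text):
    """Untrusted sources that reached the FTP control port (21), sorted."""
    return sorted(src for src, info in correlate(capture_text, syslog_text).items()
                  if 21 in info["ports"])


if __name__ == "__main__":
    for src, info in sorted(correlate(CAPTURE_EXPORT, SYSLOG_EXCERPT).items()):
        print(f"{src}: ports {sorted(info['ports'])}, {len(info['syslog'])} syslog line(s)")
        for line in info["syslog"]:
            print("   ", line)
```

Run as a script it lists each outside address with the ports it touched and the syslog lines that mention it; in the constructed sample both outside hosts hit port 21, and one of them also shows up in an accepted SSH login, which is exactly the sort of pairing worth keeping alongside the drive images and captures the earlier replies recommend preserving. Real exports will need the capture regex adjusted to whatever the sniffer actually writes out.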
    
