Re: We've been compromised, now what...
From: Dazza (cashdj@hotmail.com) Date: 05/29/02
- Next message: RCC: "Re: We've been compromised, now what..."
- Previous message: chris@nospam.com: "Re: We've been compromised, now what..."
- In reply to: Nameless User: "We've been compromised, now what..."
- Next in thread: Jeff Cochran: "Re: We've been compromised, now what..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: cashdj@hotmail.com (Dazza) Date: Wed, 29 May 2002 04:28:59 GMT
On Tue, 28 May 2002 19:51:09 GMT, a rather disgusting and pathetic
creature named Archangel was seen shoving live gerbils down his own
underpants, while Nameless User <notvalid@notvalid.com> giggled and
pointed at him.
>Hello,
>
>Our organization has a small network with fewer than 30 clients, one pdc,
>and one bdc. There are about 20 accounts. The pdc running WinNT 4 Server
>is also a web server (iis 4) and the bdc running WinNT 4 Server is also an
>exchange 5.5 server. I was almost completely patched at the time of the
>attack, only missing items from mid-April (and I fully patched it after I
>detected an intrusion).
Read the following document, and you will see how easy it was for an
intruder to gather information about your users etc.
http://newdata.box.sk/2000b/wardoc.zip
Having the latest patches doesn't mean squat IF the system isn't
configured properly for security in the first place.
>The attacker got a list of users first (all the users from the user
>manager and also a list of computer names) and then proceeded to test each
>user's account for weak passwords (one successful attempt). This account
>was one of my least trusted accounts (in terms of privileges), but I'm
>guessing that doesn't matter.
See the above NT Wardoc text.
>Three days later I noticed this and changed the weak password. But I'm
>assuming this isn't the end of this problem...
Not unless you increase security ASAP.
>
>I have noticed a large increase in the number of IUSR_compname entries in
>the event viewer for my pdc, and a few for my bdc. Is this to be
>expected?
>
>I am trying to lock everything down, what can I do at this point (aside
>from starting everything from scratch).
Unless you *know* that you definitely haven't been cracked, I would
suggest rebuilding that server from the beginning.
>
>I have been going through the iis logs on my pdc and haven't found
>anything out of the ordinary (aside from the usual attempts to find
>.exe's, etc. which all result in 404 or 500).
>
>I am planning on forcing a password change for every user as well.
You should already have done this, right after you found out.
>
>I ran two different virus scans, both had positive results.
>
>I ran Steve Gibson's probe test and didn't see anything out of the
>ordinary.
>
>I also backed up all data (web site, data files, e-mail, etc.).
>
>Basically, where should I look to find out what this intruder is trying to
>do, has done, etc.? What should I look for on my system that are sure
>signs of an intruder? How can I prevent this intruder from gaining access
>to my system in the future (since he/she probably used the low level
>account to gain access to my system in other ways).
You should understand DMZs (i.e. how they work and what they do), use a
good firewall, don't expose a PDC to the outside world unnecessarily
(nor an internal network for that matter), enforce a strong password
policy, use a separate box for IIS and keep it in the DMZ, learn
about security tools, and keep up-to-date with the latest security
news.
Some links which may be of interest are:
http://www.cit.cornell.edu/computer/security/iis/
http://online.securityfocus.com/infocus/1312
http://www.microsoft.com/serviceproviders/whitepapers/iis_security_P73766.asp
http://www-csi.fnal.gov/talks/securingiis-10302001/default_files/frame.htm
Hope this helps.
Dazz
>Thanks all.
>
>- Name Withheld
God in a dustbin
Means faith can be anything
What does it take to replace
All those simple things?
God In A Dustbin - Falling Joys
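The original poster describes exactly the pattern a defender should be pulling out of the Security log: one source trying every enumerated account until a weak password on a low-privilege account lets it in. The script below is an added example, not code from the post or from anyone in this thread. It assumes the NT Security log has been exported to a tab-separated text file with the columns date, time, event ID, account, source workstation (the sample lines are constructed), and it uses event 529 ("Logon Failure: Unknown user name or bad password") and 528 ("Successful Logon") as NT4 and Windows 2000 record them. It flags accounts that were guessed against, sources that sprayed many accounts, and, the case that matters most here, accounts whose successful logon followed repeated failures from the same source.

```python
"""Find password guessing and the 'one successful attempt' in an exported NT Security log.

Added example, not part of the original mailing-list post. Assumed input format
(constructed for this example): one event per line, tab-separated:
    date<TAB>time<TAB>event_id<TAB>account<TAB>source
Event IDs follow NT4 / Windows 2000: 529 = failed logon (bad password or
unknown user), 528 = successful logon.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 529
SUCCESSFUL_LOGON = 528

# Constructed sample export: one unknown source walks through three accounts,
# guesses 'temp' correctly; later jsmith mistypes once from his own workstation.
SAMPLE_LOG = """\
2002-05-25\t02:10:01\t529\tjsmith\tWS-UNKNOWN
2002-05-25\t02:10:02\t529\tjsmith\tWS-UNKNOWN
2002-05-25\t02:10:03\t529\tjsmith\tWS-UNKNOWN
2002-05-25\t02:10:04\t529\tjsmith\tWS-UNKNOWN
2002-05-25\t02:10:05\t529\tjsmith\tWS-UNKNOWN
2002-05-25\t02:10:06\t529\tbjones\tWS-UNKNOWN
2002-05-25\t02:10:07\t529\tbjones\tWS-UNKNOWN
2002-05-25\t02:10:08\t529\ttemp\tWS-UNKNOWN
2002-05-25\t02:10:09\t529\ttemp\tWS-UNKNOWN
2002-05-25\t02:10:10\t528\ttemp\tWS-UNKNOWN
2002-05-25\t08:30:00\t529\tjsmith\tWS-JSMITH
2002-05-25\t08:30:20\t528\tjsmith\tWS-JSMITH
"""


def parse_log(text):
    """Return a time-sorted list of (timestamp, event_id, account, source)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, event_id, account, source = line.split("\t")
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        # Account names are case-insensitive on NT; normalise for counting.
        events.append((ts, int(event_id), account.lower(), source))
    events.sort()
    return events


def find_guessing(events, window=timedelta(minutes=10),
                  fail_threshold=4, spray_accounts=3, fails_before_success=2):
    """Classify the events.

    guessed     : accounts with >= fail_threshold failures inside `window`
    sprayed     : sources that failed against >= spray_accounts distinct
                  accounts inside `window`
    compromised : accounts whose successful logon came from a source that had
                  failed against that same account >= fails_before_success
                  times inside `window` (a single prior failure is treated as
                  a typo, not a compromise)
    """
    fails_by_account = defaultdict(list)        # account -> [ts]
    fails_by_source = defaultdict(list)         # source  -> [(ts, account)]
    fails_by_pair = defaultdict(list)           # (account, source) -> [ts]
    guessed, sprayed, compromised = set(), set(), set()

    for ts, eid, account, source in events:
        if eid == FAILED_LOGON:
            fails_by_account[account].append(ts)
            fails_by_source[source].append((ts, account))
            fails_by_pair[(account, source)].append(ts)

            recent = [t for t in fails_by_account[account] if ts - t <= window]
            if len(recent) >= fail_threshold:
                guessed.add(account)

            targets = {a for t, a in fails_by_source[source] if ts - t <= window}
            if len(targets) >= spray_accounts:
                sprayed.add(source)

        elif eid == SUCCESSFUL_LOGON:
            prior = [t for t in fails_by_pair[(account, source)] if ts - t <= window]
            if len(prior) >= fails_before_success:
                compromised.add(account)

    return {"guessed": sorted(guessed),
            "sprayed": sorted(sprayed),
            "compromised": sorted(compromised)}


if __name__ == "__main__":
    findings = find_guessing(parse_log(SAMPLE_LOG))
    for kind, names in findings.items():
        print(f"{kind:12s}: {', '.join(names) or '-'}")
```

Run it against a real export by replacing SAMPLE_LOG with the file contents; the accounts in "compromised" are the ones whose passwords must change first, and the sources in "sprayed" are what to look for in the IIS logs and firewall logs for the same time window.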