Re: We've been compromised, now what...
From: rr (smrtalec@earthlink.net) Date: 05/28/02
- Next message: dr.emailposter: "Re: Flaw in router"
- Previous message: Axel Hammer: "Re: We've been compromised, now what..."
- In reply to: Nameless User: "We've been compromised, now what..."
- Next in thread: HC: "Re: We've been compromised, now what..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "rr" <smrtalec@earthlink.net> Date: Tue, 28 May 2002 20:43:42 GMT
>
> I also backed up all data (web site, data files, e-mail, etc.).
>
> Basically, where should I look to find out what this intruder is trying to
> do, has done, etc.? What should I look for on my system that are sure
> signs of an intruder? How can I prevent this intruder from gaining access
> to my system in the future (since he/she probably used the low level
> account to gain access to my system in other ways).
I'm no expert, but with NT machines the trick is to find a root kit weakness, then set up an account or entry that you can enter in at a later date. Or they set up services running in the background for use as DoS attacks. Also look out for Back Orifice servers running; look up bo2k.com. This is probably the most useful post-hack program because it installs from any user and allows you to use the system as a router and anything the user can do themselves. As far as how to clean it up: lock down your network with a firewall. You should not be allowing any sort of login via the net unless it's via a VPN that uses a call back. This way the user has to verify their address before they login. Also lock out all outgoing and incoming traffic. What does go through should be controlled using a proxy. If you wish to catch your would-be attacker, set up a fake PDC in a somewhat available portion of your network. Then have a program like tekfact (sorry, no link) that will monitor everything that happens locally, and also log every packet that goes to and fro. At the least you should be able to trace back to a service provider and report the exploit. Keep in mind the account being used to hack into your system is probably hacked also. Hope I helped.

As a future note, when you set up your system get an old P100 and set it up as a decoy PDC. I have done this in the past just to see what script kiddies are doing. I'm guessing your points of entry would be via IIS, Exchange server, and any NetBEUI/NetBIOS ports that you may have had exposed to the net. Patches alone are not the only way to stay hacker free; most patches are future exploits, so also read hacker sites like 2600, rootkit, CERT and so forth.
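The triage checks the reply above describes (backdoor accounts, services left running in the background, Back Orifice listeners), as an added PowerShell example. It is not part of the original post, and the thread predates PowerShell; it assumes a current Windows host with PowerShell 5.1 or later, an elevated prompt, and the historical default Back Orifice and BO2K ports, which an attacker can change. The "trusted" binary paths are an assumption about a typical install and will need adjusting for your own baseline.

```powershell
# Added example (not from the original post): a quick triage of the indicators
# the reply lists. Run from an elevated prompt on PowerShell 5.1+. Cmdlets used:
# Get-LocalUser, Get-LocalGroupMember, Get-CimInstance (Win32_Service),
# Get-NetTCPConnection, Get-NetUDPEndpoint, Get-Process.

# Assumption: historical default listening ports of Back Orifice (31337/udp)
# and BO2K (54320/tcp, 54321/udp). They are configurable, so a hit is a prompt
# to look closer and a miss is not evidence of a clean host.
$KnownBackdoorPorts = @{
    'udp/31337' = 'Back Orifice default'
    'tcp/54320' = 'BO2K default'
    'udp/54321' = 'BO2K default'
}

# 1. Local accounts: who can log on, and who sits in Administrators.
Write-Host "== Local accounts =="
Get-LocalUser |
    Select-Object Name, Enabled, LastLogon, PasswordLastSet, Description |
    Format-Table -AutoSize

Write-Host "== Members of Administrators =="
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# 2. Services whose binary lives outside the usual system locations.
#    Attacker-installed services (DoS agents, BO2K) rarely sit under
#    %SystemRoot% or Program Files. Assumption: your baseline may legitimately
#    differ, so review these rather than deleting blindly.
Write-Host "== Services with binaries outside system paths =="
$trusted = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
Get-CimInstance Win32_Service |
    Where-Object {
        $path = $_.PathName
        # PathName may be quoted ("C:\...") or bare; match either form.
        $path -and -not ($trusted | Where-Object { $path -like "`"$_*" -or $path -like "$_*" })
    } |
    Select-Object Name, State, StartMode, StartName, PathName |
    Format-Table -AutoSize -Wrap

# 3. Listening sockets mapped to their owning process, with the known
#    backdoor ports called out in a Flag column.
Write-Host "== Listening sockets =="
$tcp = Get-NetTCPConnection -State Listen | ForEach-Object {
    [pscustomobject]@{ Proto = 'tcp'; Port = $_.LocalPort; Addr = $_.LocalAddress; ProcessId = $_.OwningProcess }
}
$udp = Get-NetUDPEndpoint | ForEach-Object {
    [pscustomobject]@{ Proto = 'udp'; Port = $_.LocalPort; Addr = $_.LocalAddress; ProcessId = $_.OwningProcess }
}

@($tcp) + @($udp) | Sort-Object Proto, Port | ForEach-Object {
    $proc = Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue
    $key  = "$($_.Proto)/$($_.Port)"
    [pscustomobject]@{
        Proto     = $_.Proto
        Port      = $_.Port
        Address   = $_.Addr
        ProcessId = $_.ProcessId
        Process   = if ($proc) { $proc.ProcessName } else { '?' }
        Path      = if ($proc) { $proc.Path } else { '' }
        Flag      = if ($KnownBackdoorPorts.ContainsKey($key)) { $KnownBackdoorPorts[$key] } else { '' }
    }
} | Format-Table -AutoSize -Wrap
```

Run it once on a known-good build and keep the output; the useful signal during an incident is the difference from that baseline (a new account, a new admin group member, a service or listener that was not there before), not any single row on its own. As the reply notes, a host that has been rooted can lie about all of this, so confirm from a trusted boot medium or network capture before relying on it.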