RE: HACKED - redLine - SaCReD Seer© 2006



Panda_man wrote:

"Sherdy" wrote:

We currently host about 30-odd servers in various configurations; this is
the only server to have been affected.



What about rootkits already installed on the other servers by this
hacker... You can never be 100% sure that the others are not affected.

Nothing to comment. Obviously this computer wasn't protected enough.

You also say you have ports opened for the public. You should use at
least one router with NAT and SPI firewall protections and all ports
closed and stealth for the public. You can communicate with the
workstations in your corporation but you should isolate your network from
the internet and this is done with the router.

This is called a DMZ... Why are you recommending him to use NAT? How is that
going to help him? By just hiding the IP? Security by obscurity is
dangerous to advise people to do...

Most companies also include
malware protection just behind the router so that they also protect the
gates before even entering any computer. Panda Software and Symantec both
offer good gate defenders which can scan for all kinds of malware, plus both
have intrusion prevention systems.

So if you had a router with NAT and SPI and if you had a gate scanner
protecting your network from the outside world, you would not now worry
about this :)

How would that have helped him if the hack was done in the web application?
In fact, NAT would be useless...and maybe SPI also...

To sum up, I'd like to offer that you reinstall Windows on the affected
computer and on the suspected one and then protect them as much as possible with
the things suggested above :)


He is better off looking at *what* is installed and how authentication is
being done. For example, what is the web application(s) he is running? How
are they authenticating? Via LDAP? Via a database? If a database, SQL
injection must be looked at, etc., etc., etc.....


Imhotep



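The last point in the thread, that a database-backed login must be checked for SQL injection, is easiest to see with the two forms side by side. The following is an added example, not code from anyone in this thread: a login check that splices the username into the SQL text next to the same check written with bound parameters, run against a constructed in-memory SQLite table with one sample account. The table, the account and the sample inputs are all constructed for the example; a real deployment would also use a salted, slow password hash rather than the bare SHA-256 used here to keep the code short.

```python
import hashlib
import hmac
import sqlite3


def make_db():
    """Build a constructed in-memory users table with one sample account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    # Sample credentials, constructed for this example only.
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("alice", hashlib.sha256(b"correct horse").hexdigest()),
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Login check built by string formatting: the username becomes part of
    the SQL text, so a quote or comment sequence in it rewrites the WHERE
    clause and the password comparison can be dropped entirely."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND pw_hash = '%s'"
        % (username, hashlib.sha256(password.encode()).hexdigest())
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    """Hardened form: the SQL structure is fixed and the username is bound as
    data, so its contents can never alter the query. The hash comparison is
    also done in Python with a constant-time compare."""
    row = conn.execute(
        "SELECT pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(row[0], candidate)


def audit_login_functions(conn):
    """Run both versions over the same constructed inputs and report which
    ones accept a request whose password is wrong. The third input carries a
    quote and an SQL comment marker in the username field, the kind of value
    a review of a concatenated query is meant to catch."""
    cases = [
        ("alice", "correct horse"),   # valid credentials
        ("alice", "wrong password"),  # wrong password, must be rejected
        ("alice' --", "anything"),    # malformed username, must be rejected
    ]
    return {
        "vulnerable": [login_vulnerable(conn, u, p) for u, p in cases],
        "parameterized": [login_parameterized(conn, u, p) for u, p in cases],
    }


if __name__ == "__main__":
    db = make_db()
    for name, results in audit_login_functions(db).items():
        print(f"{name:14s} -> {results}")
```

Running the audit shows the parameterized version accepting only the genuine credentials, while the concatenated version also accepts the malformed username: once the SQL text is altered the password check is no longer part of the query at all, which is why the review Imhotep describes has to look at how each query is built, not only at which accounts exist.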