Security Basics mailing list archives

Re: compromised network
From: H Carvey <keydet89 () yahoo com>
Date: 31 Dec 2003 17:08:15 -0000

In-Reply-To: <20031226192145.24860.qmail () sf-www1-symnsj securityfocus com>


First off, from what you've provided in your post, it doesn't seem at all that your network or your routers were 
compromised.  It sounds more as if your firewall rulesets were a bit lax, and someone was allowed access to systems on 
your network.

> Not sure where to start except by saying that my servers and router were compromised.

Again...what makes you think this?  You stated at the end of your post that this is all new to you, so it might be 
helpful if you could describe what it is that makes you think that your router was compromised, as well as your servers.

> Have locked down both servers and routers (at least I have attempted to do so) but what is the best way to verify 
> that there is nothing rogue left active on the servers?

That question indicates that you aren't aware of what normal processes and activities occur on your systems.  After 
all, wouldn't you know what was "rogue", if you knew what *should* be there?  Anything active on a server is going to 
be running as a process...if you're familiar with normal processes on a system, and you've "locked them down", then you 
should be able to easily spot the rogue processes.

> Also, is there any legal action I should take (i.e. Do I alert any authorities)?

In the US, the Attorney General has mandated that a financial loss of $5000 must be demonstrated in order to involve 
the FBI.  In reality, that number is much higher.  

Even if you are in the US, you've already said that you've "locked down both servers and routers"...in essence, you've 
destroyed your crime scene.  

> It appears that my network was targeted by a server in California and individuals from Australia, Netherlands and the 
> US were connecting using it as an FTP server.  Was actually named "Revenge Server".

First off, servers don't target other systems.

Second, from what you've said, it would appear that someone installed this "Revenge Server" on at least one of your 
servers.  This begs the question, "how did someone on the outside have the level of access to your systems to install 

In the responses I've already seen in the list, there have been several suggestions to start fresh.  The reason you DO 
NOT want to do that right away is that you haven't tracked down the infection vector...how did the original bad guy get 
in and install this "Revenge Server"?  If you never determine the root cause and just start over, the incident is just 
going to happen again.

> I just installed Ethereal and am currently capturing packets but am not really sure how to read this or if there is 
> any easier way to monitor all things. ...And to actually know how to read it.

Two things...

1.  I hate to be blunt about this, but if you don't know what you're doing, why are you doing it?

2.  Are you capturing packets of the "Revenge Server" being used by someone?  If so, why haven't you disabled it?  
Wouldn't that make sense?

> Will I be able to retrieve IP addresses from packets to match activity on my syslog and identify rogue traffic?

To the first part of your question, yes.  To the rest of it...what?  First off, do you *have* syslog?  Second, is it 
being stored anywhere?  Third, of what use would syslog be if you already have the packet captures?

In order to provide the assistance you're looking for, a lot more information is needed.  I don't really have much of 
an idea of why you (or anyone else who responded) felt that law enforcement would provide any benefit in a situation 
like this.  After all, mucking about with the systems is bad enough, but blowing the systems away and then calling the 
LEOs...what "evidence" would they have at that point?
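The point above about knowing what *should* be running is the basis of the simplest rogue-process check there is: record a process list from the host while it is trusted, then diff a current snapshot against it. The script below is an added example, not code from this post or its author; it works on the column layout that `ps -eo pid,user,comm,args` prints, and both snapshots (including the `/tmp` and `/dev/shm` entries) are constructed to show what a planted server and a replaced daemon look like next to a clean baseline. The list of "suspect" directories is an assumption for the example.

```python
from collections import namedtuple

Proc = namedtuple("Proc", "pid user comm args")

# Directories a legitimate daemon on this host has no business executing from
# (assumption for this example; tune to the host).
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Known-good snapshot, as `ps -eo pid,user,comm,args` prints it, recorded while
# the host was still trusted.  Constructed for this example.
BASELINE_PS = """\
  PID USER     COMMAND         COMMAND
    1 root     init            /sbin/init
  412 root     syslogd         /sbin/syslogd -m 0
  433 root     sshd            /usr/sbin/sshd
  501 root     inetd           /usr/sbin/inetd
  520 ftp      proftpd         /usr/sbin/proftpd
"""

# Snapshot of the same host taken during the incident.  Constructed: the
# /tmp and /dev/shm entries are made up to show a planted server and a
# replaced daemon beside the baseline.
CURRENT_PS = """\
  PID USER     COMMAND         COMMAND
    1 root     init            /sbin/init
  412 root     syslogd         /sbin/syslogd -m 0
  433 root     sshd            /usr/sbin/sshd
  501 root     inetd           /usr/sbin/inetd
  520 ftp      proftpd         /usr/sbin/proftpd
 7713 ftp      sh              sh -c /tmp/.ICE-unix/.x/serv -p 31337
 7714 ftp      serv            /tmp/.ICE-unix/.x/serv -p 31337
 7801 root     sshd            /dev/shm/sshd -f /dev/shm/sshd_config
"""


def parse_ps(text):
    """Turn `ps -eo pid,user,comm,args` output into Proc tuples (header skipped)."""
    procs = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) == 4:
            pid, user, comm, args = parts
            procs.append(Proc(int(pid), user, comm, args))
    return procs


def find_rogue(baseline, current):
    """Return [(pid, executable, [reasons])] for every process that deviates
    from the baseline: unknown (user, name) pairs, known names backed by a
    different binary, or anything executing from a world-writable directory."""
    expected_exe = {(p.user, p.comm): p.args.split()[0] for p in baseline}
    findings = []
    for p in current:
        exe = p.args.split()[0]
        reasons = []
        known = expected_exe.get((p.user, p.comm))
        if known is None:
            reasons.append("not in baseline")
        elif known != exe:
            reasons.append("baseline name, unexpected binary (baseline: %s)" % known)
        if exe.startswith(SUSPECT_DIRS):
            reasons.append("executing from world-writable directory")
        if reasons:
            findings.append((p.pid, exe, reasons))
    return findings


def audit():
    """Diff the constructed incident snapshot against the constructed baseline."""
    return find_rogue(parse_ps(BASELINE_PS), parse_ps(CURRENT_PS))


if __name__ == "__main__":
    for pid, exe, reasons in audit():
        print("PID %5d %-30s %s" % (pid, exe, "; ".join(reasons)))
```

The caveat a practitioner will already have in mind: `ps` on a compromised host can lie, since a trojaned `ps` or a kernel module can hide processes. Treat the snapshot as a first pass, and confirm anything interesting from a trusted binary or an offline image.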

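The question of whether packet captures can be matched against syslog has a concrete answer: yes, if you reduce the capture to (source, destination, port) records and pull IP addresses out of the log lines, then look for peers that hit ports you never meant to expose, and for peers the capture saw but syslog never recorded. The script below is an added example, not code from this post or its author. It assumes input in the shape that `tshark -T fields -e ip.src -e ip.dst -e tcp.dstport` prints (tshark being the command-line companion of Ethereal's successor, Wireshark); the capture lines, the syslog lines, the internal address range and the allow-list of exposed ports are all constructed for the example, using RFC 5737 documentation addresses.

```python
import ipaddress
import re
from collections import defaultdict

# Address space that belongs to us, and the services we intend to expose.
# Both are assumptions for this example (RFC 5737 documentation ranges).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
EXPECTED_PORTS = {21, 22}

# Connection summary in the shape that
#   tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e tcp.dstport
# prints, one packet per line.  Constructed, not from a real capture.
CAPTURE = """\
203.0.113.45\t192.0.2.10\t21
192.0.2.10\t203.0.113.45\t53001
198.51.100.7\t192.0.2.10\t21
198.51.100.7\t192.0.2.10\t31337
192.0.2.20\t192.0.2.10\t22
203.0.113.200\t192.0.2.10\t31337
"""

# Syslog from the same server over the same window.  Constructed.
SYSLOG = """\
Dec 27 03:14:22 srv1 proftpd[520]: connection from 203.0.113.45
Dec 27 03:14:30 srv1 proftpd[520]: USER anonymous: Login successful
Dec 27 03:20:01 srv1 proftpd[520]: connection from 198.51.100.7
Dec 27 03:41:15 srv1 sshd[433]: Accepted password for admin from 192.0.2.20 port 40112
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_peers(capture):
    """External source IP -> set of ports it connected to on our hosts."""
    peers = defaultdict(set)
    for line in capture.splitlines():
        src, dst, dport = line.split("\t")
        # Non-TCP packets leave tcp.dstport empty; skip them and outbound traffic.
        if dport and not is_internal(src) and is_internal(dst):
            peers[src].add(int(dport))
    return peers


def syslog_ips(syslog):
    """Every IP mentioned in syslog -> the lines that mention it."""
    seen = defaultdict(list)
    for line in syslog.splitlines():
        for ip in IP_RE.findall(line):
            seen[ip].append(line)
    return seen


def correlate(capture, syslog):
    """Per external peer: ports hit, whether syslog knows it at all, and which
    of those ports are outside the set of services we meant to expose."""
    logged = syslog_ips(syslog)
    report = {}
    for ip, ports in external_peers(capture).items():
        report[ip] = {
            "ports": sorted(ports),
            "in_syslog": ip in logged,
            "unexpected_ports": sorted(ports - EXPECTED_PORTS),
        }
    return report


def rogue_peers(report):
    """External hosts that reached a port we never meant to expose."""
    return sorted(ip for ip, r in report.items() if r["unexpected_ports"])


if __name__ == "__main__":
    rep = correlate(CAPTURE, SYSLOG)
    for ip, r in sorted(rep.items()):
        print("%-15s ports=%s syslog=%s unexpected=%s"
              % (ip, r["ports"], r["in_syslog"], r["unexpected_ports"]))
    print("rogue peers:", rogue_peers(rep))
```

In the constructed data the planted listener on port 31337 never writes to syslog, so the peer that only ever talked to it is invisible in the logs and shows up only in the capture; that is exactly the gap between "what the daemons chose to log" and "what actually crossed the wire". The correlation is only as good as the logs that survived, which is why the earlier question of whether syslog is being stored anywhere, and preferably off the box, matters.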