Security Basics mailing list archives
RE: compromised network
From: "Yvan Boily" <yboily () seccuris com>
Date: Tue, 30 Dec 2003 14:29:16 -0600
The best way to respond in this case is related directly to how you wish to respond to the attacker. If you are planning to take legal action you should bring in outside help for forensic analysis, and also for the investigative process; if you are planning to involve the police then contact them and ask for advice from the computer crimes division. If you intend to respond to the incident yourself then you should decide what approach you want to take based on how you plan to approach the incident. Given the nature of your post I would imagine you do not have an incident response program in place.

If you intend to learn from the attack [highly recommended :)] then you should make a copy of the affected hard drives before placing the systems back into production. If you have daily backups you may have more information than you think ;) I personally recommend replacing the drives with new ones, but only because I *hate* making images of 120GB drives for investigation ;) If new hardware is not an option, simply use any number of programs to extract all the data from the drives so that you can analyze it at your leisure.

Once you have saved everything you need from the drives, or have new drives, then reinstall your operating systems on each system. Make sure that you follow the appropriate measures to harden your systems.

Hardening Checklists for Windows NT/2k/XP
http://www.nsa.gov/snac/index.html

Another issue to consider is what information was compromised; if you had customer lists that were stolen, especially regarding CC info and what not, you should definitely consider acquiring legal assistance and notifying the proper authorities.

You should also consider if any confidential or private business materials could have been stolen; even such trivial things as corporate letterheads can be used to damage your organization's reputation, or to employ extremely effective social engineering tactics against companies, customers and employees involved with your organization. Depending on the level of information the attacker was able to gain and the intentions of the attacker, you could be in for a rough ride.

Regards,
Yvan Boily

-----Original Message-----
From: Alvin Oga [mailto:alvin.sec () Virtual Linux-Consulting com]
Sent: Monday, December 29, 2003 7:02 PM
To: Raoul Armfield
Cc: security-basics () securityfocus com
Subject: Re: compromised network

hi ya

> Best bet is to reinstall OS and software from known good media and restore data from backups

i say ... reinstall is about the worst possible thing to do

what you want to ( need/should ) do as you notice a hacked box ...
- you should know who hacked your box
- you should know how they got in
- you should know what other machines they attempted to break into
- you should know when they come in
- you should know who else has access to your box
- you should know why they got into your box
- you should know how to stop them from coming in again
- you should know when the 1st time they got in ... and how many times they got in

if you don't know any of the above, hire someone or find the security dude at your isp and tell him your box at ip# 1.2.3.4 is hacked and they can answer all of the above questions for you

after the security dude says they have all they need, then you can either erase the disk and re-install and fix the hole and/or you have to leave the machine alone as evidence for trial

c ya
alvin
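Both replies above turn on the same step: copy the affected drives before anything is reinstalled, and keep that copy usable as evidence. The script below is an added example, not code from the thread, showing one way to do that on a Unix host: a sector-by-sector dd image, with the source and the image hashed and logged so the copy can be shown to match the original later. It assumes POSIX sh with dd and sha256sum (or shasum) available, and that the source device is unmounted or mounted read-only.

```shell
#!/bin/sh
# Added example (not from the original thread): acquire a forensic image of a
# drive and record hashes for later verification.
# Assumptions: POSIX sh; dd and sha256sum (or shasum) on PATH; SRC is a block
# device such as /dev/sdb, or any regular file for a dry run.
# Usage: . ./acquire.sh; acquire_image /dev/sdb /evidence/sdb.dd /evidence/custody.log

hash_file() {
    # Print the SHA-256 of a file; prefer coreutils, fall back to shasum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# acquire_image SRC DEST LOG
# Copies SRC to DEST one 512-byte sector at a time. conv=noerror keeps going
# past unreadable sectors and conv=sync pads each such sector with zeros, so
# offsets in the image still line up with the original drive. Both hashes are
# appended to LOG; the function returns 0 only if image and source match.
acquire_image() {
    src=$1; dest=$2; log=$3
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    # Never clobber an existing image: evidence is write-once.
    [ -e "$dest" ] && { echo "refusing to overwrite $dest" >&2; return 2; }

    src_hash=$(hash_file "$src")
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>/dev/null
    img_hash=$(hash_file "$dest")

    {
        echo "date:     $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "operator: $(id -un)"
        echo "source:   $src  sha256=$src_hash"
        echo "image:    $dest  sha256=$img_hash"
        [ "$src_hash" = "$img_hash" ] && echo "verified: yes" || echo "verified: NO"
    } >> "$log"

    [ "$src_hash" = "$img_hash" ]
}
```

A mismatch after a run means the source had unreadable sectors (padded with zeros in the image) or changed while being read; either way the log records it, and the image should be treated as partial rather than silently trusted.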
Current thread:
- compromised network Dana Rawson (Dec 29)
- RE: compromised network Raoul Armfield (Dec 29)
- Re: compromised network Alvin Oga (Dec 30)
- RE: compromised network Yvan Boily (Dec 31)
- Re: compromised network Alvin Oga (Dec 30)
- RE: compromised network Glenn Pearl (Dec 29)
- Re: compromised network erisk (Dec 30)
- Re: compromised network Jason Coombs (Dec 31)
- Re: compromised network Meritt James (Dec 31)
- Re: compromised network erisk (Dec 30)
- Re: compromised network Lard van den Berg (Dec 30)
- Re: compromised network Christos Gioran (Dec 30)
- RE: compromised network JM (Dec 30)
- Re: compromised network DT - Paulo Santos (Dec 30)
- <Possible follow-ups>
- RE: compromised network Francisco Mário Ferreira Custódio (Dec 29)
- Re: compromised network Meritt James (Dec 29)
(Thread continues...)
- RE: compromised network Raoul Armfield (Dec 29)
