Security Basics mailing list archives

RE: security advice


From: "Murda" <murdamcloud () bigpond com>
Date: Wed, 25 Aug 2010 10:20:50 +1000

Hey Edmund,
First and foremost I will commend your honesty. Unfortunately, the fear of
reprimand can often cloud this area so much that people begin lying to cover
themselves; which then means that resolutions are harder to achieve. This
candour is exactly what is needed when investigating and responding to an
incident. Also make sure you document everything you did and do (as much as
is reasonable).

I think you would still benefit from having an image of the machine
taken, even now. Is the server back in 'service' as before? You may even need
to check what other nodes it is connected to in order to widen the
investigation.

Maybe it was the firewall that let things in, maybe the attack was launched
from the inside (unwittingly or not). Lots of maybes at the moment. I hope
the email server was properly segregated from the rest of the network.

The fact is panic sets in and makes us do some weird things; it is normal.
Don't beat yourself up about that. Which is why having a plan in place
before these things happen really helps. Mistakes are great to learn
from, often more so than getting things 'right'.
(I'm an expert in how little I know and how numerous my mistakes sometimes
used to be. Ever tried pulling drives from a RAID without labeling their
order? Poured coffee on a backup tape? Left a laptop next to an open window
during a storm? Hit reset without saving a config?). I'm like the precedent
case that Murphy's Law usually refers to. The feeling of having my heart
sink like the Titanic is a great driver for improvement. In the Land of
Murphy, backup is often (not always) the magic lasrever spell. 

Maybe check out some books on incident response to give you some guidelines
for what to do next time (there's always a next time). I find that
apportioning blame is never quite as useful as assuming responsibility,
which you appear to have done.

Good luck.


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Edmund
Sent: Tuesday, August 24, 2010 7:17 PM
To: security-basics () securityfocus com
Subject: security advice

Hi,

Just yesterday, I found out that my company's e-mail server had been
compromised.  This fact, for some reason, didn't seem to be a 'big
deal' to others.  I'm still stunned; but, considering how lax I had
become, it shouldn't be surprising.  *sigh*

[story mode]
Basically, the incident started out with an innocuous "there is
something wrong with sending e-mail" from a co-worker.  I looked
at the e-mail server and everything seemed to be ok, so I decided
to check the firewall.  That's when I noticed it was running
very sluggishly.  "Uh oh."

I couldn't figure out which program was making it go slow.  I
thought it was the proxy, but it wasn't.  I rebooted the
firewall.  It was ok, up until a certain point and that's
when it slowed down.  I tcpdump'd one ethernet nic, and
noticed a huge amount of packets being sent to a remote
site from my e-mail server.  (Capital UH OH)

Checking out the |ps ax| I noticed a very suspicious
file "./s <ip#>".  Immediately I knew someone had
accessed the system.  I started to become a little
panicky.  I searched for the './s' file.  Then looking
up online, I found that I could go into the /proc
filesystem and find the pid and then the exe will
be shown.  Found the full path.  Looking at the
files within the folder "/var/tmp/.b", it was
confirmed.

I shouldn't have done what I did next.  I killed
the running program and deleted the folder.  :(
In hindsight, I should have killed the program
and zipped up the darn folder for analysis.
I'm still regretting that move.  *banging head
on table*

Cleaned up a few extra items and it seems normal.
I ran 'rkhunter' and filled out the necessary
warnings it found.

[story mode off]

I'm still very much reprimanding myself for being
so careless. This is one lesson that I gotta
have imprinted in my thick skull.

Anyway, given this lesson,  can someone offer
any methodologies/programs that I can use to
protect the company system?   I'm now going
through the firewall rules to find out what
holes the intruder might have entered through.

Thanks.

Ed
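Edmund's regret above (killing the process and deleting /var/tmp/.b instead of keeping it) and Murda's advice to image the machine and document everything both come down to the same rule: collect evidence before containment. The script below is an added example, not code from either poster. It assumes a Linux host with /proc, tar and sha256sum available, takes a PID as `ps ax` shows it, and copies what /proc exposes about that process (the real binary behind a misleading name like `./s`, its command line, environment, working directory and open descriptors) plus an archive of the working directory into an evidence directory, hashing everything collected. Only then is the process paused rather than killed, so its memory and connections stay available for analysis.

```shell
#!/bin/sh
# Evidence preservation before containment (added example, not from the thread).
# Assumes Linux /proc, tar, sha256sum and coreutils readlink.

# preserve_process PID OUTDIR
#   Collects /proc information about PID into OUTDIR (ideally on separate media).
preserve_process() {
    pid="$1"
    out="$2"
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
    mkdir -p "$out"

    # The path ps prints ("./s") is whatever the attacker named it; the exe link
    # resolves to the real file, and copying it works even if it was unlinked.
    readlink "/proc/$pid/exe" > "$out/exe_path.txt" 2>/dev/null || true
    cp "/proc/$pid/exe" "$out/exe.bin" 2>/dev/null || true

    # Command line and environment are NUL-separated in /proc; make them readable.
    tr '\0' ' ' < "/proc/$pid/cmdline" > "$out/cmdline.txt"
    tr '\0' '\n' < "/proc/$pid/environ" > "$out/environ.txt" 2>/dev/null || true

    # Working directory (e.g. /var/tmp/.b), open files and sockets, status fields.
    readlink "/proc/$pid/cwd" > "$out/cwd.txt" 2>/dev/null || true
    ls -l "/proc/$pid/fd" > "$out/fd.txt" 2>/dev/null || true
    cat "/proc/$pid/status" > "$out/status.txt"

    # Archive the working directory instead of deleting it.
    cwd=$(cat "$out/cwd.txt")
    if [ -n "$cwd" ] && [ -d "$cwd" ]; then
        tar -C "$(dirname "$cwd")" -cf "$out/workdir.tar" "$(basename "$cwd")" \
            2>/dev/null || true
    fi

    # Hash everything collected so later analysis can show it was not altered.
    ( cd "$out" && ls | grep -v '^SHA256SUMS$' | xargs sha256sum > SHA256SUMS ) \
        2>/dev/null || true

    # Keep a timeline of what the responder did, as Murda suggests.
    echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) collected pid $pid into $out" \
        >> "$out/collection_log.txt"
    return 0
}

# freeze_process PID
#   Pauses the process with SIGSTOP: it stops sending traffic but its memory,
#   sockets and /proc entries remain for a memory capture or disk image.
freeze_process() {
    kill -STOP "$1" && echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) SIGSTOP sent to $1"
}

# Stand-alone use: ./preserve.sh <pid> <evidence-dir>
if [ "$#" -ge 2 ]; then
    preserve_process "$1" "$2" && freeze_process "$1"
fi
```

The evidence directory should live on a separate filesystem or removable media so the collection does not overwrite free space on the compromised disk; a full image of the machine, as Murda recommends, still comes next, and the decision to resume or terminate the frozen process is made after that.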

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL
certificate.  We look at how SSL works, how it benefits your company and how
your customers can tell if a site is secure. You will find out how to test,
purchase, install and use a thawte Digital Certificate on your Apache web
server. Throughout, best practices for set-up are highlighted to help you
ensure efficient ongoing management of your encryption keys and digital
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
