
Full Disclosure mailing list archives
Re: Reacting to a server compromise
From: Mark <marklist () comcast net>
Date: Sat, 02 Aug 2003 22:00:06 -0600
Jason Coombs wrote:
> Aloha, Give the details to somebody in the tech media, or a colleague who you think is trustworthy. Let them notify others who the alleged hacker penetrated. We all know there was no hacker, you're just trying to make amends for the damage you've done to other people's computer systems and repent, putting an end to your malicious hacking career. ;-) I'd be happy to accept your report and put in the time to notify everyone affected. Or, just send the details to full-disclosure from an anonymous e-mail account like fulldisclosure () catholic org
I appreciate all of the advice I've received so far, and from what it seems, I'm in quite a sticky situation. I'm not 100% positive that the "cracker" compromised any systems from this box. There is a txt file of about 100 IPs with admin usernames/passes which I don't think would be a good idea to post to a public list, especially a script-kiddie haven like FD. I also know that the attacker performed a UDP flood on some poor sap. Unfortunately for the attacker, we noticed this right away when the T1 router went berserk. I traced it back to that machine, not by sniffing, but through switch activity lights, so I don't know who that victim was. I thought it was a faulty NIC, or a driver gone haywire, so I rebooted the box. That's when I noticed that mIRC.exe was listening for remote commands, and a new admin account.
Judging from the date of the trojan files, they only had control for 2-3 days, and I promptly installed zonealarm, a temporary fix until I could get the server replaced.
Anyway, the machine now sits happily in a corner, unplugged from the world, with the HD just how I left it. Everything I deleted from the machine, aside from the cracker's admin account, was copied off to a secure place. Hopefully that will be enough if I get any inquiries. I will start with a report to CERT, and see where that goes.
Thanks again for all the help.

Mark

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
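Mark's message describes copying the attacker's files off the box "to a secure place" in case anyone later asks about the incident. Whether that copy is worth anything to an investigator depends on being able to show it has not changed since it was taken. The script below is an added example, not code from Mark or from the list: it builds a SHA-256 manifest of a preserved evidence directory (path, size, original modification time, hash) and later re-verifies the directory against that manifest, reporting files that went missing, were modified, or appeared afterwards. The directory layout and file names used in the demo are constructed placeholders; the manifest is meant to be stored outside the evidence directory itself.

```python
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large copied artifacts do not need to fit in memory


def sha256_file(path):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """List every regular file under root with its size, mtime and hash.

    The mtime is recorded because the timestamps on the copied files are
    the only dating evidence Mark mentions having ("the date of the trojan files").
    """
    root = Path(root)
    entries = []
    for p in sorted(root.rglob("*")):  # sorted so the manifest is deterministic
        if p.is_file():
            st = p.stat()
            entries.append({
                "path": p.relative_to(root).as_posix(),
                "size": st.st_size,
                "mtime": st.st_mtime,
                "sha256": sha256_file(p),
            })
    return entries


def write_manifest(root, out_path):
    """Build the manifest for root and save it as JSON at out_path (keep out_path outside root)."""
    entries = build_manifest(root)
    with open(out_path, "w") as f:
        json.dump(entries, f, indent=2)
    return entries


def verify_manifest(root, manifest_path):
    """Re-check root against a saved manifest.

    Returns a list of (problem, relative_path) tuples; an empty list means the
    evidence directory still matches what was recorded.
    """
    root = Path(root)
    with open(manifest_path) as f:
        expected = json.load(f)
    problems = []
    seen = set()
    for e in expected:
        seen.add(e["path"])
        p = root / e["path"]
        if not p.is_file():
            problems.append(("missing", e["path"]))
        elif sha256_file(p) != e["sha256"]:
            problems.append(("modified", e["path"]))
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            if rel not in seen:
                problems.append(("unexpected", rel))
    return problems


def demo():
    """Constructed walk-through: preserve two placeholder artifacts, then detect later changes."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp) / "evidence"
        (evidence / "Program Files" / "mirc").mkdir(parents=True)
        # Placeholder contents standing in for the copied-off files; not real data.
        (evidence / "Program Files" / "mirc" / "mirc.ini").write_bytes(b"[constructed sample]\n")
        (evidence / "recovered_list.txt").write_bytes(b"constructed placeholder, not real data\n")
        manifest = Path(tmp) / "manifest.json"  # stored beside, not inside, the evidence tree
        write_manifest(evidence, manifest)
        before = verify_manifest(evidence, manifest)
        # Simulate an accidental edit and a stray file added after preservation.
        (evidence / "recovered_list.txt").write_bytes(b"changed\n")
        (evidence / "notes.txt").write_bytes(b"added later\n")
        after = verify_manifest(evidence, manifest)
        return before, after


if __name__ == "__main__":
    print(demo())
```

Running the manifest step as soon as the copy is made, and keeping the manifest (and ideally a printed copy of its hashes) somewhere the copied files cannot reach, is what turns "I copied it off" into something that can be re-checked months later when an inquiry arrives.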