RE: Overwhelmed........

From: John R. Morris (jrmorrisat_private)
Date: Thu Jun 21 2001 - 16:49:40 PDT

Next message: Galitz: "A Paper on Rootkits"

Previous message: SmartHackers: "Probe for index server .ida"
In reply to: Mark Andrich: "Overwhelmed........"
Next in thread: Oliver Eckel: "RE: Overwhelmed........"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Except make that an "OpenBSD Box" :>. We did this when we had to have a IIS
web server, but needed real security.
OpenBSD Box configured as a firewall/router with SSH port forwarding. Good
books on this subject :
O'Reilly's SSH : The Secure Shell, and Building Linux and OpenBSD Firewalls.

Also might want to look into ACL on the router...

Sincerely,

John R. Morris


-----Original Message-----
From: Mark Andrich [mailto:MAndrichat_private]
Sent: Wednesday, June 20, 2001 2:49 PM
To: 'incidentsat_private'
Subject: Overwhelmed........


I just installed Snort on my IIS/Proxy server on Monday. On Tuesday I logged
255 alerts for the unicode exploit. A check of the log file revealed that
our server was attacking another server out on the internet. I've done the
following:

1. Blocked the packets at the router.
2. emailed the other server's admin to let him know what was going on.
(Haven't heard back)
3. Saved a copy of the Snort alert log (unfortunately, I didn't have TCPDump
logging enabled)
4. Combed through my IIS logs and found recent repeated attempts to request
sample, ftp, cgi, and other commonly exploited files (the logs only recorded
the local machine name and not the intruder's IP)
5. Combed the Event logs and found one or two questionable logins to remote
email.
6. Got a disk failure notice, ran chkdsk, and found orphaned files and
unknown allocated space. All deleted/fixed by the chkdsk program (goodbye
forsenics)

There have not been any unicode attempts since yesterday. From what I've
read I'm guessing that my machine was compromised and that the attacker put
some scripts on my machine to run these attacks. I'm also guessing that the
next thing to do, is to wipe the machine clean and re-install everything.
The only problem being having to restore the inetpub directory which may or
may not have been tampered with. So it's:

1. Reinstall from the ground up ensuring that all possible steps are taken
in terms of hardening the OS, following the available security checklists
and applying all necessary patches.

2. After that's complete, change all passwords including system accounts.

3. Continue in my efforts to get a NetBSD box set up between the router and
our Microsoft products.


Is there anything else anyone might suggest or any other options I haven't
explored? Am I thinking correctly? Anything else to look for?

Thanks,

Mark

Next message: Galitz: "A Paper on Rootkits"
Previous message: SmartHackers: "Probe for index server .ida"
In reply to: Mark Andrich: "Overwhelmed........"
Next in thread: Oliver Eckel: "RE: Overwhelmed........"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Jun 22 2001 - 18:08:11 PDT