RE: Overwhelmed........

From: John R. Morris (jrmorrisat_private)
Date: Thu Jun 21 2001 - 16:49:40 PDT


    Except make that an "OpenBSD Box" :>. We did this when we had to have an IIS
    web server, but needed real security.
    OpenBSD Box configured as a firewall/router with SSH port forwarding. Good
    books on this subject:
    O'Reilly's SSH: The Secure Shell, and Building Linux and OpenBSD Firewalls.
    
    Also might want to look into ACL on the router...
    
    Sincerely,
    
    John R. Morris
    
    
    -----Original Message-----
    From: Mark Andrich [mailto:MAndrichat_private]
    Sent: Wednesday, June 20, 2001 2:49 PM
    To: 'incidentsat_private'
    Subject: Overwhelmed........
    
    
    I just installed Snort on my IIS/Proxy server on Monday. On Tuesday I logged
    255 alerts for the Unicode exploit. A check of the log file revealed that
    our server was attacking another server out on the internet. I've done the
    following:
    
    1. Blocked the packets at the router.
    2. emailed the other server's admin to let him know what was going on.
    (Haven't heard back)
    3. Saved a copy of the Snort alert log (unfortunately, I didn't have TCPDump
    logging enabled)
    4. Combed through my IIS logs and found recent repeated attempts to request
    sample, ftp, cgi, and other commonly exploited files (the logs only recorded
    the local machine name and not the intruder's IP)
    5. Combed the Event logs and found one or two questionable logins to remote
    email.
    6. Got a disk failure notice, ran chkdsk, and found orphaned files and
    unknown allocated space. All deleted/fixed by the chkdsk program (goodbye
    forensics)
    
    There have not been any Unicode attempts since yesterday. From what I've
    read I'm guessing that my machine was compromised and that the attacker put
    some scripts on my machine to run these attacks. I'm also guessing that the
    next thing to do, is to wipe the machine clean and re-install everything.
    The only problem being having to restore the inetpub directory which may or
    may not have been tampered with. So it's:
    
    1. Reinstall from the ground up ensuring that all possible steps are taken
    in terms of hardening the OS, following the available security checklists
    and applying all necessary patches.
    
    2. After that's complete, change all passwords including system accounts.
    
    3. Continue in my efforts to get a NetBSD box set up between the router and
    our Microsoft products.
    
    
    Is there anything else anyone might suggest or any other options I haven't
    explored? Am I thinking correctly? Anything else to look for?
    
    Thanks,
    
    Mark
    
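The original poster combed his IIS logs by hand for the Unicode traversal requests Snort was alerting on, and found that the logs carried the local machine name but not the client address. The following is an added example, not code from either message in this thread: a small detector that reads IIS W3C Extended log lines, decodes the overlong UTF-8 escapes the IIS Unicode bug relied on (%c0%af for "/", %c1%9c or %c1%1c for "\"), and flags any request whose decoded path climbs out of the web root. The sample log is constructed for illustration; the `lenient_utf8` routine is an approximation of the permissive decoding unpatched IIS performed, not the server's actual code; and the second decoding pass, which also catches double-encoded variants such as %255c, goes slightly beyond what the post describes. The `c-ip` column is the field the poster's logs were missing; the script reports it when present and says so when it is not.

```python
"""Flag IIS Unicode / directory-traversal requests in a W3C Extended log.

Added example for this thread; not code from the original posts.
The sample log lines below are constructed, not taken from the poster's server.
"""
import re
from collections import Counter

# Constructed sample in IIS W3C Extended format. The "#Fields:" line makes the
# columns self-describing; c-ip is the client address, which the original
# poster's logs were configured without.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-06-19 10:01:02 192.0.2.10 GET /default.htm - 200
2001-06-19 10:01:05 198.51.100.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-06-19 10:01:06 198.51.100.7 GET /msadc/..%c1%1c../winnt/system32/cmd.exe /c+dir 404
2001-06-19 10:01:09 198.51.100.7 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-06-19 10:02:00 192.0.2.10 GET /iisadmpwd/aexp2.htr - 404
"""

_PCT = re.compile(rb"%([0-9A-Fa-f]{2})")


def percent_decode(s: str) -> bytes:
    """Decode %XX escapes to raw bytes without interpreting them as UTF-8."""
    return _PCT.sub(lambda m: bytes([int(m.group(1), 16)]), s.encode("latin-1"))


def lenient_utf8(raw: bytes) -> str:
    """Approximate the over-permissive decoder of unpatched IIS (assumption).

    A two-byte lead of 0xC0/0xC1 is an overlong encoding of a 7-bit ASCII
    character. Strict UTF-8 rejects it, but IIS accepted it, so %c0%af became
    '/' and %c1%9c (or the non-continuation variant %c1%1c) became '\\'.
    Every other byte is passed through unchanged.
    """
    out = []
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw):
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def canonical_path(uri_stem: str) -> str:
    """Decode escapes, decode once more for double-encoded variants such as
    %255c -> %5c -> '\\', then normalise separators to '/'."""
    decoded = lenient_utf8(percent_decode(uri_stem))
    decoded = lenient_utf8(percent_decode(decoded))
    return decoded.replace("\\", "/")


def parse_w3c(text: str):
    """Yield one dict per request line, keyed by the names in '#Fields:'."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log line before #Fields header")
        yield dict(zip(fields, line.split()))


def find_traversal(text: str):
    """Return one finding per request whose decoded path escapes the web root."""
    findings = []
    for rec in parse_w3c(text):
        path = canonical_path(rec.get("cs-uri-stem", ""))
        if "/../" not in path:
            continue
        findings.append({
            "client": rec.get("c-ip", "<c-ip not logged>"),
            "raw": rec["cs-uri-stem"],
            "decoded": path,
            "status": rec.get("sc-status"),
            "cmd_exe": "cmd.exe" in path.lower(),
        })
    return findings


def attackers(findings):
    """Count traversal attempts per client address."""
    return Counter(f["client"] for f in findings)


if __name__ == "__main__":
    hits = find_traversal(SAMPLE_LOG)
    for h in hits:
        print(f"{h['client']:15} {h['status']} {h['raw']}  ->  {h['decoded']}")
    print("per-source counts:", dict(attackers(hits)))
```

A 200 status on a decoded path ending in cmd.exe is the line worth worrying about; a 404 on the same path is the attacker probing a virtual directory that does not exist. Without the `c-ip` field the script can only tell you that it happened, not who did it, which is exactly the gap the poster ran into.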



    This archive was generated by hypermail 2b30 : Fri Jun 22 2001 - 18:08:11 PDT