RE: Overwhelmed........

From: Oliver Eckel (oliver-eckelat_private)
Date: Fri Jun 22 2001 - 12:12:09 PDT


    -----Original Message-----
    From: Oliver Eckel [mailto:oliver-eckelat_private] 
    Sent: Friday, June 22, 2001 7:11 PM
    To: 'Mark Andrich'
    Subject: RE: Overwhelmed........
    
    
    It can also be that someone is using your proxy to cover his tracks. If
    you look at tools like unisploit, then you'll see that it has settings
    for a proxy. It depends on how well your proxy is configured.
    
    Oliver Eckel
    CSO
    Trustafrica.com
    
    -----Original Message-----
    From: Mark Andrich [mailto:MAndrichat_private] 
    Sent: Wednesday, June 20, 2001 9:49 PM
    To: 'incidentsat_private'
    Subject: Overwhelmed........
    
    
    I just installed Snort on my IIS/Proxy server on Monday. On Tuesday I
    logged 255 alerts for the unicode exploit. A check of the log file
    revealed that our server was attacking another server out on the
    internet. I've done the following:
    
    1. Blocked the packets at the router.
    2. Emailed the other server's admin to let him know what was going on.
       (Haven't heard back)
    3. Saved a copy of the Snort alert log (unfortunately, I didn't have
       TCPDump logging enabled)
    4. Combed through my IIS logs and found recent repeated attempts to
       request sample, ftp, cgi, and other commonly exploited files (the logs
       only recorded the local machine name and not the intruder's IP)
    5. Combed the Event logs and found one or two questionable logins to
       remote email.
    6. Got a disk failure notice, ran chkdsk, and found orphaned files and
       unknown allocated space. All deleted/fixed by the chkdsk program
       (goodbye forensics)
    
    There have not been any unicode attempts since yesterday. From what I've
    read I'm guessing that my machine was compromised and that the attacker
    put some scripts on my machine to run these attacks. I'm also guessing
    that the next thing to do, is to wipe the machine clean and re-install
    everything. The only problem being having to restore the inetpub
    directory which may or may not have been tampered with. So it's:
    
    1. Reinstall from the ground up ensuring that all possible steps are
    taken in terms of hardening the OS, following the available security
    checklists and applying all necessary patches.
    
    2. After that's complete, change all passwords including system
    accounts.
    
    3. Continue in my efforts to get a NetBSD box set up between the router
    and our Microsoft products.
    
    
    Is there anything else anyone might suggest or any other options I
    haven't explored? Am I thinking correctly? Anything else to look for?
    
    Thanks,
    
    Mark
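
As an added illustration (not part of either poster's message), a small defensive pass over IIS W3C extended log lines covering the two things this thread discusses: the unicode traversal requests that Snort alerted on, and requests that show the box relaying for someone else, as Oliver's reply suggests. The log lines are constructed; the field names follow the IIS W3C format, and the tag names and probed-directory list are this example's own choices.

```python
import re
from urllib.parse import unquote
# Constructed sample IIS W3C extended log lines (not from the thread);
# the "#Fields:" header names the columns, as IIS writes it.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-06-19 03:14:07 10.0.0.5 GET /default.htm - 200
2001-06-19 03:15:22 - GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-06-19 03:15:31 - GET /msadc/..%c1%1c..%c1%1c..%c1%1c/winnt/system32/cmd.exe /c+dir 404
2001-06-19 03:16:02 - GET /samples/search/queryhit.htm - 404
2001-06-19 03:17:45 203.0.113.9 GET http://www.example.net/scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-06-19 03:18:10 203.0.113.9 CONNECT www.example.org:25 - 200
"""
# Overlong UTF-8 lead bytes (%c0.., %c1..) mark the IIS "unicode" traversal;
# a decoded ".." also catches the plain and double-encoded (%25) forms.
OVERLONG = re.compile(r"%c[01]%", re.I)
# Directories Mark saw probed (sample, cgi) plus other commonly hit ones.
PROBED_DIRS = ("/scripts", "/msadc", "/samples", "/cgi-bin", "/_vti_bin")

def parse_iis_w3c(text):
    """Parse W3C extended format; the '#Fields:' line defines the columns."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            records.append(dict(zip(fields, line.split())))
    return records

def classify(rec):
    """Return a list of defensive tags for one parsed log record."""
    tags = []
    stem = rec["cs-uri-stem"]
    decoded = unquote(unquote(stem))  # two passes: also undo %25xx encoding
    if OVERLONG.search(stem) or ".." in decoded:
        tags.append("unicode-traversal")
    if decoded.lower().startswith(PROBED_DIRS):
        tags.append("probe")
    # CONNECT or an absolute URI means the box fetched on someone else's
    # behalf: the open-proxy scenario Oliver raises in his reply.
    if rec["cs-method"] == "CONNECT" or re.match(r"https?://", stem, re.I):
        tags.append("proxy-relay")
    if tags and rec["c-ip"] == "-":
        tags.append("no-client-ip")  # Mark's gap: client address not logged
    return tags

def suspicious(text):
    """(record number, tags) for every record that gets at least one tag."""
    tagged = ((n, classify(r)) for n, r in enumerate(parse_iis_w3c(text), 1))
    return [(n, t) for n, t in tagged if t]
```

Records tagged `no-client-ip` are exactly the ones where the log cannot tell you who sent the request, which is why enabling the c-ip field (and packet capture) before the next incident matters as much as the cleanup itself.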
    



    This archive was generated by hypermail 2b30 : Sun Jun 24 2001 - 20:00:25 PDT