Not to rub salt in the wound, but there is another aspect of this intrusion that needs to be addressed (I see it missed constantly).

When the server in question was compromised, what else on the network was compromised??? If you believe your passwords and accounts could have been compromised (and probably were), what other systems did they then move on to? Don't think curiosity stops at the first target. Think virus/trojan/backdoors on PCs, think router/switch/firewall access possibly compromised (or worse, modified and your access lost).

If you keep ANY passwords on the network (where are your IMail passwords?????), store any auto-complete info on your systems (especially the server in question), or do not have the screws locked down from within your network, assume the problem could be network wide.

I know this sounds paranoid, but I have seen too many times after something like this: a quick fix, a short period of active monitoring... then a few weeks later BOOM. Back it comes with no understanding how. That is usually a very bad day (worse than the first, because now you have to do it all over again and more).

Things I like to do are: fix/rebuild what I can. Scan EVERYTHING for possible viruses, backdoors or odd network traffic. Turn on heavy logging on anything that has the ability. Change the passwords on EVERYTHING! Remove all remote access for as long as possible (this includes wireless). Monitor for any odd behavior (keep a good eye) for a long while.

Then I set up the firewall as tight as I can get away with. I alert on anything non-standard (IRC, TFTP, PROXY, etc.), especially anything other than HTTP from the workstations, and allow only the minimum necessary from the server/s. Don't even allow outbound web from the server.......

I would also monitor Internet search sites that might have your IP or domain information posted, to let you know more about what happened to you or if it is still active.

I have had clients go so far as to change their IP address range with their ISP. This doesn't work so well, since mail/web/dns all point back to your IP.

It's a bad thing to be hacked. Sometimes it is a simple web defacement (script kiddies and no real compromise of sensitive data), sometimes it is a full-out compromise.

BTW, many web defacements (on fully patched Windows servers with IIS Lockdown and URLScan) I have found to be a result of FrontPage Extensions exploits. These are not patched as easily as going to Windows Update and doing an auto-update. Many apps (SQL, IIS, etc.) require extra measures to patch.

I have found the best defense on some of these attacks is a firewall that can do IDS/IDP. At least then you can probably determine the exploit used to cause the issue (both when it came in, and whatever goes out) and possibly stop it at the border.

Good luck.
Stan
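The egress policy Stan describes (HTTP only from workstations, a fixed allow-list from servers, alerts on IRC/TFTP/proxy) run over a few firewall log lines, as an added example that is not from the thread; the log format, the workstation subnet and the per-server allow-list are assumptions.

```python
# Added example (not from the thread): Stan's egress policy applied to
# constructed firewall log lines. The log format, the workstation subnet
# and the per-server allow-list below are all assumptions.
import ipaddress
import re
from collections import namedtuple
Event = namedtuple("Event", "src sport dst dport proto")
# Constructed sample log: one outbound connection attempt per line.
SAMPLE_LOG = """\
2005-01-04 15:40:01 192.168.1.20:1045 -> 203.0.113.1:80 TCP
2005-01-04 15:40:07 192.168.1.20:1046 -> 198.51.100.7:6667 TCP
2005-01-04 15:40:12 192.168.1.21:1070 -> 198.51.100.9:69 UDP
2005-01-04 15:40:20 192.168.1.10:1100 -> 203.0.113.5:25 TCP
2005-01-04 15:40:25 192.168.1.10:1101 -> 203.0.113.6:80 TCP
2005-01-04 15:40:30 192.168.1.22:1080 -> 198.51.100.10:3128 TCP
"""
WORKSTATIONS = ipaddress.ip_network("192.168.1.16/28")  # .16-.31 (assumed)
WORKSTATION_EGRESS = {80, 443}               # HTTP(S) only from workstations
SERVER_EGRESS = {"192.168.1.10": {25, 53}}   # mail server: SMTP and DNS only
# Services Stan calls out as non-standard, named so alerts read clearly.
SUSPICIOUS_PORTS = {6667: "IRC", 69: "TFTP", 3128: "PROXY", 8080: "PROXY"}
LINE_RE = re.compile(r"^\S+ \S+ (\S+):(\d+) -> (\S+):(\d+) (\w+)$")

def parse(log):
    """Turn log text into Event tuples; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            src, sport, dst, dport, proto = m.groups()
            events.append(Event(src, int(sport), dst, int(dport), proto))
    return events

def alerts(events):
    """Return (src, dport, reason) for every connection outside policy."""
    found = []
    for ev in events:
        reason = None
        if ev.dport in SUSPICIOUS_PORTS:
            reason = SUSPICIOUS_PORTS[ev.dport]
        elif ev.src in SERVER_EGRESS:
            if ev.dport not in SERVER_EGRESS[ev.src]:
                reason = "server egress not in allow-list"
        elif ipaddress.ip_address(ev.src) in WORKSTATIONS:
            if ev.dport not in WORKSTATION_EGRESS:
                reason = "workstation non-HTTP egress"
        if reason:
            found.append((ev.src, ev.dport, reason))
    return found
```

Only the last alert depends on the allow-list; the others would fire on any host because the suspicious-port check runs first.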
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Tuesday, January 04, 2005 3:40 PM
To: IMail_Forum@list.ipswitch.com
Subject: Re: [IMail Forum] hacked by tugr@

John,

There are thirty pages of sites, and the list is of course not exclusive to you. Your server was hacked, and now everything on it needs to be reviewed. This isn't going to be a case of patching a single piece of software and assuming that everything is secure. The hole that was exploited was only the initial point of entry, and these guys typically break down security in steps to eventually gain administrative access.

I once ran L0phtCrack on my password hash and it found about 2/3 of the passwords on my server within a matter of a few minutes. It would have found 95% within a day, and everything within a week to a month using a 1.7 GHz computer. Alphanumeric toggled case passwords are not enough. Since your server was exploited, I would consider every password on your server to be insecure, so even if you patched every last thing and took out all of the offending code, they might be able to just simply log in through the front door.

I'm guessing that the defacement is repopulating itself by way of a startup script, probably located in your registry or autoexec.bat, but it could be elsewhere as well. Again, that's likely only the tip of the iceberg, so patch everything and employ better security.

Matt

john cesta wrote:

Yea, Matt, those are our sites at zone-h.org. They don't have any info on the hack, just who has it.

Thanks
John

On Tue, 04 Jan 2005 14:51:59 -0500, Matt wrote:

http://www.zone-h.org/en/defacements/filter/filter_defacer=tugr@/

Clean your computer carefully and close the holes (patch everything and change all passwords). You should consider using Microsoft's URLScan to prevent many IIS exploits, move all Internet accessible data off of the C partition, and block access to nonessential ports with a router. That combined with regular patching will prevent guys like this from hacking your site since they will find easier prey elsewhere and all they are looking for is an opportunity for defacement and not necessarily to deface you.

Matt

john cesta wrote:

Has anyone heard of this one? What they do is to copy:

index.php .cfm .htm .html .asp
default.php .cfm .htm .html .asp

to the root folder of every web site. I can't find much on it on the web. I thought I had figured it to be an old Serv-U FTP server hack so I upgraded about 3 weeks ago but today upon reboot it happened again. I have a fully patched win2k server.

Thanks

To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/

--
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
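The mass-copied index/default files John describes, turned into a check a defender can run over the web roots after the cleanup: it hashes every index.*/default.* in each site root and reports any content that appears under more than one site. This is an added example, not code from the thread; the per-site directory layout and the sample pages are constructed.

```python
# Added example (not from the thread): flag a page that has been copied into
# the root of every web site, as John describes. Every index.*/default.* file
# in each site root is hashed and any content found under more than one site
# is reported. The per-site directory layout and sample pages are assumptions.
import hashlib
import os
import tempfile
from collections import defaultdict

DEFACEMENT_NAMES = {stem + ext for stem in ("index", "default")
                    for ext in (".php", ".cfm", ".htm", ".html", ".asp")}

def sha256_of(path):
    """Hash a file in chunks so large pages do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_mass_copied(sites_root):
    """Return {digest: [paths]} for page contents present in 2+ site roots."""
    seen = defaultdict(list)
    for site in sorted(os.listdir(sites_root)):
        site_dir = os.path.join(sites_root, site)
        if not os.path.isdir(site_dir):
            continue
        for name in sorted(os.listdir(site_dir)):
            if name.lower() in DEFACEMENT_NAMES:
                path = os.path.join(site_dir, name)
                seen[sha256_of(path)].append(path)
    return {d: p for d, p in seen.items()
            if len({os.path.dirname(x) for x in p}) > 1}

def build_sample_tree():
    """Constructed sample: three sites, the same fake page dropped in two."""
    root = tempfile.mkdtemp()
    pages = {
        "siteA": {"default.htm": b"<h1>Site A</h1>", "index.html": b"DEFACED"},
        "siteB": {"index.asp": b"DEFACED", "index.php": b"<?php echo 'B'; ?>"},
        "siteC": {"index.htm": b"<h1>Site C</h1>"},
    }
    for site, files in pages.items():
        os.makedirs(os.path.join(root, site))
        for name, body in files.items():
            with open(os.path.join(root, site, name), "wb") as f:
                f.write(body)
    return root
```

Point find_mass_copied() at the directory that holds the site roots (for example the parent of the IIS wwwroot folders); on a clean host it returns an empty dict.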