Re: Am I hacked?

From: Allan Sabiski (allansNOSPAMPLEASE_at_ics-limited.com)
Date: 08/27/04 

Date: Fri, 27 Aug 2004 10:30:03 -0400

I hate to be the bearer of bad tidings, but depending on your security, your
entire network may be suspect at this point. You may want to look a bit at
your client computers also.

Allan
"John" <john@nospam.infovis.co.uk> wrote in message
news:u$Q%236y9iEHA.2436@TK2MSFTNGP09.phx.gbl...
> I need to run this server for one more day. There is only one server in
the
> network and the organisation has to get by on the Friday. Any tasks that
> look suspicious?
>
> Thanks
>
> Regards
>
>
> "Marina Roos [SBS-MVP]" <marina@roos.nodontwantspam.nl.com> wrote in
message
> news:etxc8k9iEHA.3016@tk2msftngp13.phx.gbl...
> > John,
> >
> > Disconnect that server from the internet NOW!
> >
> > --
> > Regards,
> >
> > Marina
> > Microsoft SBS-MVP
> >
> > "John" <john@nospam.infovis.co.uk> schreef in bericht
> > news:eckhch9iEHA.356@tk2msftngp13.phx.gbl...
> > > Here is the list of tasks running on the server;
> > > http://www.infovis.biz/bad%20task.jpg. While I am preparing to flatten
> the
> > > server, anything I can/should get rid of?
> > >
> > > Thanks
> > >
> > > Regards
> > >
> > >
> > > "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]"
<sbradcpa@pacbell.net>
> > > wrote in message news:uuziaq8iEHA.3564@TK2MSFTNGP10.phx.gbl...
> > > > You could have a Rootkit installed.
> > > >
> > > > You can't assure yourself that all has been cleaned off
> > > >
> > > > Help: I Got Hacked. Now What Do I Do? - Microsoft TechNet: Security
> > > > Management Column:
> > > >
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx
> > > >
> > > > So, you didn't patch the system and it got hacked. What to do? Well,
> > > > let's see:
> > > >
> > > > . You can't clean a compromised system by patching it. Patching only
> > > > removes the vulnerability. Upon getting into your system, the
attacker
> > > > probably ensured that there were several other ways to get back in.
> > > >
> > > > . You can't clean a compromised system by removing the back doors.
You
> > > > can never guarantee that you found all the back doors the attacker
put
> > > > in. The fact that you can't find any more may only mean you don't
know
> > > > where to look, or that the system is so compromised that what you
are
> > > > seeing is not actually what is there.
> > > >
> > > > . You can't clean a compromised system by using some "vulnerability
> > > > remover." Let's say you had a system hit by Blaster. A number of
> vendors
> > > > (including Microsoft) published vulnerability removers for Blaster.
> Can
> > > > you trust a system that had Blaster after the tool is run? I
wouldn't.
> > > > If the system was vulnerable to Blaster, it was also vulnerable to a
> > > > number of other attacks. Can you guarantee that none of those have
> been
> > > > run against it? I didn't think so.
> > > >
> > > > . You can't clean a compromised system by using a virus scanner. To
> tell
> > > > you the truth, a fully compromised system can't be trusted. Even
virus
> > > > scanners must at some level rely on the system to not lie to them.
If
> > > > they ask whether a particular file is present, the attacker may
simply
> > > > have a tool in place that lies about it. Note that if you can
> guarantee
> > > > that the only thing that compromised the system was a particular
virus
> > > > or worm and you know that this virus has no back doors associated
with
> > > > it, and the vulnerability used by the virus was not available
> remotely,
> > > > then a virus scanner can be used to clean the system. For example,
the
> > > > vast majority of e-mail worms rely on a user opening an attachment.
In
> > > > this particular case, it is possible that the only infection on the
> > > > system is the one that came from the attachment containing the worm.
> > > > However, if the vulnerability used by the worm was available
remotely
> > > > without user action, then you can't guarantee that the worm was the
> only
> > > > thing that used that vulnerability. It is entirely possible that
> > > > something else used the same vulnerability. In this case, you can't
> just
> > > > patch the system.
> > > >
> > > > . You can't clean a compromised system by reinstalling the operating
> > > > system over the existing installation. Again, the attacker may very
> well
> > > > have tools in place that tell the installer lies. If that happens,
the
> > > > installer may not actually remove the compromised files. In
addition,
> > > > the attacker may also have put back doors in non-operating system
> > > > components.
> > > >
> > > > . You can't trust any data copied from a compromised system. Once an
> > > > attacker gets into a system, all the data on it may be modified. In
> the
> > > > best-case scenario, copying data off a compromised system and
putting
> it
> > > > on a clean system will give you potentially untrustworthy data. In
the
> > > > worst-case scenario, you may actually have copied a back door hidden
> in
> > > > the data.
> > > >
> > > > . You can't trust the event logs on a compromised system. Upon
gaining
> > > > full access to a system, it is simple for an attacker to modify the
> > > > event logs on that system to cover any tracks. If you rely on the
> event
> > > > logs to tell you what has been done to your system, you may just be
> > > > reading what the attacker wants you to read.
> > > >
> > > > . You may not be able to trust your latest backup. How can you tell
> when
> > > > the original attack took place? The event logs cannot be trusted to
> tell
> > > > you. Without that knowledge, your latest backup is useless. It may
be
> a
> > > > backup that includes all the back doors currently on the system.
> > > >
> > > > . The only way to clean a compromised system is to flatten and
> rebuild.
> > > > That's right. If you have a system that has been completely
> compromised,
> > > > the only thing you can do is to flatten the system (reformat the
> system
> > > > disk) and rebuild it from scratch (reinstall Windows and your
> > > > applications). Alternatively, you could of course work on your
resume
> > > > instead, but I don't want to see you doing that.
> > > >
> > > >
> > > > This list makes patching look not so bad, yes? We may hate patches,
> but
> > > > the alternative is decidedly worse.
> > > >
> > > > The topic for the next article is still up to debate. If you have
> ideas,
> > > > comments or feedback of any kind, as always you may click the
"Contact
> > > > Us" link below and tell me.
> > > >
> > > >
> > > >
> > > > Marina Roos [SBS-MVP] wrote:
> > > > > Hi John,
> > > > >
> > > > > Forget it. Your data can't be trusted anyway. You first of all
close
> > > that
> > > > > ftp server and close port 20 and 21 inbound right now! You should
> have
> > > done
> > > > > that already.
> > > > > You won't be able to find out what has been installed. Start from
> > > scratch,
> > > > > you can't trust that box anymore.
> > > > >
> > > >
> > > > --
> > > > http://www.sbslinks.com/really.htm
> > > >
> > >
> > >
> >
> >
>
>