lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: purdy at tecman.com (Curt Purdy)
Subject: [inbox] Reacting to a server compromise

Although the answer may be more in coming from an attorney than from a tech,
IMHO your legal responsibility is to inform both owner of the box as well as
victims.  As long as you show "best effort" in reporting you should be
allright.  But, particularly with medical victims that must conform to
HIPAA, there could be serious ramifications if you don't.

Keep in mind that it is trivial to find out it was that box, if
investigators from the victims/compromised patients decide to run it down.
That is why the cracker used that box to start with, so he couldn't be
tracked.  That box will be your best evidence for defense (hoping you had
enough sense not to reformat it.)

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions
cpurdy@...ol.com
936.637.7977 ext. 121

----------------------------------------

If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke



-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of Mark
Sent: Friday, August 01, 2003 10:39 PM
To: full-disclosure@...ts.netsys.com
Subject: [inbox] [Full-Disclosure] Reacting to a server compromise


Hello list,

      In light of the current state of the internet with the DCOM vuln, I
would like to ask for some advice on a situation I had at work.

A little while ago(but before the DCOM vuln was released) I had a Win2k
box hacked.  The box was outside our firewall, running minimal
services(ftp/www/smtp - gateway only) and was set to download/install
everything it could via Auto-updates.  Apparently I didn't reboot it
often enough for all of the updates to take effect.

Personally I really don't care how the hacker got in, as the box has now
been replaced with a hardened Linux server, and when the attacker had
control, they were still outside our firewall.  The attacker created a
user account with admin privs, installed a trojan, disabled all network
access to any users except this new account, and proceeded to hack other
vulnerable NT machines out on the net.  I found a list of about 100 IPs
with usernames and passwords that were either blank or the same as the
username.

My question is: Do I report this, and run the risk of the Feds charging
me because these attacks originated from my subnet?  Do I inform the
owners of the machines that were hacked that their systems have been
compromised? Judging from the usernames, some of these machines belonged
to doctors offices, and may contain sensitive information.  Or should I
just have a nice cup of STFU, and pretend nothing happened?

Before the flames start about how I'm such a lazy admin, I'd like you to
know that I'm a developer full-time for a small company with a small
budget and I manage the network with my "free" time.  Yes it was stupid
to stick a windows box out on the net without a firewall.  I tell people
all the time the same thing, maybe I'm just a sadist that likes watching
M$ boxes get hacked, I don't know.  But in that instance I really didn't
care.

I'd appreciate any comments anyone has....

Thanks,
Mark


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ