lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
From: marklist at comcast.net (Mark)
Subject: Reacting to a server compromise


Jason Coombs wrote:
> Aloha,
> 
> Give the details to somebody in the tech media, or a colleague who you think
> is trustworthy.
> 
> Let them notify others who the alleged hacker penetrated.
> 
> We all know there was no hacker, you're just trying to make amends for the
> damage you've done to other people's computer systems and repent, putting an
> end to your malicious hacking career. ;-)
> 
> I'd be happy to accept your report and put in the time to notify everyone
> affected.
> 
> Or, just send the details to full-disclosure from an anonymous e-mail account
> like fulldisclosure@...holic.org

I appreciate all of the advice I've received so far, and from what it 
seems, I'm in quite a sticky situation.  I'm not 100% positive that the 
"cracker" compromised any systems from this box.  There is a txt file of 
about 100 IPs with admin usernames/passes which I don't think would be a 
good idea to post to a public list, especially a script-kiddie haven 
like FD.  I also know that the attacker performed a UDP flood on some 
poor sap.  Unfortunately for the attacker, we noticed this right away 
when the T1 router went bezerk.  I traced it back to that machine, not 
by sniffing, but through switch activity lights, so I don't know who 
that victim was.  I thought it was a faulty NIC, or a driver gone 
haywire, so I rebooted the box.  That's when I noticed that mIRC.exe was 
listening for remote commands, and a new admin account.

Judging from the date of the trojan files, they only had control for 2-3 
days, and I promptly installed zonealarm, a temporary fix until I could 
get the server replaced.

Anyway, the machine now sits happily in a corner, unplugged from the 
world, with the HD just how I left it.  Everything I deleted from the 
machine, aside from the cracker's admin acount, was copied off to a 
secure place.  Hopefully that will be enough if I get any inquries.  I 
will start with a report to CERT, and see where that goes.

Thanks again for all the help.

Mark

Powered by blists - more mailing lists