Open Source and information security mailing list archives
From: marklist at comcast.net (Mark)
Subject: Reacting to a server compromise

Jason Coombs wrote:
> Aloha,
>
> Give the details to somebody in the tech media, or a colleague who you think
> is trustworthy.
>
> Let them notify others who the alleged hacker penetrated.
>
> We all know there was no hacker, you're just trying to make amends for the
> damage you've done to other people's computer systems and repent, putting an
> end to your malicious hacking career. ;-)
>
> I'd be happy to accept your report and put in the time to notify everyone
> affected.
>
> Or, just send the details to full-disclosure from an anonymous e-mail account
> like fulldisclosure@...holic.org

I appreciate all of the advice I've received so far, and from what it seems, I'm in quite a sticky situation.

I'm not 100% positive that the "cracker" compromised any systems from this box. There is a txt file of about 100 IPs with admin usernames/passwords which I don't think would be a good idea to post to a public list, especially a script-kiddie haven like FD.

I also know that the attacker performed a UDP flood on some poor sap. Unfortunately for the attacker, we noticed this right away when the T1 router went berserk. I traced it back to that machine, not by sniffing, but through switch activity lights, so I don't know who that victim was. I thought it was a faulty NIC, or a driver gone haywire, so I rebooted the box. That's when I noticed that mIRC.exe was listening for remote commands, and a new admin account. Judging from the date of the trojan files, they only had control for 2-3 days, and I promptly installed ZoneAlarm, a temporary fix until I could get the server replaced.

Anyway, the machine now sits happily in a corner, unplugged from the world, with the HD just how I left it. Everything I deleted from the machine, aside from the cracker's admin account, was copied off to a secure place. Hopefully that will be enough if I get any inquiries.

I will start with a report to CERT, and see where that goes.

Thanks again for all the help.

Mark
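The files Mark copied off the compromised box are only useful to CERT or to anyone else who inquires if he can later show they have not been altered since they were preserved. The following is an added example, not code from the original post or from any tool mentioned in it: a small Python 3 script that builds a manifest of SHA-256 hashes, sizes and modification times for every file under an evidence directory, and later re-checks the directory against that manifest. The directory layout, file names and contents in `demo()` are constructed sample data standing in for the trojan files and the credentials list described in the post.

```python
"""Evidence manifest: hash preserved files so they can be shown unmodified later.

Added example; the paths and file contents below are constructed sample data,
not material from the incident described on the page.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Walk root and record relative path, size, mtime and SHA-256 for every file."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            entries[rel] = {
                "sha256": sha256_file(full),
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            }
    return {"created_utc": datetime.now(timezone.utc).isoformat(), "files": entries}


def write_manifest(manifest, path):
    """Serialise the manifest as JSON and return the SHA-256 of the written file,
    which should itself be recorded somewhere the evidence store cannot reach
    (printed on paper, e-mailed to a colleague, etc.)."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return sha256_file(path)


def verify_manifest(root, manifest):
    """Return a list of (relpath, problem) for files that changed, vanished or appeared.
    Only the hash is compared: mtimes legitimately change when files are copied."""
    problems = []
    expected = manifest["files"]
    current = build_manifest(root)["files"]
    for rel, meta in expected.items():
        if rel not in current:
            problems.append((rel, "missing"))
        elif current[rel]["sha256"] != meta["sha256"]:
            problems.append((rel, "hash mismatch"))
    for rel in current:
        if rel not in expected:
            problems.append((rel, "unexpected file"))
    return problems


def demo():
    """Constructed sample: two preserved files, then one is tampered with.
    Returns (problems before tampering, problems after tampering)."""
    root = tempfile.mkdtemp(prefix="evidence-")
    os.makedirs(os.path.join(root, "trojan"))
    with open(os.path.join(root, "trojan", "mirc.ini"), "w") as f:
        f.write("[constructed sample] remote=on\n")
    with open(os.path.join(root, "creds.txt"), "w") as f:
        f.write("[constructed sample] 192.0.2.10 admin hunter2\n")

    manifest = build_manifest(root)
    before = verify_manifest(root, manifest)

    # Someone edits the credentials list after the manifest was taken.
    with open(os.path.join(root, "creds.txt"), "a") as f:
        f.write("tampered\n")
    after = verify_manifest(root, manifest)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering:", after)
```

Keep the manifest (and the hash `write_manifest` returns) outside the evidence directory; a manifest stored next to the files it describes can be rewritten by whoever alters them. For a box that is going to be handed to someone else, the same approach applied to a full disk image of the unplugged machine is worth more than per-file hashes of what was copied off by hand.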