Hacked systems and the law

Dustin Decker dustind at moon-lite.com
Tue Apr 22 18:31:21 CDT 2003


On Tue, 22 Apr 2003, Bradley Miller wrote:

> One thing that I'm currently looking at is Snort and ACID for my next 
> system.  I found some very good installation articles on both products, 
> with Webmin.  I might need some adjusting for the Debian install, but those 
> look like solid products to become a little offensive with my security.

Given that your new box(es) will be hosted at NetStandard, you might 
already have someone watching your traffic for you.  I'd ask them about 
it, or find out if it's a value-add service you have to pay for.  (I know 
they have snort working extensively on their network.)

I don't think I would suggest running snort _on_ your production boxes.  
It will work, but it's really not what it was designed for.  In addition, 
spend some time getting familiar with the "current" signature base, as 
well as learning how to write custom signatures of your own.  This is 
analogous to writing your own anti-virus signatures to some extent - but 
more complex as you're working with the network layer.

And - just in case you don't already know, versions of snort < 2.0 have a 
root vulnerability exploit making the rounds.  Make sure it's patched.

Just to throw my $0.02 cents as to the reasons you were hacked:
Red Hat 6.2 is really quite dated.  Yes, it can be made more secure and 
the like - but I get the impression most likely you didn't have every last 
piece of the errata for that release installed.  With this in mind, there 
have been several root level exploits for the default kernel since that 
version was released.  OpenSSL would be something to look at, with the 
problems it has had in the past year.  I doubt very seriously you've had 
anyone sniffing your traffic and snatching a password or anything.  More 
likely than not, you've had some known vulnerable piece of software in 
place, and a buffer overrun or the like were used.

A step further - you probably weren't even targeted.  (No further than the 
IP range your hosts were on anyway.)  As I have mentioned before, and feel 
the need to double-chide, ALL passwords for every single account on your 
compromised hosts are now worthless.  Re-use of a single password, given 
that you can expect your script-kiddies have a copy of all of that 
information, will provide them with an attack vector for return.  Now to 
upset your client base - it's all too common for folks to use the same 
username and password on everything.  In this case, if your kiddies (by 
reading your e-mail or other means) can vector in on other places you may 
have used these credentials, those accounts are at risk.  You need a 
carefully crafted message to deliver to your clients, explaining that 
although you now have egg on your face you have access to paper towels, 
they need to secure these accounts.  It's the Right Thing(tm) to do for 
your clients.

Dustin

-- 
o-----------------------------------o
| Dustin Decker - CNA, MCP          |
| dustin at dustindecker.com       o-------------------------------------o
| Network Engineer              | "Where there is much light there is |
| Preferred Physicians Group    |  also much shadow."                 |
o-------------------------------|  -- Goethe                          |
                                o-------------------------------------o
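One way to act on the "all passwords are now worthless" point above, as an added example that is not part of the original post or anything Dustin or Bradley wrote: a small POSIX sh script that reads a Red Hat-style /etc/passwd, picks out every account that can actually log in, and prints the lock commands an administrator would run on the rebuilt host before issuing fresh credentials out of band. It assumes the seven-field passwd layout, that non-interactive accounts carry a shell of /bin/false or /sbin/nologin, and that `passwd -l` is available to lock an account; the sample passwd file it writes is constructed for this example.

```shell
#!/bin/sh
# Post-compromise account triage (added example, not from the original thread).
# Assumptions: a Red Hat-style /etc/passwd with 7 colon-separated fields, and
# non-interactive accounts marked by a shell of /bin/false or /sbin/nologin.
# Every other account could have been used with a stolen password, so each
# one gets locked and receives a new credential through another channel.

# Print the names of accounts that can log in: every account whose shell is
# not a "no login" shell.  An empty shell field means /bin/sh, so it counts.
login_accounts() {
    awk -F: '$7 != "/bin/false" && $7 != "/sbin/nologin" { print $1 }' "$1"
}

# For each login-capable account, print the command an admin would run on the
# rebuilt host to lock the old (compromised) password.  Printing rather than
# executing keeps this a reviewable dry run.
expire_commands() {
    login_accounts "$1" | while read -r user; do
        printf 'passwd -l %s\n' "$user"
    done
}

# Constructed sample passwd file for offline use (not real data).
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
nobody:x:99:99:Nobody:/:/bin/false
bradley:x:500:500:Bradley Miller:/home/bradley:/bin/bash
wwwadmin:x:501:501:Web admin:/home/wwwadmin:/bin/tcsh
EOF
}

# Dry run against the sample file.  Against a real host, point
# expire_commands at /etc/passwd, review the list, then run it as root.
sample="${TMPDIR:-/tmp}/passwd.sample.$$"
write_sample_passwd "$sample"
expire_commands "$sample"
rm -f "$sample"
```

The script deliberately does not force a change at next login (`chage -d 0`) instead of locking: whoever holds the old password could log in and set the new one themselves, which is exactly the return vector the message warns about. Locking first and delivering new passwords by a separate channel closes that gap.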