Hacked systems and the law
Bradley Miller
bradmiller at dslonramp.com
Tue Apr 22 18:47:24 CDT 2003
Thanks for the info. Luckily I actually have very few "hosting only"
clients that would have had a username/password compromised. The other 98%
would be sites that I maintain . . . so although I need to change the PW it
won't be a huge deal . . . and they were getting all new ones shortly with
the new server anyway. ;-)
-- Bradley Miller
At 01:31 PM 4/22/2003 -0500, you wrote:
>On Tue, 22 Apr 2003, Bradley Miller wrote:
>
> > One thing that I'm currently looking at is Snort and ACID for my next
> > system. I found some very good installation articles on both products,
> > with Webmin. I might need some adjusting for the Debian install, but those
> > look like solid products to become a little offensive with my security.
>
>Given that your new box(s) will be hosted at NetStandard, you might
>already have someone watching your traffic for you. I'd ask them about
>it, or find out if it's a value-add service you have to pay for. (I know
>they have snort working extensively on their network.)
>
>I don't think I would suggest running snort _on_ your production boxes.
>It will work, but it's really not what it was designed for. In addition,
>spend some time getting familiar with the "current" signature base, as
>well as learning how to write custom signatures of your own. This is
>analogous to writing your own anti-virus signatures to some extent - but
>more complex as you're working with the network layer.
>
>And - just in case you don't already know, versions of snort < 2.0 have a
>root vulnerability exploit making the rounds. Make sure it's patched.
>
>Just to throw my $0.02 cents as to the reasons you were hacked:
>Red Hat 6.2 is really quite dated. Yes, it can be made more secure and
>the like - but I get the impression most likely you didn't have every last
>piece of the errata for that release installed. With this in mind, there
>have been several root level exploits for the default kernel since that
>version was released. OpenSSL would be something to look at, with the
>problems it has had in the past year. I doubt very seriously you've had
>anyone sniffing your traffic and snatching a password or anything. More
>likely than not, you've had some known vulnerable piece of software in
>place, and a buffer overrun or the like were used.
>
>A step further - you probably weren't even targeted. (No further than the
>IP range your hosts were on anyway.) As I have mentioned before, and feel
>the need to double-chide, ALL passwords for every single account on your
>compromised hosts are now worthless. Re-use of a single password, given
>that you can expect your script-kiddies have a copy of all of that
>information, will provide them with an attack vector for return. Now to
>upset your client base - it's all too common for folks to use the same
>username and password on everything. In this case, if your kiddies (by
>reading your e-mail or other means) can vector in on other places you may
>have used these credentials, those accounts are at risk. You need a
>carefully crafted message to deliver to your clients, explaining that
>although you now have egg on your face you have access to paper towels,
>they need to secure these accounts. It's the Right Thing(tm) to do for
>your clients.
>
>Dustin
>
>--
>Dustin Decker - CNA, MCP
>dustin at dustindecker.com
>Network Engineer
>Preferred Physicians Group
>"Where there is much light there is also much shadow." -- Goethe
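Dustin's point that every password on a compromised host is now worthless can be turned into a quick audit. The script below is an added example, not code from the thread: it reads a constructed /etc/shadow sample, lists the accounts that still hold a usable password last changed on or before the compromise date, and emits the `chage -d 0` command that forces a change at next login. The compromise date and all account data are assumed for illustration.

```python
"""Audit a compromised host's /etc/shadow: every account with a usable password
set before the compromise must be forced to rotate (all sample data constructed)."""
from datetime import date

# Constructed sample in /etc/shadow layout:
# name:hash:lastchg(days since 1970-01-01):min:max:warn:inactive:expire:flag
SAMPLE_SHADOW = """\
root:$1$abcdef$constructedhashvalue000000000:12000:0:99999:7:::
daemon:*:11900:0:99999:7:::
bin:!:11900:0:99999:7:::
bradley:$1$ghijkl$constructedhashvalue111111111:12150:0:99999:7:::
client1:$1$mnopqr$constructedhashvalue222222222:12160:0:99999:7:::
client2:$1$stuvwx$constructedhashvalue333333333:0:0:99999:7:::
"""


def days_since_epoch(d):
    """shadow(5) stores the last-change date as days since 1970-01-01."""
    return (d - date(1970, 1, 1)).days


# Assumed compromise date for this example (2003-04-15 -> day 12157).
COMPROMISE_DAY = days_since_epoch(date(2003, 4, 15))


def usable_password(hash_field):
    """A locked ('!', '!!', '*') or empty hash field cannot be used to log in."""
    return bool(hash_field) and not hash_field.startswith(("!", "*"))


def accounts_to_rotate(shadow_text, compromise_day):
    """Return the accounts whose password could be in the attacker's hands:
    usable, and not changed after the compromise (lastchg 0/empty counts too)."""
    to_rotate = []
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        user, pw_hash, lastchg = line.split(":")[:3]
        if not usable_password(pw_hash):
            continue  # locked/system account: nothing for the intruder to reuse
        changed = int(lastchg) if lastchg else 0
        if changed > compromise_day:
            continue  # already rotated after the compromise
        to_rotate.append(user)
    return to_rotate


def rotation_commands(users):
    """chage -d 0 sets the last-change date to 0, forcing a change at next login."""
    return ["chage -d 0 %s" % u for u in users]


if __name__ == "__main__":
    print("\n".join(rotation_commands(accounts_to_rotate(SAMPLE_SHADOW, COMPROMISE_DAY))))
```

Run it against a copy of the real shadow file taken during the rebuild, not on the compromised host itself, since nothing on that box can be trusted.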