Hacked systems and the law

Bradley Miller bradmiller at dslonramp.com
Tue Apr 22 18:47:24 CDT 2003


Thanks for the info.  Luckily I actually have very few "hosting only" 
clients that would have had a username/password compromised.  The other 98% 
would be sites that I maintain . . . so although I need to change the PW it 
won't be a huge deal . . . and they were getting all new ones shortly with 
the new server anyway.  ;-)

-- Bradley Miller

At 01:31 PM 4/22/2003 -0500, you wrote:

>On Tue, 22 Apr 2003, Bradley Miller wrote:
>
> > One thing that I'm currently looking at is Snort and ACID for my next
> > system.  I found some very good installation articles on both products,
> > with Webmin.  I might need some adjusting for the Debian install, but those
> > look like solid products to become a little offensive with my security.
>
>Given that your new box(s) will be hosted at NetStandard, you might
>already have someone watching your traffic for you.  I'd ask them about
>it, or find out if it's a value-add service you have to pay for.  (I know
>they have snort working extensively on their network.)
>
>I don't think I would suggest running snort _on_ your production boxes.
>It will work, but it's really not what it was designed for.  In addition,
>spend some time getting familiar with the "current" signature base, as
>well as learning how to write custom signatures of your own.  This is
>analogous to writing your own anti-virus signatures to some extent - but
>more complex as you're working with the network layer.
>
>And - just in case you don't already know, versions of snort < 2.0 have a
>root vulnerability exploit making the rounds.  Make sure it's patched.
>
>Just to throw my $0.02 cents as to the reasons you were hacked:
>Red Hat 6.2 is really quite dated.  Yes, it can be made more secure and
>the like - but I get the impression most likely you didn't have every last
>piece of the errata for that release installed.  With this in mind, there
>have been several root level exploits for the default kernel since that
>version was released.  OpenSSL would be something to look at, with the
>problems it has had in the past year.  I doubt very seriously you've had
>anyone sniffing your traffic and snatching a password or anything.  More
>likely than not, you've had some known vulnerable piece of software in
>place, and a buffer overrun or the like were used.
>
>A step further - you probably weren't even targeted.  (No further than the
>IP range your hosts were on anyway.)  As I have mentioned before, and feel
>the need to double-chide, ALL passwords for every single account on your
>compromised hosts are now worthless.  Re-use of a single password, given
>that you can expect your script-kiddies have a copy of all of that
>information, will provide them with an attack vector for return.  Now to
>upset your client base - it's all too common for folks to use the same
>username and password on everything.  In this case, if your kiddies (by
>reading your e-mail or other means) can vector in on other places you may
>have used these credentials, those accounts are at risk.  You need a
>carefully crafted message to deliver to your clients, explaining that
>although you now have egg on your face you have access to paper towels,
>they need to secure these accounts.  It's the Right Thing(tm) to do for
>your clients.
>
>Dustin
>
>--
>o-----------------------------------o
>| Dustin Decker - CNA, MCP          |
>| dustin at dustindecker.com       o-------------------------------------o
>| Network Engineer              | "Where there is much light there is |
>| Preferred Physicians Group    |  also much shadow."                 |
>o-------------------------------|  -- Goethe                          |
>                                 o-------------------------------------o
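A worked example of the "every password on the compromised hosts is now worthless" point above, added here and not code from either message in the thread: take a copy of the host's passwd(5) file, list every account that still has a usable login shell (root included), and print the `chage -d 0` commands that force a password change at next login. The passwd contents below are constructed for the example; the `SAMPLE_PASSWD`, `list_login_accounts` and `rotation_commands` names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a constructed passwd(5) file
# standing in for one copied off a compromised host.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
alice:x:500:500:Alice (hosting-only client):/home/alice:/bin/bash
bob:x:501:501:Bob (site we maintain):/home/bob:/bin/bash
backup:x:502:502:nightly backup:/var/backup:/bin/false
EOF

# Print "user:uid:shell" for every account whose shell is not a nologin
# or false shell.  Root is listed on purpose: once the box is owned, the
# attacker has every hash on it, so no account is exempt from rotation.
list_login_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 ":" $3 ":" $7 }' "$1"
}

# Emit the commands an admin reviews and then runs on the host.  chage -d 0
# sets the last-change date to the epoch, which makes the password expired
# and forces a new one at next login.  The commands are printed, not run.
rotation_commands() {
    list_login_accounts "$1" | cut -d: -f1 | while read -r user; do
        printf 'chage -d 0 %s\n' "$user"
    done
}

list_login_accounts "$SAMPLE_PASSWD"
rotation_commands "$SAMPLE_PASSWD"
```

Forcing a change at next login only covers accounts that log in interactively; hosting-only clients who never shell in still need the new credential delivered out of band, which is the "carefully crafted message" the reply above describes.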