Hi,

Two weeks ago, I took a very quick look at a Windows 2000 server having Remote Desktop wide open to the internet. In addition, many services were listening on known ports and 2 on some odd ports. Among these, a default IIS 5 installed, FTP anonymous access with write privileges, etc. Finally, the box has been forgotten and didn't get patched in the last year...

But I had no authorization to do any scans (other than using nmap), I can't put a sniffer nor can I review firewall or IDS logs. All I can do is to "remote-desktop" to it and have limited privileges. In addition, I am forbidden to use any "powerful" tools...

Meanwhile, I bump into an audio recording of a course about incident handling. The teacher gave a very, very long list of things to look at in order to find out if a system has been compromised.

I can think of probably 20 things I could check (review logs, firewall logs, sniffer, try to detect a rootkit, check users, etc), but I am looking for a checklist, so I won't miss things.

So because of the high probably of this server being already compromised, would any of you know about a check list of things to check to find out if a system was compromised?

My goal if to prove the system has been compromised, so these lazy %$?@#$ server admins would rebuild the box and secure it properly instead of saying "we have no evidence it's been hacked"...

Thanks!

this is hard. id say its a job for an incident response team or forensics. why do you want to do this yourself? if you have that feeling the system is compromised it should be enough to trigger the sys admin to check this. the fact alone that remote desktop was wide open should be enough to get the marbles rolling on the other side...

Agreed with Dengar13.

I think a good means to the end you want would be to document your concerns, and keep record of the times you've brought those to managements attention.  While you may be ignored, now, if you keep enough record, and show due diligence (without overstepping your boundaries,) eventually, someone might understand your point, and take some action to, at a minimum, investigate the possibilities.

Again, just try (obviously not an easy task) to be patient with those who need to be aware of such issues, and do a good job in recordkeeping, so that you can at least have the comfort in knowing you tried to do the IT admins and company some justice, with regards to their security.  Just don't let yourself come across as a 'know-it-all' or appear cocky, as, too often, that is frowned upon, especially if it's not directly within your area of responsibility within your IT department, and often yields less attention to your information than you might otherwise receive.

Good luck.

H1t M0nk3y,

As a lazy %$?@#$ server admin, if a user or someone else with a decent tech background says they think the server has been hacked, I at least ask them why they think that, and look at it if they have valid points. I know that I don't catch all the problems when they come in.

In my opinion, the best option would be to talk to your manager. Explain why you think it's been hacked, and have him / her ask if the server team (or their manager to look into it).

In the past, I have had a few people bring up the "this service is available to the whole world" argument. From their standpoint it looked that way. However from beyond the server (at the firewall) I was limiting the inbound traffic to the box.

H1t M0nk3y,

As the others have stated, email the boss with your concerns in a clear and constructive manner and then leave it alone.

Without permission and full access to the box you'd likely to struggle getting anything useful that couldn't be explained away. The worse case scenario you trip a panic script which shutdown the server or destroys data left by an attacker attempting to hide their tracks.

I had been in a position, a few times now, where well meaning staff have blundered in to a system they should never have been, started poking around and then been discovered. These unfortunate staff are dragged off to HR and given warnings (or worse) for breaking policy or for causing problems that could have affected a company system.

Bring it to your boss' attention and then follow up with another email after chatting to him/her about your concerns. You've done what you can, given your position and responsibilities. Annoying and frustrating, but you'll still have a job the next day and people will be more inclined to listen to your security suggestions.