March 26, 2010 at 12:27 pm #4858caissydParticipant
Two weeks ago, I took a very quick look at a Windows 2000 server having Remote Desktop wide open to the internet. In addition, many services were listening on known ports and 2 on some odd ports. Among these, a default IIS 5 installed, FTP anonymous access with write privileges, etc. Finally, the box has been forgotten and didn’t get patched in the last year…
But I had no authorization to do any scans (other than using nmap), I can’t put a sniffer nor can I review firewall or IDS logs. All I can do is to “remote-desktop” to it and have limited privileges. In addition, I am forbidden to use any “powerful” tools…
Meanwhile, I bump into an audio recording of a course about incident handling. The teacher gave a very, very long list of things to look at in order to find out if a system has been compromised.
I can think of probably 20 things I could check (review logs, firewall logs, sniffer, try to detect a rootkit, check users, etc), but I am looking for a checklist, so I won’t miss things.
So because of the high probably of this server being already compromised, would any of you know about a check list of things to check to find out if a system was compromised?
My goal if to prove the system has been compromised, so these lazy %$?@#$ server admins would rebuild the box and secure it properly instead of saying “we have no evidence it’s been hacked”…
March 26, 2010 at 12:37 pm #30536hayabusaParticipant
Honestly, I’d say you shouldn’t go looking, if it’s not your job, and if you don’t have express permission. While I think we all agree that admins need to wake up and smell REAL security, in the end, digging around without express permission, even if you’re using access you’ve been afforded, is a good way to get fired. Often times, simply digging around in someone else’s territory is frowned upon, even if you’ve got the best intentions, if nobody has given you the proper right to do so.
I’d be careful where you tread, H1tM0nk3y… (Again, not saying I don’t feel your pain, just that you could be asking for more trouble than the benefit could outweigh, that might come from your digging around…)
March 26, 2010 at 12:44 pm #30537j0rDyParticipant
this is hard. id say its a job for an incident response team or forensics. why do you want to do this yourself? if you have that feeling the system is compromised it should be enough to trigger the sys admin to check this. the fact alone that remote desktop was wide open should be enough to get the marbles rolling on the other side…
March 26, 2010 at 1:03 pm #30538Dengar13Participant
This is a very tough place to be in. I recommend also to document your concerns and keep all documentation where it is safe for future reference. If you warned them and they choose to ignore them you can go back if something happens to CYA. Not so much as an “I Told You So”, but to make sure you don’t take the fall. If you have outlined your concerns that you listed and document them then you can always reference back to them in case something does happen.
March 26, 2010 at 1:41 pm #30539hayabusaParticipant
Agreed with Dengar13.
I think a good means to the end you want would be to document your concerns, and keep record of the times you’ve brought those to managements attention. While you may be ignored, now, if you keep enough record, and show due diligence (without overstepping your boundaries,) eventually, someone might understand your point, and take some action to, at a minimum, investigate the possibilities.
Again, just try (obviously not an easy task) to be patient with those who need to be aware of such issues, and do a good job in recordkeeping, so that you can at least have the comfort in knowing you tried to do the IT admins and company some justice, with regards to their security. Just don’t let yourself come across as a ‘know-it-all’ or appear cocky, as, too often, that is frowned upon, especially if it’s not directly within your area of responsibility within your IT department, and often yields less attention to your information than you might otherwise receive.
March 26, 2010 at 2:03 pm #30540ziggy_567Participant
These are very useful cheatsheets from our friends at SANS for intrusion detection on both Windows and Linux. That is, if it were your responsibility…
March 26, 2010 at 4:35 pm #30541rattisParticipant
As a lazy %$?@#$ server admin, if a user or someone else with a decent tech background says they think the server has been hacked, I at least ask them why they think that, and look at it if they have valid points. I know that I don’t catch all the problems when they come in.
In my opinion, the best option would be to talk to your manager. Explain why you think it’s been hacked, and have him / her ask if the server team (or their manager to look into it).
In the past, I have had a few people bring up the “this service is available to the whole world” argument. From their standpoint it looked that way. However from beyond the server (at the firewall) I was limiting the inbound traffic to the box.
March 27, 2010 at 5:50 pm #30542TribanParticipant
Depending on how green the server admin staff are, they most likely will not catch it and there is a chance that they may think you are snooping around where you shouldn’t be. First things first, document everything and CYA! If you had gone to them and they brushed you off, then go to their manager with some hints to the proof you think it’s been compromised. I’ve been a sys admin for about 10 years I’ve learned that I won’t catch everything, specially if a system is deliberately targeted. Chances are if its a W2K box, it is like raising a beacon to an attacker. If it hasn’t been patched, even better! Frankly that box should not even be attached to the network to begin with. So there are a few other issues that the server admins need to fix. But again, you don’t want to seem cocky or you can end up getting into trouble.
If you don’t have any sort of incident response policy, then maybe see if they would give you permission to find more clues. If they still think you are blowing smoke, then maybe you want to get out of that place. Your growing talents may be of use elsewhere. Good luck!
March 28, 2010 at 9:23 am #30543What90Participant
As the others have stated, email the boss with your concerns in a clear and constructive manner and then leave it alone.
Without permission and full access to the box you’d likely to struggle getting anything useful that couldn’t be explained away. The worse case scenario you trip a panic script which shutdown the server or destroys data left by an attacker attempting to hide their tracks.
I had been in a position, a few times now, where well meaning staff have blundered in to a system they should never have been, started poking around and then been discovered. These unfortunate staff are dragged off to HR and given warnings (or worse) for breaking policy or for causing problems that could have affected a company system.
Bring it to your boss’ attention and then follow up with another email after chatting to him/her about your concerns. You’ve done what you can, given your position and responsibilities. Annoying and frustrating, but you’ll still have a job the next day and people will be more inclined to listen to your security suggestions.
March 29, 2010 at 3:34 pm #30544caissydParticipant
Thanks everyone for the feedback and sorry for replying so late, I had a rather touch weekend…
I will definitively keep my fingers out of this box. I have already told my boss in person and in an email. He forwarded is concerned to the sysadmin boss and we are getting a new server next week.
I am still a rookie security analyst, so your advice were very welcomed!
- You must be logged in to reply to this topic.