Severe Security Threat..
Right now, we are facing a security threat in our corporate network. Some machine from the network is trying to send access requests to the most critical machine on the network. Yes, IDS rules are in place and they are filtering them out. When the hostname of that machine was resolved, we found out that there is no such machine on the network with this hostname and even the IP is not assigned by our DHCP. This is a real RED ALERT kinda situation here for us. I am googling the issue of "IDENT SPOOFING", but really don't get an idea of how we can get hold of the culprit.
Secondly, people in the network have been trying to install password sniffers and other spyware (NETWORK IS SWITCHED); most of these utilities have an ARP poisoning feature causing the network to broadcast time and again. Can someone tell me, if I have the time stamp, how can I figure out who in the network installed it? Looking forward to your suggestions...
1. What operating system(S)
2. What Firewall
3. Where is the nearest gunshop :D
We had a similar situation. One user had Kazaa and downloaded a 'spy bot' disguised as an MP3 file.
1. An IDS won't filter out a darned thing so unless you mixed up terms don't be too confident that you are protected.
2. Go to your critical server and in its network properties tell it to accept _no_ traffic from the offending IP address.
3. Go to the DHCP server(s) and list out all the address leases with the associated MAC address.
4. If you have any routers on the network ping them and sniff the replies to determine their MAC addresses.
5. Sniff some packets from the offending machine and determine what the MAC address is.
6. Compare the MAC address of the offending machine to those of the routers.
7. If the address matches that of a router the machine is on the far side of the router. Repeat sniffing process on far side of router.
8. When you have determined the collision domain that contains the machine go to every known machine and compare the MAC address. If you find the MAC address on any machine you have the culprit - fire them and reformat the box.
9. If you can't find the machine, (let's not forget the printers), then someone has added a device to your network. If the traffic is regular begin with the switches in the collision domain you tracked the machine down to and begin pulling cables out. When the traffic stops the device is down that cable.
10. Physically trace the cable along its entire length, (people will hide things in ceilings, under floors etc), until you locate the machine. Disconnect it. If you can determine who placed it there - fire them.
11. In future, inventory your MAC addresses when you deploy a machine then you will save yourself the first 8 steps in the process above.
It sounds to me that you have a personnel problem..... Do you have an AUP?
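Steps 3, 5, 8 and 11 above (lease list, sniffed MACs, comparison against known machines, MAC inventory) and the original poster's second question (using a time stamp to tell who started the ARP poisoning) can be automated once the sniffer output is in hand. The script below is an added example written for this thread, not code from any of the posters; its MAC inventory, DHCP/static address table and the ARP-reply capture lines are all constructed sample data, and the capture line format (timestamp, then "arp reply IP is-at MAC") is a hypothetical text export, not the exact output of Ethereal or any particular tool.

```python
"""Correlate sniffed ARP replies against a MAC inventory and DHCP leases.

Hypothetical defender-side script for a switched LAN. It flags:
  1. IPs claimed by more than one MAC (the ARP-poisoning symptom), with the
     time stamp at which each claimant was first seen;
  2. MAC addresses that are in no inventory, i.e. a device nobody deployed;
  3. IPs on the wire that neither DHCP nor the static table assigned.
All data below is constructed for the example.
"""
import re
from collections import defaultdict

# Constructed inventory: MAC -> device name (the "inventory your MAC addresses" step).
KNOWN_DEVICES = {
    "00:50:56:11:22:33": "router-core",
    "00:0c:29:aa:bb:01": "fileserver",
    "00:0c:29:aa:bb:02": "workstation-12",
    "00:80:77:44:55:66": "printer-2f",
}

# Constructed authoritative IP -> MAC table: DHCP lease export plus static addresses.
EXPECTED_IP_TO_MAC = {
    "10.0.1.1": "00:50:56:11:22:33",
    "10.0.1.10": "00:0c:29:aa:bb:01",
    "10.0.1.25": "00:0c:29:aa:bb:02",
    "10.0.1.30": "00:80:77:44:55:66",
}

# Constructed sniffer export of ARP replies (hypothetical text format).
ARP_CAPTURE = """\
2003-05-12 09:14:01 arp reply 10.0.1.1 is-at 00:50:56:11:22:33
2003-05-12 09:14:05 arp reply 10.0.1.25 is-at 00:0c:29:aa:bb:02
2003-05-12 09:15:40 arp reply 10.0.1.1 is-at 00:0d:88:de:ad:01
2003-05-12 09:15:41 arp reply 10.0.1.10 is-at 00:0d:88:de:ad:01
2003-05-12 09:16:02 arp reply 10.0.1.77 is-at 00:0d:88:de:ad:01
2003-05-12 09:16:30 arp reply 10.0.1.30 is-at 00:80:77:44:55:66
"""

ARP_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) arp reply (?P<ip>[\d.]+) is-at (?P<mac>[0-9a-fA-F:]{17})$"
)


def parse_arp_capture(text):
    """Return (timestamp, ip, mac) tuples in capture order; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            records.append((m.group("ts"), m.group("ip"), m.group("mac").lower()))
    return records


def find_ip_conflicts(records, expected=EXPECTED_IP_TO_MAC):
    """Map each IP claimed by more than one MAC to [(mac, first_seen), ...].

    The authoritative MAC is listed first (first_seen is None if it never
    replied during the capture); every later entry is a suspect, and its
    time stamp tells you when the poisoning of that IP began.
    """
    claims = defaultdict(dict)  # ip -> {mac: first time stamp or None}
    for ip, mac in expected.items():
        claims[ip][mac] = None
    for ts, ip, mac in records:
        if claims[ip].get(mac) is None:
            claims[ip][mac] = ts
    return {ip: list(macs.items()) for ip, macs in claims.items() if len(macs) > 1}


def find_unknown_macs(records, known=KNOWN_DEVICES):
    """Return {mac: (first_seen, sorted IPs it claimed)} for MACs absent from the inventory."""
    unknown = {}
    for ts, ip, mac in records:
        if mac in known:
            continue
        first_seen, ips = unknown.get(mac, (ts, set()))
        ips.add(ip)
        unknown[mac] = (first_seen, ips)
    return {mac: (ts, sorted(ips)) for mac, (ts, ips) in unknown.items()}


def find_unassigned_ips(records, expected=EXPECTED_IP_TO_MAC):
    """IPs seen on the wire that neither DHCP nor the static table assigned."""
    return sorted({ip for _, ip, _ in records if ip not in expected})


def report(text=ARP_CAPTURE):
    """Run all three checks over one capture and return the findings as a dict."""
    records = parse_arp_capture(text)
    return {
        "ip_conflicts": find_ip_conflicts(records),
        "unknown_macs": find_unknown_macs(records),
        "unassigned_ips": find_unassigned_ips(records),
    }


if __name__ == "__main__":
    for section, findings in report().items():
        print(f"== {section} ==")
        print(findings)
```

On the constructed data the single MAC 00:0d:88:de:ad:01 shows up in all three lists: it is not inventoried, it claims the router's and the file server's IPs from 09:15:40 onward, and it also uses an address no DHCP lease covers. That MAC is what you then look for in the switch's forwarding table to find the port and the cable, exactly as steps 9 and 10 describe.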
nihil...we are using Microsoft Windows 2000 Pro and Microsoft Windows NT on server machines and Microsoft Windows XP on client machines. Norton AV (Corporate Edition) is up and running with all latest updates. Group policies are engineered in a sophisticated manner. No .exe file is permitted to be downloaded from outerworld without permission (GFI plugin on ISA server), even a .exe file within a zip is scanned as well and dropped out. Black ICE is an IDS+Firewall in our network. I hope that would satisfy your query.
Tiger Shark, thank you for such an elaborate reply. It's the weekend here; I'll keep all your suggestions in mind and would try it on Monday. Thank you for such help... I will try all this and would post my experience and results here. Doing so hopefully would help some other people too.
This son of a b**** would only end up being locked down in prison and hopefully, I'd learn something more out of all this :) ... Though can anyone recommend what should I google related to this issue for getting a better understanding of all this and how actually the culprit is doing all this..
THANK YOU AO
hmmmm...I guess this thread failed to attract any posts...help anyone...any suggestions...recommendation...would be really appreciated...
You need to sniff for the offender's MAC address like TigerShark said. (Are you familiar with that process?) This is actually only a half-hour job at most. A product like Ethereal would work nicely for this. Once you find the offender it's all about unplugging the box.
The answer has already been stated that's why not too many people have responded. How many hosts on the network? Are you on a switched network?
If it's a switched network then you should be able to track the culprit down to the port in a matter of minutes even if it's your first time.
ommy: I don't think you are trying here...... If you can ping the "offender" this is easy as pie..... It's harder if it refuses to reply but c'mon man..... I laid it all out for you and your first response was "its weekend" and the second was "I guess this thread got failed to attract any posts".
Trust me.... You can't afford to have me come and do this for you but that's what you seem to want. Raise yourself off your rear and do what you were advised to do. If you don't know how to do that then ask more questions to clarify the situation..... otherwise.... NIKE
Just do it......