Thread: An anti-hacker's tale

  1. #1 (Member, joined Jun 2002, 39 posts)

    An anti-hacker's tale

    Hi,
    I do not know if this is the right board to submit this thread.
    I would like to inform you what happens if you are not careful enough to read your logfiles.
    Let me be more specific:
    I run my own office (it contains 4 NT 4.0 servers and 17 workstations (W2K and mostly NT 4.0 WKS)).
    3 of the 4 servers run around the clock. The 4th server is a RAS dial-in server, which can only be activated via telephone switch (the server gets power and comes up).
    1 domain controller and 2 BDCs.
    I am using a broadband internet connection. On every WKS, the Tiny firewall runs as application firewall. Since those clients do not enter the internet, I thought it would be enough.
    Whenever I am in my office, there are two workstations with the most uptime: one copy station and a specially prepared NT 4.0 workstation with Tiny firewall and ConSeal, IE6 browser with high security level (Java disabled and so on) and The Cleaner as trojan scanner with the TCActive tool (process viewer) activated. With this machine, I use the internet.

    Now let me tell you why I am at the moment under war conditions:
    On Saturday I checked the ConSeal firewall log and found an outgoing connection from local port 1029 to port 80 (internet) to an unknown IP address. I checked with the ripe.net whois who owns the IP range. Well, it points to Czechoslovakia. I am located in Germany (as you can see in my profile). A little research on trojan websites discovered the InCommand trojan, which uses this port.
    I rebooted the system and there it was again, this outbound connection (through port 80!! a firewall penetration).
    Well, from version 1.0 to version 1.06beta2 of InCommand, no signs of the special server files in my system or registry. So I thought, go ahead, use "The Cleaner" and scan the system for trojans.
    BUT: The Cleaner could not come up, because the trojan database file could not be loaded.
    I deinstalled The Cleaner and tried to reinstall it (registry was clean and no files left on the HDD). Again, no trojan database could be loaded. Then I surfed to Moosoft to get a clean new copy of it (I have a licence for The Cleaner), but IE6 has been manipulated, so I cannot load any more files from the internet.
    This machine has been severely manipulated, so I took it off the network, and I am going to do a clean install, because at the moment I cannot find the tool or registry entry which connects to the internet. I do not trust this system anymore.
    Anyway, this morning I installed the VisNetic firewall, the sequel to the ConSeal firewall, on the copy machine. After reboot, there was an outgoing connection as well, but this time local port 1039 to port 80 internet, again to this Czechoslovak IP address. No sign so far what the reason for this connection is. The Cleaner finds nothing. With
    VisNetic firewall, I blocked this connection. On the copy machine, the MD5 signature of IE5.5 was tampered with. So I assume the intruder got this machine as well under his control.

    Conclusion?
    I informed the Czechoslovak IP range holder (ISP) about this intrusion (but I think they don't care... well, it's different to Germany; if you report someone here in Germany and you have the logfiles, this person faces severe punishment (up to three to five years jail according to the German telecommunication law)).
    Well, first I am going to install my hardware firewall, GateLock 200x from Trend Micro. The combination of hardware and software firewall is a good protection.
    Second, I will make a clean install of those two machines.
    Third, I change the IP address range of all machines (have to, because the GateLock needs a special IP range).
    Fourth, on all servers I raise the security and install an additional firewall (ConSeal or VisNetic, it's a licence cost question :-) ).
    Next, I change all passwords.
    Sixth, I dump The Cleaner, it does not work at all for me.

    I am going to post the IP address from Czechoslovakia here, maybe someone had the same experience.
    If you have advice or tools which you recommend, believe me, every tip and hint or assistance is warmly welcomed. If you have more info about these ports, do not hesitate and post it to me.
    I hope I can close this hole until Saturday (it's damn hard work to bring up 21 machines to a high level of security, especially when I change the IP range; all firewall rules have to be changed to the new range, checked and tested against each other).
    Whatever you do to increase your security, it looks like it's not enough.
    Thank you, Czechoslovak intruder, you really made my day.
    Greetings, m.

  2. #2 (Junior Member, joined Aug 2002, 1 post)

    Hi,

    Fport might have helped you to find the application. Sorry that it comes too late:

    http://www.foundstone.com/knowledge/proddesc/fport.html

    (just create a .bat file with fport and then pause to see the result)

    Jeed
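    A constructed illustration of the two checks this thread hinges on: reading the firewall log for outbound flows to unfamiliar destinations (post #1) and mapping the local port back to a process the way fport does (post #2). This is added example code, not from the thread or from Foundstone; the log format, the fport-style listing, the IP addresses and the allow list are all constructed, and a flow whose local port no process claims is reported as the suspicious case.

```python
import re
from collections import Counter
# Constructed ConSeal-style firewall log (the format is an assumption, not a real dump):
# date time action direction proto local:port -> remote:port
FIREWALL_LOG = """\
2002-08-10 09:14:02 ALLOW OUT TCP 192.168.1.23:1029 -> 203.0.113.77:80
2002-08-10 09:14:05 ALLOW OUT TCP 192.168.1.23:1030 -> 198.51.100.9:80
2002-08-10 09:31:11 ALLOW OUT TCP 192.168.1.23:1029 -> 203.0.113.77:80
2002-08-10 09:32:40 ALLOW IN  TCP 192.168.1.5:2311 -> 192.168.1.23:139
"""
# Constructed fport-style listing for the same host: Pid Process -> Port Proto Path
FPORT_LISTING = """\
Pid   Process            Port  Proto Path
412   iexplore       ->  1030  TCP   C:\\Program Files\\Internet Explorer\\iexplore.exe
8     System         ->  139   TCP
"""
KNOWN_DESTINATIONS = {"198.51.100.9"}  # baseline of expected remote hosts (constructed)
LOG_RE = re.compile(r"^\S+ \S+ (\w+) (IN|OUT)\s+(\w+) (\S+):(\d+) -> (\S+):(\d+)$")

def parse_log(text):
    """One dict per well-formed firewall log line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            action, direction, proto, lip, lport, rip, rport = m.groups()
            records.append({"action": action, "dir": direction, "proto": proto, "lip": lip,
                            "lport": int(lport), "rip": rip, "rport": int(rport)})
    return records

def parse_fport(text):
    """Map local port -> (process name, image path or None) from fport-style output."""
    owners = {}
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "->":
            owners[int(parts[3])] = (parts[1], " ".join(parts[5:]) or None)
    return owners

def unexpected_outbound(records, owners, known):
    """Outbound flows to hosts outside the baseline, with the process fport attributes
    to the local port; a port with no owner at all (hidden=True) is the red flag."""
    counts = Counter((r["lport"], r["rip"], r["rport"])
                     for r in records if r["dir"] == "OUT" and r["rip"] not in known)
    findings = []
    for (lport, rip, rport), seen in sorted(counts.items()):
        proc, path = owners.get(lport, (None, None))
        findings.append({"lport": lport, "dst": f"{rip}:{rport}", "seen": seen,
                         "process": proc, "path": path, "hidden": proc is None})
    return findings
```

    Running `unexpected_outbound(parse_log(FIREWALL_LOG), parse_fport(FPORT_LISTING), KNOWN_DESTINATIONS)` reports only the 1029 -> 203.0.113.77:80 flow, seen twice across the sample and owned by no listed process; the browser's own port 80 traffic to the baselined host is not reported.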

  3. #3 (Member, joined Jun 2002, 39 posts)

    Originally posted here by jeed:
        Hi,

        Fport might have helped you to find the application. Sorry that it comes too late:

        http://www.foundstone.com/knowledge/proddesc/fport.html

        (just create a .bat file with fport and then pause to see the result)

        Jeed

    Thank you jeed, it's not too late. I still have the second (copy machine) to deal with.
    The internet PC is down for reinstall :-)
    I am trying this tonight.

    Greetings, M.

  4. #4

    JP PLEASE edit the metatags!

    I hear you... loud and clear. The problem is... there is a way around fport. I don't want to post what I have found because... well, with the keywords and metatags on this site it will draw every script kiddie wannabe on the internet. I don't want to add to their devilish tricks by adding the little I know. There was a time when doing a "google" search on "hacking" would bring this site up on the first page. I have bitched about this a lot. We need to edit those tags and use professional terms as keywords and metatag descriptions. Perhaps people with true security knowledge would feel free to share it without being worried that some little script kiddie is going to abuse the knowledge. I remember I shared a debug script with someone who couldn't get rid of a virus. He even redid a fdisk/format/reinstall. The virus turned out to call BIOS int 13h to write itself outside an area addressable by the DOS write interrupt. I gave him a debug script that wipes out all partition information. Then some little script kiddie comes along and makes it a VIRUS PAYLOAD... sheesh. JP, PLEASE edit the metatags before the whole site goes down the toilet.

  5. #5 (Member, joined Jun 2002, 39 posts)

    Summary:
    Removed 2 PCs from the network. Currently under reinstall process.
    Installed the GateLock 200x (thanks to Trend Micro I have now a fully functional hardware firewall :-)
    Updated all servers and 50% of the clients to a new IP range.
    Deinstalled Tiny firewall (from now on it's useless for me).
    Installed VisNetic Firewall.
    Removed The Cleaner....
    Any better tool out there?
    Greetings, M.
