How "Exactly" a known vulnerability is compromised?

[amir4u]

The network in my company has been breached several times. I just wana know about the most popular ways of entering into the servers of a network and the most popular ways of securing the servers.

How Exactly is a known vulnarability is compromised? I mean which softywares tell us if the given server has this known vulnarability and how a hacker actually enters the servers through it?

Thanx in advance.

[mupp3t]

Ok firstly, the easiest way to secure your computer, that im assuming is windows, is to patch it till the cows come home. Flaws in software and OS's are usually fixed pretty quickly and a patch for it can be found on their website.

try www.windows.com for some patches for your server.

You should also have some kind of IDS (intrusion detection system) in place that monitors whats happening on the computer, and hopefully will alert if anything funny is going on. You should have a decent firewall up, all the mainstream ones are fine. I use blackice personally.

Firstly, to find a vulnerability in a server, you have to know it and what its running. Port scans will reveil what services its running e.g. webserver, sql, smtp, ssh. Telnetting into these services or trying to loggon, depending on the service, usually gives away the server type e.g. webserver apache and the version number. Im sure you can config servers not to give away too much information, but generally its pretty inevitable.

Once you are armed with this information you can rack your brains for an exploit that you heard of, or google and hope some vulnerability turns up for that particular service and version. Depending on the exploit, it can be used in different ways. There are many different exploits too, with buffer overflows being the most common. If they are lucky, they will find an exploit for something that gives a shell with root access, if your not familiar with this terms its basically a command prompt at that computer with full access.
An example is the latest buffer overflow exploit for iis 5.

How a hacker enters in can vary, generally something like above. Once in they will trojan it, or rootkit it if they are a bit more advanced. Either way they will leave a backdoor somewhere in the system allowing them to easily come back in.

Basically....patch your system for everything, move the services it runs to a general user account so that if it is comprimised, it doesnt have root. Uhhh get a IDS and firewall and maybe log some packets aswell, since that can be used as evidence if you catch the l33t hax0r.

</rant>

[Tiger Shark]

Amir: To be absolutely honest if your network has been breached multiple times and you are asking the question you are it is time your boss paid for a professional security company to come in and help you out.

Network security is not something that anyone can explain to you in a forum and every network is different with different architecture, public services, user and customer needs etc. etc. etc. It takes someone with some experience and knowledge to look at the situation in your organization and determine how best to secure your company's network. I can assure you right no that the solutions, (yes plural), I use here would not be appropriate in your situation.

Go ahead and spend the money.... It'll prove to be well spent in the long run and if you follow the security guys around and ask questions you will learn more than we can teach you here and it will be in the context of your own network.

[amazingzarkon]

Amen to what Tiger Shark said! Get some help. Nothing wrong with that.

Security isn't something that you can just accomplish in a day or two. I would recommend something like a three-phase plan:

1) Identify, document, and stop any current penetration. Remove the avenues that were allowing the exploit. I would strongly recommend that you consider reformatting and rebuilding all systems that have been penetrated with software from known safe sources. This is becuase if you have not been taking preventative action, it can be very difficult if not impossible to guarantee with 100% certainty that you are not missing a backdoor or rootkit tool that was installed by the intruder. This is expensive, but if you need to be certain that you're safe this is probably what you're looking at. Before the systems go back online you will need to know that they have been properly patched, configured, and protected.

2) Do some immediate remediation work to identify and remove potential holes in the rest of your network and systems deployment. This is kind of a continuation of step 1, but applies to other systems and devices in addition to the ones that have been compromised.

3) Inventory your systems and data and classify their worth to the organization. Use this information to develop a comprehensive security policy. This will help you moving forward. Security is not a "project" that you can do and move on. It needs to be considered constantly as part of your environment. When you implement a new server or OS or application or switch or storage or whatever. You need to consider formal and informal training and refresher information for the IT staff as well as the general staff.

By the way the "Defense in Depth" approach works marvelously well. Use good access controls, implement firewalls, consider network and host-based IDS. Automated network-wide virus protection. Patch management. Good logging and reporting mechanisms.

Also, I've said it before and I will say it again - you should never overlook the threat that is coming from inside your building. A disgruntled employee or a person with unauthorized physical (or wireless) access to your network is in my opinion 100x more dangerous than a person working a remote exploit on a webserver.

Good Luck!

[prodikal]

What would really help to is the way you're companys network is set up if you want to be told "exactly" how it was breached was a page defaced ? was warez getting hosted from the server ? what happend ? but tiger shark is 100% correct if you're company has been breached so many times the admin should think about getting a gun putting to his head and pulling the trigger. There is no shame in getting a proffesional to do the work, its all well in saying that as well but if some one comes along with even 1 0day you will get breached again but 0days are usually used for high class hacks like .gov .mil etc but they have been know to be used to simply get people's messages out there on any server that the sploit was wrote for so more info on you're companys setup !

[dogus18]

Get a security scanner and scan your self firstly. Then follow the new vulnerabilities daily from www.securityfocus.com and try to use the latest fixed software.Go www.iss.com or www.nstalker.com to get a scanner. Learn about most common hacking techs and apply to your self.Use SATAN type software ýf you are running linux.

[Tiger Shark]

Dogus: I'm sorry but that is the most ridiculous piece of advice I've seen in a long time.

You have no clue of the network topology whatsoever. Are they even running a firewall? All the patches in the world are not going to stop someone from getting on their systems if they are running an unfirewalled network that actually functions, (think file sharing etc.). Amir clearly does not seem to have a grasp of the potential threat and therefore almost certainly will not know what to do when his vulnerability scanner goes wild on him, (not to mention the fact that vulnerability scanners are only useful if correct ACL's etc. are set up to prevent free access to an entire network).

Amir: Pay the money old chap...... You are in an area that you don't seem to have the skill at this point to deal with and you don't really have the time to learn them before the next compromise is likely to occur.

[vescovono]

amir - I too am in complete agreement with Tiger Shark. I would recommend a two prong plan:

1) Follow Tiger Shark's advice - a good place to start would be with your OS vendor, if at all possible. MS, HP, IBM, Sun and pretty much everyone else in the OS business has a form of security services available. Another company to consider is:
TruSecure

2) Education - for whomever in your company will be maintaining the security once the major gaps have been addressed. This too could be brokered from the OS vendor or a network security company.

The costs now are negligible for shoring up defenses and education, compared to the costs of any current and future breaches.

When contacting your OS vendor or another security company, you can ask about the tools to check your network, like ISS, NESSUS, etc.

Let me know if that sucked or not.

[amir4u]

thanx a lot guys, ok, I'm new in network administration. I'm 26 so i'm not an old timer .
Now i learn from your recommendations and suggestions that I should do the following: please do correct me if I'm going astray.

I should learn more and more about securing the network coz may be running it may prove different then securing it. SO I need to learn more on securing it seriously.

I will be consulting some security providers in my area soon.

I will update my windows 2k / NT4.0 servers with all the patches, updates and service packs.

I will try to purchase a good IDS software.

We have a Cisco Firewall. Am in initial stages of learning the firewall stuff.

I will unshare my drive letters with a registry tweak so no one enters them remotely.

I will put permissions of concerned persons on all network shares.

PLease do let me know if i'm missing something crucial coz i guess it surely will be a on going process of learning, implementing and the experincing the results.


I still do wana know as a hacker how I could try to get into my network from outside. Which set of programs would do the magic. Which general ports would i be specifically looking for? how would i know which service is runing on which port? How would I actually "exploit the vulnerability of that service running on certain port? which set of programs would do all that? Sorry for being too inquisitive but i still really gota know all this. As you guys said...once I hack my own network then i'll know how to secure it. please help .

[Tiger Shark]

Originally posted here by amir4u
thanx a lot guys, ok, I'm new in network administration. I'm 26 so i'm not an old timer .
Now i learn from your recommendations and suggestions that I should do the following: please do correct me if I'm going astray.

I should learn more and more about securing the network coz may be running it may prove different then securing it. SO I need to learn more on securing it seriously.

I will be consulting some security providers in my area soon.

Good man.....<s>

I will update my windows 2k / NT4.0 servers with all the patches, updates and service packs.

Good man......

I will try to purchase a good IDS software.

www.demarc.com is very nice and not too expensive.
www.snort.org is free, is the best, IMO, but is a little more complex but there is a wonderful Guide here

We have a Cisco Firewall. Am in initial stages of learning the firewall stuff.

shut down all access from the outside unless you specifically need it for a purpose. It should be that way by default but it won't hurt to go back and look at what is allowed inbound and decide if you really need it.

I will unshare my drive letters with a registry tweak so no one enters them remotely.

Make sure there is no access allowed from the outside to ports 137, 139 and 445 on the firewall and save yourself the trouble for now.

I will put permissions of concerned persons on all network shares.

Good Man.......

PLease do let me know if i'm missing something crucial coz i guess it surely will be a on going process of learning, implementing and the experincing the results.

You need to have the security consultants do a scan to determine if anything remains suspicious on the machines within your network. Let them do it and let them do it soon. Do not try this yourself yet...... There are too many variables for you to necessarily notice the one that gives the game away.

I still do wana know as a hacker how I could try to get into my network from outside. Which set of programs would do the magic. Which general ports would i be specifically looking for? how would i know which service is runing on which port? How would I actually "exploit the vulnerability of that service running on certain port? which set of programs would do all that? Sorry for being too inquisitive but i still really gota know all this. As you guys said...once I hack my own network then i'll know how to secure it. please help .

There are a gazillion ways in..... Some are quite simple, others are incredibly complex. For now concentrate on learning how to secure. As you learn that you will see how the vulnerabilities are exploited.