Results 1 to 8 of 8

Thread: Severe Security Threat..

  1. #1
    Senior Member
    Join Date
    Jun 2003
    Posts
    142

    Severe Security Threat..

    Hello everyone,
    Right now, we are facing a security threat in our corporate network. Some machine from the network is trying to access request to the most critical machine on the network. Yes, IDS rules are in place and they are filtering them out. When the hostname of that machine was resolved, we found out that there is no such machine on the network with this hostname and even the IP is not assigned by our DHCP. This is a real RED ALERT kinda situation here for us. I am googling the issue of "IDENT SPOOFING", but really dont getting an idea that how can we get hold of the culprit.
    Secondly, people in the network have been trying to install password sniffers and other spyware(NETWORK IS SWITCHED), most of these utilities have ARP poisoning feature causing the network to broadcast times and again. Can someone tell me, if I have the time stamp how can i figure it out that who in the network installed it. lookin g forward for ur suggestions...

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi,

    1. What operating system(S)
    2. What Firewall
    3. Where is the nearest gunshop

    Good Luck

  3. #3
    Senior Member
    Join Date
    Aug 2001
    Posts
    267
    We had a similar situation. One user had Kazaa and downloaded a 'spy bot' disguised as an MP3 file.

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    ommy:

    1. An IDS won't filter out a darned thing so unless you mixed up terms don't be too confident that you are protected.

    2. Go to your critical server and in it's network properties tell it to accept _no_ traffic from the offending IP address.

    3. Go to the DHCP server(s) and list out all the address leases with the associated MAC address.

    4. If you have any routers on the network ping them and sniff the replies to determine their MAC addresses.

    5. Sniff some packets from the offending machine and determine what the MAC address is.

    6. Compare the MAC address of the offending machine to those of the the routers.

    7. If the address matches that of a router the machine is on the far side of the router. Repeat sniffing process on far side of router.

    8. When you have determined the collision domain that contains the machine go to every known machine and compare the MAC address. If you find the MAC address on any machine you have the culprit - fire them and reformat the box.

    9. If you can't find the machine, (lets not forget the printers), then someone has added a device to your network. If the traffic is regular begin with the switches in the collision domain you tracked the machine down to and beging pulling cables out. When the traffic stops the device is down that cable.

    10. Physically trace the cable along its entire length, (people will hide things in ceilings, under floors etc), until you locate the machine. Disconnect it. If you can determine who placed it there - fire them.

    11. In future, inventory you MAC addresses when you deploy a machine then you will save yourself the first 8 steps in the process above.

    It sounds to me that you have a personnel problem..... Do you have an AUP?
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  5. #5
    Senior Member
    Join Date
    Jun 2003
    Posts
    142
    nihil...we are using Microsoft Windows 2000 Pro and Microsoft Windows NT on server machines and Microsoft Windows XP on client machines. Norton AV (Corporate Edition) is up and running with all latest updates. Group policies are engineered in a sophisticated manner. No .exe file is permitted to be downloaded from outerworld without permission (GFI plugin on ISA server), even a .exe file within a zip is scanned as well and dropped out. Black ICE is an IDS+Firewall in our network. I hope that would satisfy your query.

    Tiger Shark thank you for such an ellaborative reply. Its weekend here, I ll keep all your suggestions to my mind and would try it on Monday. Thank you for such help...I will try all this and would post my experience and results here. Doing so,hopefully would help some other people too.


    This son of a b**** would only end up being locked down in prison and hopefully, I 'd learn something more out of all this ... Though can anyone recomend what should I google related to this issue for getting a better understanding of all this and how actually the culprit is doing all this..
    once again
    THANK YOU AO

  6. #6
    Senior Member
    Join Date
    Jun 2003
    Posts
    142
    hmmmm...I guess this thread got failed to attract any posts...help anyone...any suggestions...recomendation...would be really appreciated...

  7. #7
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    You need to sniff for the offenders MAC address like TigerShark said. (Are you familiar with that process?) This is actually only a half an hour job at most. A product like Ethereal would work nicely for this. Once you find the offender it's all about unplugging the box.

    The answer has already been stated that's why not too many people have responded. How many hosts on the network? Are you on a switched network?
    If it's a switched network then you should be able to track the culprit down to the port in a matter of minutes even if it's your first time.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    ommy: I don't think you are trying here...... If you can ping the "offender" this is easy as pie..... It's harder if it refuses to reply but c'mon man..... I laid it all out for you and your first response was "its weekend" and the second was "I guess this thread got failed to attract any posts".

    Trust me.... You can't afford to have me come and do this for you but thats what you seem to want. Raise yourself off your rear and do what you were advised to do. If you don't know how to do that then ask more quesytions to clarify the situation..... otherwise.... NIKE

    Just do it......
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •