
Thread: Hacked network...

  1. #21
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    No, viruses can't spoof the IPs in the headers from the point where the valid mailservers in the trail begin. By that I mean that the virus could add bogus headers before it sends the message, but each mailserver in the trail will add the additional headers on their own, so you should see:

    Your mailserver stating it received it from IP X
    Mailserver X stating it received it from IP Y (assuming the ISP doesn't block the originating IP which some do).

    That would, generally, be it unless you or the sending domain has forwarding servers built into their systems. The virus could add a dummy header after mailserver X, but it doesn't really do much good and isn't something that is worth coding since it will be seen through quite quickly.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
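    The header-walking logic described in the post above, as an added example that is not part of the original thread. It walks the Received: lines newest-first, trusts a hop only if the "by" host is one we operate or one that a trusted hop confirmed by reverse DNS, and treats every header below the first untrusted writer as something the sending machine could have forged. The sample message, the host names, the 192.0.2.0/24 netblock and the "rDNS name matches HELO" rule for extending trust are all constructed assumptions of this example, not data from the thread.

```python
"""Find the apparent origin of a mail from its Received: trail.

Added example; not from the thread. The message, hosts and networks
below are constructed. The trust rule is deliberately simple: a hop is
authentic only if its 'by' host is already trusted, and trust extends
to the next writer only when the trusted MTA resolved its name by
reverse DNS and that name matches the HELO it gave.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: our MX took the mail from the ISP relay, the relay
# took it from a dial-up host, and the worm on that host appended a bogus
# Received: line claiming it got the mail from our own server.
SAMPLE = """\
Received: from mail.example-isp.net (mail.example-isp.net [203.0.113.25])
\tby mx.ourcompany.example (Postfix) with ESMTP id 4F3A2B
\tfor <finance@ourcompany.example>; Mon, 15 Mar 2004 09:12:01 -0600
Received: from adsl-198-51-100-77.example-isp.net ([198.51.100.77])
\tby mail.example-isp.net with SMTP id k9Gq; Mon, 15 Mar 2004 09:11:58 -0600
Received: from mail.ourcompany.example ([192.0.2.10])
\tby adsl-198-51-100-77.example-isp.net with SMTP; Mon, 15 Mar 2004 09:11:50 -0600
From: "Bob Finance" <bob@ourcompany.example>
To: finance@ourcompany.example
Subject: Re: Document

see attached
"""

TRUSTED_MX = {"mx.ourcompany.example"}   # constructed: MTAs we run
OUR_NETS = ["192.0.2.0/24"]              # constructed: our public range
OUR_DOMAIN = "ourcompany.example"

FROM_RE = re.compile(r"\bfrom\s+(\S+)(?:\s+\(([^)]*)\))?", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)


def parse_received(value):
    """Split one Received: value into helo, rdns, connecting ip, by-host."""
    value = " ".join(value.split())          # unfold continuation lines
    hop = {"helo": None, "rdns": None, "ip": None, "by": None}
    m = FROM_RE.search(value)
    if m:
        hop["helo"] = m.group(1)
        parts = (m.group(2) or "").split()
        # "(name [ip])": the MTA resolved a name; "([ip])": it did not.
        if parts and not parts[0].startswith("["):
            hop["rdns"] = parts[0]
    m = IP_RE.search(value)
    if m:
        hop["ip"] = m.group(1)
    m = BY_RE.search(value)
    if m:
        hop["by"] = m.group(1)
    return hop


def trace_origin(raw, trusted_mx):
    """Return (origin_ip, authentic_hops, unverifiable_hops)."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    trusted = {h.lower() for h in trusted_mx}
    authentic, origin_ip = [], None
    for hop in hops:
        if (hop["by"] or "").lower() not in trusted:
            break            # written by a host we cannot vouch for
        authentic.append(hop)
        origin_ip = hop["ip"]  # IP seen by a server we trust
        if hop["rdns"] and hop["helo"] and hop["rdns"].lower() == hop["helo"].lower():
            trusted.add(hop["rdns"].lower())
    return origin_ip, authentic, hops[len(authentic):]


def analyze(raw, trusted_mx=TRUSTED_MX, our_domain=OUR_DOMAIN, our_nets=OUR_NETS):
    """Trace the origin and flag a From: that claims our domain but
    arrived from outside our networks."""
    origin_ip, authentic, unverifiable = trace_origin(raw, trusted_mx)
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    from_ours = origin_ip is not None and any(
        ipaddress.ip_address(origin_ip) in ipaddress.ip_network(n) for n in our_nets)
    return {
        "origin_ip": origin_ip,
        "authentic_hops": len(authentic),
        "unverifiable_hops": [h["helo"] for h in unverifiable],
        "from_domain": from_domain,
        "spoofed_sender": from_domain == our_domain.lower() and not from_ours,
    }


if __name__ == "__main__":
    for key, val in analyze(SAMPLE).items():
        print(f"{key}: {val}")
```

Run against the constructed sample, the trail stops being trustworthy after the ISP relay: the origin is 198.51.100.77, and the third Received: line naming mail.ourcompany.example is flagged as unverifiable because it was written by the sending host itself. The From: header claims our domain while the connection came from outside our netblock, which is exactly the spoofing pattern the thread is chasing.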

  2. #22
    Senior Member Spyrus's Avatar
    Join Date
    Oct 2002
    Posts
    741

    Re: Good news...

    Originally posted here by brokencrow
    ...the latest virus-laden emails coming in, even though they show one of our email addresses, are actually originating from Cinergy up in Evansville, IN, now.

    That's not too far from me.... I do take donations; I can drive down there and melt down their server. Just a nominal fee. Besides, I'm bored anyway; I can be the vigilante of spam.
    Duct tape.....A whole lot of Duct Tape
    Spyware/Adaware problem click
    here

  3. #23
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    Online virus scans are great, but you NEED an antivirus installed on each computer. I'd still strongly suggest you take every one of those machines offline and clean them well, or the problem WILL happen again.

    And I wouldn't completely ignore the idea of getting that Linksys, lol.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  4. #24
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Hey there,

    I am showing this to my class this evening (right now) and we have some suggestions/questions to add on:

    - a question of documentation: did the "networking firm" provide you with any as to how they configured items and set up the network/systems?
    - do you have a listing of firewall rules, and have you ensured that the rules are adequate?
    - are your employees trained on what not to press?
    - have you determined the source of the "hack" (inside job? employee?)
    - have you checked Event Viewer for any unusual activities?
    - what did you mean by migrating the "old server to new server"?
    - any idea why only the finance guy was targeted for the "email" (name recognition, senior officer, internet site, etc.)?

    We do believe, however, if the installs by "networking firm" didn't adequately protect your network, you might want to consider getting a refund on some of the support (or lack thereof). Anyways, food for thought.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  5. #25
    Originally posted here by MsMittens
    You'd replace a hardware firewall like Pix with a software firewall!? Why?
    This is purely personal preference. I guess, like gore I'm a little partisan at times. The reason I became turned on to smoothwall in the first place was cost. As they already have pix there's no reason to migrate, unless the maintenance is over costly.

    As far as security goes... I have no reason to recommend smoothwall over pix. I'm not going to start yabbering on about peer review of code and all that 'cos you've heard it all before and I dare say the Cisco ppl aren't novices at security.

    I will say that the only hardware firewall I used was a pain in the arse to configure, whereas Smoothwall's a cinch. Again, that's a personal thing.

  6. #26
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243

    Here's the latest...

    ...looks like OUR network is no longer the source of any of the rogue emails (my fingers are crossed as I type this). The employees get confused because they see an email address that looks like one of ours, but a quick check of the headers yields a different IP address at this point. I've got our users aware of the problem with spoofed addresses that are apparently generated by the Bagle virus, and they are well aware of the dangers of email attachments. Tomorrow I'll go through all the computers, beginning with an online scan, then I'll begin straightening out any AV configuration problems we have.

    MsMittens, no, we have little documentation from the networking company as to how they configure things. Part of that problem is that there's little tech savvy among the employees, so they fail to ask for it. We do have a list of passwords and email settings, but beyond that, there's not much. I'm only there part-time, doing desktop support and training, some networking. I did have a chance to look at Event Viewer, but not for long. Not sure of the firewall rules, haven't looked at that. Don't know where the hack came from or what its exact nature was (the networking outfit handled that), but I do know that the Bagle virus does a splendid job of spoofing, even pulling user names and putting them in as domains. Quite clever. This company recently replaced their old Compaq ML330 with a brand new HP server, but migrated W2K SBS Server over to the new hardware. And it wasn't only the finance guy getting 'targeted' emails. I was even receiving them to my Yahoo acc't. This virus must pull stuff from the address book. At this point, I think I'm dealing with a virus problem only, but I will keep an eye on it.

    I've talked to the owners about security in the past, having used an online port scan to check out our vulnerabilities (the ISA firewall on the old server looked like Swiss cheese!). I'm very high on Smoothwall, using it on my own network, but they're on the Pix now, and that's ok. They're having me go in and cannibalize some of the old hardware to upgrade the remaining Win98 machines, and as I do that, I'll go through the network more. I've been able to add some improvements such as rewiring some of the jacks and replacing NICs over the last year. I've been a bit of a jack-of-all-trades for them, and been especially helpful with some of the proprietary software that has to be installed and updated.

    p.s.-- I'll probably install SME Server on the old Compaq and use it for backups in another building on the site. That'll be fun.

  7. #27
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243

    I spoke too soon...

    ...just got a call the server took a dump. Apparently they got a blue screen and the server dumped the memory. They got a call into the networking company...I'm outta here. You can have that Winders junk.

  8. #28
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    ROFLMAO...

    It had nothing whatsoever to do with rogue code trotting merrily around the network did it????

    Hope this 'network outfit' are also a 'server outfit'......

  9. #29
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243

    I wish it was funny...

    ...I typically end up as the scapegoat because I toggled some email settings on a workstation, or I used the server to view a webpage. No one there will t-o-u-c-h the server, such is the attitude. People get strange about tech stuff...real strange. Reminds me of a car mechanic I knew who commented on his job: he'd put on a new muffler, and the client would come back the next day complaining the mechanic had screwed up his brakes.

  10. #30
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    LOL... You noticed that phenomenon too....

    My absolute favorite is when you go and help someone with a problem on a workstation on a 50 node network and then, for the next six weeks you brought down their T1, caused drive failure of their data drives on the only server, made all the backup tapes go bad and the office cat had kittens and they look like you......

    It's life... I have a good friend that wants me to come and redo his whole company's network (about 35 workstations). I told him I would come and look and see what he needs, then I'll do it for him and document it. I will then train him on how to deal with the day-to-day stuff, but I will _not_ be making this a second career... There will be no calling me every day to fix this or change that, and if it begins I will simply divorce myself from the whole thing.... He knows me and says fine.... So I pushed my luck and told him that if he wants me to do it then what I say in my initial recommendations goes, no shortcuts.... He says fine, price is no object.... So I reminded him I'm not cheap and he says "yes, I know, $150/hour... No problem"... So I went back to the start of the conversation.... "OK, but I'm not looking for a second job.... You really understand that?".... I guess I might have myself a well-paying side job for a few weeks, and he's paying me for the initial recommendation too.....

    If you are in a position to make them pay _and_ to lay down the law..... Don't hesitate to, otherwise you end up as someone's "dawg"....
