
Thread: Ideas on how the hacker is doing it?

  1. #21
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Digerati:

    JP is dead right here. Let's think about this. I don't know how big your network is but whatever.... There are a gazillion ways it may be subverted...... That's a lot of work to do to clean it. Take a stroll down to your accounting department. When you get there they should be able to tell you the depreciation you caused to the carpet as you walked there and how much per minute the 1 sq. foot of space you are taking up costs for the time you stand there. My point, everything costs money. You cost your company money every time you respond in this forum. It doesn't take long for those costs to rack up and become some serious cash that your CEO doesn't really want to see "bleeding" away from his bottom line.

    The point of that is..... You have a "choke point".... That's a place where all things _must_ pass. The choke point is him. Neutralize the choke point and the private information stops leaking. The cheapest form of neutralizing him is to pick up the phone and call the FBI, period. You'll spend hours, days or weeks trying to prevent him and you will miss something.... all that money down the drain. For the price of a phone call and a couple of hours with the feds showing them the evidence and "Bingo", the problem of leaking information is solved... He will go really quiet, really quickly when they turn up on his doorstep.... I've seen this happen.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  2. #22
    Junior Member
    Join Date
    May 2004
    Posts
    7
    This is one of those cases I really joined up to comment on. Having worked with the US Government (Dept. Of Treas.), I can say for an absolute fact that the FBI is the place to go. Get the blue pages of your phone book and get the local office number, phone calls are always taken more seriously, and get routed to the right people, faster. The FBI and secret service investigate such things regularly, however I will say that the first thing they are likely to promote is a lockdown of your entire network for forensic investigation, irrespective of whatever logs you can provide. Assuming this person had at least as much of a clue as I do (and hopefully anyone in such a capacity would have significantly more) he would have inserted as much code into your systems as he felt he could get away with, and apparently had ample time to do so. I would bet the INDIVIDUAL boxes have been infected with trojan-like code besides the network itself, as many have already said.

    I have to strongly encourage the FBI route, that's all my ranting is really for.
    Outside of dogs, books are man's best friend; inside a dog it's too dark to read.
    -Groucho Marx

  3. #23
    Member
    Join Date
    Jan 2004
    Posts
    33
    The verdict is in......The powers that be do not want the press or the help of the government. So the decision handed down to me has been to prevent and preserve.
    I am going to start with the suggestions made by JP regarding the router. I am going to have all admin passwords and hardware passwords changed for any admin accounts, I am then going to move to the Exchange Server and work to validate the accounts. I will also set up a sniffer to monitor open ports and log traffic on unusual ports.

    Ok folks this is what I was afraid would happen.....Any other suggestions on the next steps to take. I am going to work from server to server once the perimeter is checked.

  4. #24
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    First thing you need is a network audit..... You need to know what you are dealing with. This will avoid you missing a direct dial in access via modem or a WAP that he might be using. Also, don't forget that he may have _no_ access from the outside. He may have a person on the inside sending stuff out to him. At this point you can trust nothing and nobody... period.

    Not forgetting that the issue may not be coming over wire I would run a quick scan of the entire netblock against every port in the range, (1-65535), nothing fancy, just a simple connect scan to see if anything is out there that probably shouldn't be. If there is something open, block it and put a packet sniffer outside the firewall to log every packet to that IP/port combination. That should cover you for the external-internal threat and will be relatively quick to complete.

    After that you are really faced with a forensic examination of every box within the trusted network. You can't rely on finding a single box and saying "there... done", he may have subverted many so every box needs checking. Since this is a "call home" scenario the app may be scheduled. If it isn't then it is most likely running as a service or as some other startup item. Everything needs to be validated that is running automatically on every machine. If he has managed to subvert legitimate services/items then you may never find him and you will need to start everything from scratch..... Look at creating a RIS server if you have to go that route.

    All the while remember to look for modems and WAPs, (especially rogue ones), make sure they are locked down.

    Good luck....

    Oh, and remember, there are certain places that you are required by law to report the violation.... Make sure your company consults the legal beagles......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #25
    Member
    Join Date
    Jan 2004
    Posts
    33
    Exactly the type of information I am looking for Tiger Shark thanks for your input!!! I will continue to post my findings

  6. #26
    Junior Member
    Join Date
    Mar 2003
    Posts
    12
    You are receiving advice to get the FBI in on this, why not give them a call and a chance at it, then if they are not interested, do a complete clean-up....Do it.

  7. #27
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Boto: Because his CEO and superiors have told him he can't...... Keeping his job is probably a motivating factor in his decision to follow their directive......

    Uno: I should have mentioned it before but I was in a hurry. Google "Aida32", download the zipped package and place it in a generally available folder on a server in the trusted zone. Follow the instructions, (they are pretty basic), that come with it and create a login script to run it automatically at login and write its report to the other shared folder you create in the instructions. Have everyone log out and log in again, (or if it is a big network just wait till tomorrow morning). Install the non-zipped version on your workstation and drag and drop the entire list of reports onto the interface it provides. It will audit your network in amazingly fine detail with very little work. You'll see modems, installed programs, startup programs etc. It will help you a lot and cut the initial time for the audit significantly.

    Sorry I wasn't thinking right when I last posted, you could have had everyone turn their computers off tonight and have a really good audit by 10:00 am.

    I run this continuously but don't allow overwrite of existing reports. In that way I get snapshots and copy the old to an archive folder every week or two and let the process run again. I can compare last to current and see what has changed..... It's very handy.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
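Tiger Shark's two posts above (#24: "everything needs to be validated that is running automatically on every machine"; #27: archive the old inventory reports and compare last to current) describe the same defensive loop: take a per-host snapshot, keep it, diff the next one against it, and review what appeared. The script below is an added example and not code from this thread or from Aida32; it uses a constructed plain-text report layout (a "host:" line followed by [section] blocks), which is an assumption and not Aida32's real report format, and the hostnames, paths and port numbers in it are made up.

```python
"""Diff two per-host inventory snapshots and flag what a reviewer should look at.

Added example, not the forum's or Aida32's code. The report layout is a
constructed stand-in for an inventory tool's output; all sample data is made up.
"""

# Constructed baseline snapshot (the archived report from a known-good run).
BASELINE_REPORT = r"""
host: WS-ACCT-01
[startup]
C:\Program Files\AV\avmon.exe
[services]
Spooler
LanmanServer
[ports]
tcp/135
tcp/445
"""

# Constructed current snapshot: WS-ACCT-01 gained a startup item and a
# listening port and lost a service; WS-NEW-02 was not in the baseline at all.
LATEST_REPORT = r"""
host: WS-ACCT-01
[startup]
C:\Program Files\AV\avmon.exe
C:\WINDOWS\Temp\svch0st.exe
[services]
Spooler
[ports]
tcp/135
tcp/445
tcp/31337

host: WS-NEW-02
[startup]
[services]
[ports]
tcp/135
"""

# Sections where an added item is where auto-started "call home" code would
# show up, so additions here (and unknown hosts) go to the top of the review list.
WATCH_SECTIONS = {"startup", "services", "ports"}


def parse_report(text):
    """Return {host: {section: set(items)}} parsed from the report text."""
    hosts = {}
    host = section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("host:"):
            host = line.split(":", 1)[1].strip()
            hosts[host] = {}
            section = None
        elif host is not None and line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            hosts[host].setdefault(section, set())
        elif host is not None and section is not None:
            hosts[host][section].add(line)
    return hosts


def diff_snapshots(old, new):
    """List (host, section, change, item) tuples; change is added/removed/new/missing."""
    changes = []
    for host in sorted(set(old) | set(new)):
        if host not in old:
            changes.append((host, "host", "new", host))
        if host not in new:
            changes.append((host, "host", "missing", host))
            continue  # nothing further to compare for a host that vanished
        before_sections = old.get(host, {})
        after_sections = new[host]
        for section in sorted(set(before_sections) | set(after_sections)):
            before = before_sections.get(section, set())
            after = after_sections.get(section, set())
            for item in sorted(after - before):
                changes.append((host, section, "added", item))
            for item in sorted(before - after):
                changes.append((host, section, "removed", item))
    return changes


def needs_review(changes):
    """Keep unknown/missing hosts and additions in watched sections; drop the rest."""
    return [c for c in changes
            if c[1] == "host" or (c[2] == "added" and c[1] in WATCH_SECTIONS)]


if __name__ == "__main__":
    found = diff_snapshots(parse_report(BASELINE_REPORT), parse_report(LATEST_REPORT))
    for host, section, change, item in needs_review(found):
        print(f"{host:12} {section:8} {change:8} {item}")
```

Removed items are still recorded by `diff_snapshots` (a service that disappeared can matter too, for instance a disabled AV service), but `needs_review` puts new hosts and new startup entries, services and listening ports first, because that is where something scheduled or running as a service to "call home" lands. Running this against the archived-versus-current report folders Tiger Shark describes gives the week-to-week "what has changed" view without re-reading every report by hand.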

  8. #28
    Senior Member
    Join Date
    Feb 2002
    Posts
    1,210
    Interesting discussion. I really don't have a lot to add in terms of the real issue at hand. I just wanted to point out that the Aida32 app that Tiger Shark mentioned isn't so easy to find on the web now since the maker of it has decided to close up shop. It's fairly easy to find the personal edition (think aida32pe_375.zip is the latest there) but the enterprise edition of it, of which I have this one.. aida32ee_388.zip is not such an easy find. In fact, I searched a little bit and thought I found it here but I got a bit confused when I clicked on the download link and it brought me elsewhere.

    I've uploaded my version (aida32ee_388) to the yousendit.com server.. at this place one can upload a file up to 1 gig in size.. But, it will only remain on the server for 7 days and I think there's a restriction on how many times it can be downloaded to prevent the warez folks from abusing the service. So all you other AO'ers.. please don't try and download from this link until after uno has said that he's gotten it.. (if he wants it to begin with) it's 3.058 meg in size.

    and the link to get it is here

  9. #29
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    SumDum: Thanks mate.... I didn't think it would go away on the search engines so quickly. I was only on his site a couple of weeks ago reading about him stopping further maintenance - Bloody shame really it is an incredibly detailed, fast and accurate tool. Two weeks ago all it took was to google aida32 and it was right there at the top of the list..... <sigh>

    Uno: Don't worry about trying to get it. Being the pack rat I am - when I find a good app I archive the setup files. Particularly good/useful apps go on my USB key fob.... Aida32 is there too. If you can't get it from Sumdum's location PM me and I'll give you a login and password to an FTP site and put it there for you.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  10. #30
    Senior Member (nihil)
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Shame about the FEDs

    OK, so let's move on?...............are you going to belly up and let this sack of sh1t get away with it?

    Go to beancounters department (get an NBC suit from your local military surplus stores first) and ask them to pull his expenses claims for the last 5 years, and AUDIT them..........put in a claim for recharges for anything not 100% substantiated.........he WILL understand?

    Also, as he is a slimeball, and you are all bona fide loyal American taxpayers? maybe a sock over the phone call to the IRS would not go astray..............time he had an audit?

    I do not like d1psh1ts...........as you might have gathered?

    Good luck
