Hacked network...

[brokencrow]

Had a big networking outfit come in and put in a new server at our company (one server, 12 desktops). The decision was made migrate W2K Server from the old server to the new one, including the old ISA firewall (this last one was not my idea!). The server also functions as a proxy & a gateway (it's got two nics). I'm the in-house support guy.

Things were ok for a couple of weeks and then we had a few problems with the server. Various .exe files issued memory address errors and a couple of printers would go offline, making themselves unavailable to the desktops. My first reaction was "hardware".

We had the networking company come back out, they explained that the ISA 2000 firewall was old tech and the server had been hacked. They cleaned things up a bit and installed a Cisco Pix firewall. It was VERY expensive, and my sense is they should've put us in the Pix to begin with.

Now we got hit with both Netsky and Bagle viruses on two machines. I shook those down using RAV's online virus scan, downloaded Symantec's virus removal tools and thought I had everything cleaned up (also scanned the server). But today, I was still getting odd emails from our network that had .cpl attachments, typically viral, but in this case null (0 bytes) files.

Any thoughts on how to proceed? I'm thinking of running RAV's online scan on everything come Saturday when it's slow. This networking outfit put us in CA's network antivirus software over a year ago, and apparently put it on the new server, but I'm guessing it's not set up right, so I'll probably wade into that too. I hate to call these guys because it's $2000 everytime they send a couple of guys out for half-a-day on short notice, and they don't tell us anything. I'd like to at least be grounded enough in our problem that I can doublecheck their work.

Should I be checking for files on the server like netcat or some other remote access stuff that an AV program would miss? I'm familiar with ethereal though it would be some work, could I put that on the network and track down these rogues?

Thanks.

[brokencrow]

...our finance guy is got an email from himself today saying "Thanks for letting us use your hardware". He didn't send it apparently and he deleted it before I got a chance to read the headers.

[gore]

Hahahahahahahahahaha! Now THAT is rubbing it in!

Anyway, I used to have problems like this too and having to clean my cousin's machine all the time because hes not a computer dude. I'd have to clean up the trojan infected mess he made fur alle toggen.

I found a great way to get rid of that problem though when I installed this great anti virii here

[XTC46]

For a netowrk your size, I would recommend taking all machines off the network and cleaning each one individualy. Its a hassel but what it probably happening is that you clean one machine and then the virus has already spread to another. so its just a big circle of chase the virus.

so take everyone off the network. Get the tools on a disk and clean EVERY SINGLE MACHINE then hoook them back up to the netowrk as you clean them. Make sure they ALL have the most recent viris def.'s and be sure to keep them updated with all OS updates. this includes your firewalls firmware.

[gore]

You have got to be shitting. Do you know how plausible it is to take that many machines off the network without users, the boss and the CEO killing you? You can't do that. If something happens while the machines are offline, you're ****ed. My idea may not be popular or super plausible but it would work. You could start cleaning boxes while the SUSE machines were up and running. When you get one cleaned, put it to the side. They could all use SUSE for servers and they won't get any worms.

[XTC46]

its 12 workstations and a server. with 2 people going at it it would take less then 2 hours of complete downtime. do the server first, and do it after hours. its not that big of a deal. easily doable.

[MrLinus]

I'd have to agree with XTC. A documented plan as to how you are going to go through each machine will make it faster.

I'd also suggest some of the following:

- do a check for any unusual programs (keyloggers) as well as any physical "things" that shouldn't be there (physical keyloggers)
- change passwords after they've been cleaned and before you put them back on the network
- you might want to consider looking at having another AV scanner tool as a double-check (perhaps after you've cleaned them initially, connect to the network using safe-mode and visit TrendMicro's Housecall)
- change the password for the PIX as well
- install an IDS perhaps?

It does sound like you need something to detect attacks on the network. Where is the mail server for your company? If you run it, is it possible that the email message was just someone messing around? Granted it was from the finance guy to himself but is there a chance of an open relay?

My idea may not be popular or super plausible but it would work.

Lastly, Gore, if you're not going to suggest something that is useful, please don't suggest it. Seriously. While SUSE is wonderful and all, if someone is a Windows admin, it doesn't help them and can make things worse. For whatever reason, his company has chosen Windows and he has to support it since that is the company choice (right or wrong). Installing SUSE isn't the answer since it could open up more issues if he's not familar with it and what they may be. Particuarly since we don't know what the server is used for. (Print server? file server? SQL database? Web? Mail?)

[idmismatch]

Gore, you have to think outside the "SuSE's the best, install it on everything that understands binary" box. I know you love SuSE, and I don't blame you, but it's just not the best solution in all cases.

The business case for taking all the machines off the network is good, especially if weekend work is available.

The business case for installing SuSE on all PCs isn't great when you build in either Crossover Office or training for OpenOffice. Think also about MS Access apps that are often used by small offices - they aren't going to transfer that nicely.

The business case for installing SuSE on servers is either bad or terrible, depending on what's on the servers. I don't know how well apache run .asp pages, for example. Maybe it does, but I'm sure you can see the possible problems.

The deal is here that it's a real company with real needs. It's not just a fantasy world where SuSE can be plugged in to make everything better.

Hell, I'd love to replace all my Windows installations with SuSE, but I don't have the time (or inclination) to train the users.

[idmismatch]

Oh, as an aside, one thing I _would_ replace with Linux is the firewall. Smoothwall's nice and it'll work just fine for such a small setup (assuming you don't have insane amounts of data going in and out). Even better, you don't need to know much about Linux.

www.smoothwall.org is the site for the GPL version.

[MrLinus]

Oh, as an aside, one thing I _would_ replace with Linux is the firewall.

You'd replace a hardware firewall like Pix with a software firewall!? Why?