
Thread: Hacked network...

  1. #11
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243

    Thanks, gang...

    ...I'm well-versed in Smoothwall, using it on a network of my own. He-heh, even built it my own self (I had to do something with those ol' Pentium I's). But the Pix is what we got. Reckon I'll have to dig out the password and check it out. I have yet to have a good look at it.

    Think this is what I'm going to do:

    1) run HijackThis on everything (I'm well-versed in that one, too) to look for anything unusual like keyloggers (lawdy, I dread what the server's log file will look like...).

    2) run RAV's online AV scan (I've found that one to be the best out there).

    3) do this on Saturday when it's slow and I'm able to take anything offline without incurring the usual wrath of my fellows.

    Thoughts?

  2. #12
    Hi mom!
    Join Date
    Aug 2001
    Posts
    1,103
    Thought: You're mostly concentrating on removing the consequences of the hack, you're not really looking for the origin of it. You might get lucky and find some trojan, but that trojan had to come from somewhere. I would go as MSMittens suggested and install an IDS to track intrusion attempts on your network.
    I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.

  3. #13
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    You have a single problem..... You don't know what it is you are looking for at this point.... All the trojan scanners, AV app, etc. etc. etc. won't help you if the code is altered or home grown.

    Hijack this might work but it suffers from a major failing.... It only shows the processes not the threads running within them. Process Explorer from SysInternals is a better choice but you need to know what are normal threads within key processes and what are abnormal which is quite a feat unless you know what you are looking for in the first place.... So that's something of a dead end too.

    If these kids really did "use your hardware" then there isn't anything there you can trust. Clearly, downing and re-imaging all the boxes, while thoroughly recommended in this situation, doesn't seem to be a viable solution either....

    Which leads to Ms. M. and Guus' solution coupled with doing what you can to move the "obvious" stuff and a _very_ strict ingress and egress policy on the Pix... I would start by blocking _all_ inbound and _all_ outbound traffic through the Pix. Then open only those ports that are _required_ for business to continue. Log every attempt to come in or go out and look for things that don't look right.... Odd ports, odd times, (leave all the boxes on 24/7.... If you don't then something that wanted to run might not be able to and you will miss it in the long run as you begin to believe that you have successfully cleaned the problem), odd destinations, (I don't know if you can turn on host resolution on the Pix but if you can I would recommend it - then you can look at the destinations that do not resolve and those that do but to odd locations when coupled with the port tried).

    Then you need two more things.....

    Snort is king.... .... Fire it up at the gateway and select only the rules that deal with an internal network, (SMB etc.), and rules that are affected by the open ports you need to conduct business, (the firewall logs will alert you to the clearly "bad" traffic), and monitor the snort logs carefully.

    Lastly, and as a final "safety net" pop an ethereal box there, (or let it share the snort box, 13 or so computers shouldn't be able to max out the box), and capture all traffic inbound and out so that when you have suspicions about certain connection attempts or internal boxes you have a complete record of what went on.....

    Then I'd start looking at the boxes themselves....

    Good luck.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
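The "log every attempt and look for odd ports, odd times, odd destinations" review above, as an added example that is not part of the thread: a small triage pass over firewall deny logs. The log lines are constructed (modelled on PIX-style deny syslog), and the allowed business ports and business hours are assumptions for the example.

```python
"""Triage firewall deny logs for odd ports, odd times and inbound probes.

Added example, not from the thread. SAMPLE_LOG is constructed and only
modelled on PIX-style deny messages; ALLOWED_OUTBOUND and BUSINESS_HOURS
are assumptions standing in for the ports and hours a real site would need.
"""
import re
from collections import Counter

ALLOWED_OUTBOUND = {25, 53, 80, 110, 443}   # assumed business ports
BUSINESS_HOURS = range(7, 19)               # assumed 07:00-18:59

LINE_RE = re.compile(
    r"^\w{3} +\d{1,2} (?P<hh>\d{2}):\d{2}:\d{2} .*?Deny (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+)/\d+ "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

SAMPLE_LOG = """\
Mar 14 09:12:01 pix %PIX-4-106023: Deny tcp src inside:10.0.0.21/3345 dst outside:192.0.2.10/80 by access-group "inside_in"
Mar 14 02:47:33 pix %PIX-4-106023: Deny tcp src inside:10.0.0.7/1042 dst outside:198.51.100.9/6667 by access-group "inside_in"
Mar 14 02:47:35 pix %PIX-4-106023: Deny tcp src inside:10.0.0.7/1043 dst outside:198.51.100.9/6667 by access-group "inside_in"
Mar 14 11:03:10 pix %PIX-4-106023: Deny udp src outside:203.0.113.5/53412 dst inside:10.0.0.1/137 by access-group "outside_in"
Mar 14 03:15:00 pix %PIX-4-106023: Deny tcp src inside:10.0.0.7/1050 dst outside:198.51.100.9/25 by access-group "inside_in"
"""

def parse(line):
    """Return a dict of the fields we triage on, or None for non-deny lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["hour"] = int(ev.pop("hh"))
    ev["dport"] = int(ev["dport"])
    return ev

def classify(ev):
    """List the reasons an event looks odd; an empty list means unremarkable."""
    reasons = []
    if ev["src_if"] == "inside":                 # egress attempt from our LAN
        if ev["dport"] not in ALLOWED_OUTBOUND:
            reasons.append("odd port")
        if ev["hour"] not in BUSINESS_HOURS:
            reasons.append("odd time")
    else:                                        # anything knocking from outside
        reasons.append("inbound probe")
    return reasons

def triage(log_text):
    """Return (flagged events, Counter of odd egress attempts per internal host)."""
    flagged, per_host = [], Counter()
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        reasons = classify(ev)
        if reasons:
            flagged.append((ev["src"], ev["dst"], ev["dport"], reasons))
            if ev["src_if"] == "inside":
                per_host[ev["src"]] += 1
    return flagged, per_host
```

Hosts that repeatedly top the per-host count at odd hours are the ones to pull the ethereal capture for first.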

  4. #14
    Senior Member kr5kernel's Avatar
    Join Date
    Mar 2004
    Posts
    347
    Another point is cost, a well built firewall distro on a crappy or even halfway decent box will run a lot less expense than a pix firewall. It's money you could save and invest in a better networked anti virus solution. It's all about the bottom line to a lot of businesses.
    kr5kernel
    (kr5kernel at hotmail dot com)
    Linux: Making Penguins Cool Since 1994.

  5. #15
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243

    Ugh...

    ...guess I got my work cut out for me. Just took Beagle.BD off one of the service dept's computers.

    Don't know snort though I put it on my W2K laptop (Windows-port). I've run ethereal from the same laptop a time or two though I'm on the learning curve there still.

    Could I run Knoppix STD live linux cd off one of the workstations? I've used a number of the live-cd's out there: Insert, Knoppix, Knoppix-STD. Can't say I'm too familiar with snort, but I'm a fast learner typically. Any good tutorials out there? I know the networking company we use is a Windows shop, the one guy I've talked to is useless on linux.

    What a great forum...

  6. #16
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    This might help.... Since I am the author fire away with any questions.... You might want to combine some of the hardware to your laptop for example but it should give you a good start.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  7. #17
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243

    Thanks, Tiger Shark...

    ...not sure the boss has as much confidence in me on the server as he does this networking outfit. I'd like to try the Knoppix-STD cd on a workstation though...

  8. #18
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I would suggest that since the manifestation of the Hack took place not long after this "networking outfit" graced you with their "upgrade" that the "networking outfit" may be the cause of your problems rather than the solution.... Let's see... They stuck your one and only production server as the gateway to the network..... Did they ever hear of "best practice" let alone common sense..... My response to that suggestion would have been "Pick yer window.... Yer leaving"... You'd have been better off putting a Linksys in.....

    Just my thoughts on the issue..... I could be wrong.... but you can quote me if you like......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  9. #19
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243

    Good news...

    ...the latest virus-laden emails coming in, even though they show one of our email addresses, are actually originating from Cinergy up in Evansville, IN, now. At least according to the headers. I'll keep an eye on any more of these rogue emails. Can the Beagle virus spoof IP addresses in the headers?

    Yeah, Tiger Shark, I'm not too hot on that fancy-pants networking outfit either...

  10. #20
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243

    As for the server/gateway...

    ...it was set up like that on the old server, they had an ISA firewall, for what IT'S worth, configured on it, and it worked ok. Not my choice, I like a lot of layers in there. Make 'em work for it I say.
