Not long ago, and not entirely without preparation, the burden of monitoring network security at my workplace was placed upon my shoulders. The following is the text of a message I recently sent to a coworker, to tell her that her workstation had been broken into.

Names and addresses of people and computers have been changed; names of IRC networks and countries have not. Hardlinks and some other markup have been added. The grammar is a bit rough in spots, and there's a typo or two; I've left these intact. I still find writing these messages a bit stressful.


Marie --

It appears that yourbox.example.net has been cracked, and has been since Wednesday. The DNS tables say that this is a machine in your office. This message is to let you know that I've blocked it from the outside Internet, and to let you know the reasons I believe it's compromised. I recommend that the operating system be reinstalled and upgraded to the latest release before it is allowed on the outside Net again.


Our security monitoring software picked up a large quantity of unusual-looking IRC (Internet Relay Chat) activity from yourbox to irc.example.edu. Specifically, it appears that yourbox is exchanging some sort of binary data with a user named "CrAcKeR" on the EFnet IRC network. By logging onto EFnet and querying this user's profile there, I gathered that s/he is some sort of crook -- s/he's logged into multiple bootleg-software-trading and cracking-oriented chat channels.

On the strength of this evidence, I conducted a portscan of yourbox from my host (mybox.example.net). This turned up several unusual open ports, notably TCP ports 9886, 9887, and 22102. 22102 appears to be an SSH server running on a nonstandard port; this has recently become a common thing for crackers to install. 9886 and 9887 both seem to be running a daemon which asks "Who are you?" when one telnets to it -- probably a back door of some sort.

It appears that the system was cracked on Wednesday the 13th, around 5:57 AM. I'm not sure how the crack was performed. The first sign of hostile activity I've found in the logs is an access to port 22102, the backdoor SSH port, from a node in Israel, 127.123.45.67 (no DNS name). There follows some FTP activity with another Israeli system, 127.234.56.78 (ftp.example.org.il); this is probably when yourbox downloaded the IRC backdoor software. After that, it begins to access several IRC servers, finally settling on irc.example.edu.


We recommend that when a host is compromised in this fashion, the operating system binaries and system configuration (crontabs, scripts, etc.) be completely reinstalled from known-good media, then brought up to date with the vendor's latest security patches. This is because it is near-impossible to root out all the modifications the cracker may have made -- backdoors, trojaned copies of system binaries, and the like.

Sorry to be the bearer of ill news, but ... these things happen. I hope this won't be too much more trouble. Please let me know if I can be of any assistance in getting this system working securely again.

Thanks.
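The timeline in the message above (an inbound hit on the nonstandard SSH port, an FTP fetch from a second outside host, then a run of IRC connections that settles on one server) is the kind of thing a small script over connection logs can pull out mechanically. The following is an added example, not code from the original post or from the author's monitoring setup; the log format, the internal network 10.0.5.0/24, the host 10.0.5.17 standing in for yourbox, the outside addresses (taken from the documentation ranges) and all timestamps are constructed for illustration, and the port lists are assumptions based on the ports the message names.

```python
"""Reconstruct a compromise timeline from connection-log lines.

Added example (not from the original post). Log format, addresses and
timestamps below are constructed; 10.0.5.17 stands in for "yourbox".
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

LOCAL_NET = ipaddress.ip_network("10.0.5.0/24")      # assumed office network
BACKDOOR_PORTS = {22102, 9886, 9887}                 # ports named in the message
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 7000}
FTP_PORT = 21

# Constructed flow-style log: "timestamp direction src dst dstport proto".
# One line is deliberately out of order to show that parse_log() sorts.
SAMPLE_LOG = """\
2002-11-12 23:14:02 out 10.0.5.17 10.0.5.1 53 udp
2002-11-13 05:57:10 in 198.51.100.5 10.0.5.17 22102 tcp
2002-11-13 05:58:41 out 10.0.5.17 203.0.113.9 21 tcp
2002-11-13 06:01:05 out 10.0.5.17 192.0.2.10 6667 tcp
2002-11-13 06:03:12 out 10.0.5.17 192.0.2.12 6667 tcp
2002-11-13 06:02:30 out 10.0.5.17 192.0.2.11 6667 tcp
2002-11-13 09:15:00 out 10.0.5.17 10.0.5.1 80 tcp
2002-11-13 14:40:51 out 10.0.5.17 192.0.2.12 6667 tcp
2002-11-14 02:07:19 out 10.0.5.17 192.0.2.12 6667 tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<dir>in|out) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<port>\d+) (?P<proto>tcp|udp)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    direction: str   # "in" = toward the monitored host, "out" = from it
    src: str
    dst: str
    port: int        # destination port
    proto: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format into Events sorted by timestamp."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        events.append(Event(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                            m["dir"], m["src"], m["dst"], int(m["port"]), m["proto"]))
    return sorted(events, key=lambda e: e.ts)


def is_external(addr: str) -> bool:
    return ipaddress.ip_address(addr) not in LOCAL_NET


def classify(ev: Event) -> Optional[str]:
    """Label an event 'backdoor', 'ftp' or 'irc', or None if unremarkable."""
    if ev.proto != "tcp":
        return None
    if ev.direction == "in" and is_external(ev.src) and ev.port in BACKDOOR_PORTS:
        return "backdoor"          # outside host talking to a nonstandard listener
    if ev.direction == "out" and is_external(ev.dst):
        if ev.port == FTP_PORT:
            return "ftp"           # likely tool download
        if ev.port in IRC_PORTS:
            return "irc"           # bot phoning home
    return None


def flag_events(events: List[Event]) -> List[Tuple[Event, str]]:
    return [(e, c) for e in events if (c := classify(e)) is not None]


def summarize(events: List[Event]) -> Dict[str, object]:
    """First hostile event, FTP peers, the IRC server settled on, and whether
    the backdoor -> ftp -> irc sequence appears in that order."""
    flagged = flag_events(events)
    kinds = [c for _, c in flagged]
    ordered = False
    try:
        i = kinds.index("backdoor")
        j = kinds.index("ftp", i + 1)
        kinds.index("irc", j + 1)
        ordered = True
    except ValueError:
        pass
    irc_counts = Counter(e.dst for e, c in flagged if c == "irc")
    return {
        "first_hostile": flagged[0][0] if flagged else None,
        "ftp_peers": sorted({e.dst for e, c in flagged if c == "ftp"}),
        "settled_irc_server": irc_counts.most_common(1)[0][0] if irc_counts else None,
        "backdoor_then_ftp_then_irc": ordered,
    }


if __name__ == "__main__":
    for ev, kind in flag_events(parse_log(SAMPLE_LOG)):
        print(f"{ev.ts}  {kind:8s} {ev.src} -> {ev.dst}:{ev.port}")
    print(summarize(parse_log(SAMPLE_LOG)))
```

The classification is deliberately narrow: it only flags outside hosts hitting the listeners the scan found, and outbound FTP/IRC to outside hosts, so ordinary traffic to the local resolver and web proxy in the sample stays quiet. In practice the backdoor port list comes from the portscan, as it did in the message, rather than from a fixed table.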
