Intruder Alert How to investigate possible hacking.

dbell
I was scanning through the RAS logs and I saw an attempt to logon by a user who is no longer with the company. I talked to the person whose user ID it was and she says that it wasn't her; furthermore, doing a WHOIS on the IP address shows that it is coming from out of state. I was wondering how I can investigate to see if my system was compromised and if I should report these failed logon attempts to the authorities? Any suggestions would be appreciated.
    DanLM

    I have issues with people trying to ssh into my home machine all the time.... What I look for, after I firewall the pricks is........ Was a successful login made? With that I have the IP address of the login.

    Won't the RAS show you the same? I.e., if an actual successful login occurred with that user ID???

    dan

    dbell

    I don't see a successful login by that ID. I do have the IP address from the remote access logs. Whois says it's owned by rr.com somewhere in Virginia. Should I report this to them?

    DanLM

    I get slammed constantly on my home machine for brute force attempts at ssh. The only time I contact the people is when the IP is based in the United States. And then I provide a copy of the log to back up what I am notifying them of. I always contact their abuse email...

    Unfortunately, I have only ever had one company get back to me.... But, I'll be damned if I'll make it easy on people like that. You've gone to this much trouble trying to ensure you're OK, what's one step more to possibly make life miserable for the twit that did this.

    Dan

    marathoner

    I had IP addys from rr hammering on me too.
    Luckily they only annoyed us, didn't really hurt anything.

    Neon Samurai

    The previous posts covered question 1: did they actually get in. You should have some standard idea of steps to follow: check logs for successful login, where did the intruder go and what did they touch, how did they get in and how can it be corrected.

    Ideally, if this is a business, you should have a standard investigation and documentation process set up. It's more responsible for a business to say "someone almost got through, here's what we did to be proactive for next time." Local law should be notified and the remote ISP notified in case the user is a known troublemaker. Even if you're going to take the older way of thinking and skip notifying the public or law; document everything and adjust your security settings accordingly. It would also be worth contacting the Hacker Profiling project (sorry, no website link) as they are compiling a database of such attempts.

    In a home setting, it's more your call. Was the breach big enough to warrant law enforcement? Was it large enough or repeated frequently enough to warrant notifying the registered owner of the IP address or their ISP? Are you better to simply adjust your security to cover the now discovered hole?

    I had someone banging on my FTP server; in that case, it was more fun to turn my security apps back at them. I always did wonder what the look on their face was when they realized they got profiled by the mark (win2k box in North Korea according to my trace).

    DanLM

    My experience has been with my home server (FreeBSD), I get attempts every day. They no longer can do brute force attacks because of firewall settings and personal scripts I wrote. 3 times and you're out. If I firewall myself from work, I wait till I get home and remove it.

    But, even as a home user I have established procedures. Automatic checking of my logs daily, listing off attempts. This is with whois information. ****, I can tell you how many times a specific IP has tried over a period of time.

    If it happened once, it's going to happen again. Lessons learned, be prepared so you can follow up quickly.

    Dan

    ctmcswain

    What kind of Security App are you using on your personal box? If you don't mind me asking.

    DanLM

    The OS is FreeBSD 6.1, and they ported over a later version of the PF packet filter from OpenBSD. PF has throttle support.

    # ssh: at most 10 open connections per source, no more than 5 new ones per 20 s;
    # a source that exceeds either limit goes into <floodtable> and its states are flushed.
    pass in on $intf_in proto tcp to $intf_in port ssh flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/20, overload <floodtable> flush global)
    # ftp: same, with a tighter limit of 5 open connections per source.
    pass in on $intf_in proto tcp to $intf_in port ftp flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 5/20, overload <floodtable> flush global)

    Those two lines in my pf.conf will stop most brute force attacks. More than 5 login attempts in 20 seconds from the same IP is firewalled.

    I then wrote a shell script to parse my auth.log, and firewall stuff identified in that. I have a Perl script that looks through my ftp log looking for these twits. These scripts get run every two minutes.

    At the end of the day, I update a MySQL db I built for analysis purposes.

    Other than the pf firewall, everything is home grown. I get slammed, this is no lie. I had 3 email notifications yesterday that brute force attempts were attempted against my ftp. This is the norm, no word of lie.

    Dan
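An added example, not Dan's own script, of the auth.log scan he describes; it also answers dbell's opening question of whether any offending address ever logged in successfully. The log lines are constructed, `floodtable` is the table named in the pf.conf above, and that table only blocks traffic if pf.conf also declares it (`table <floodtable> persist`) and carries a `block in quick from <floodtable>` rule, which the post does not show.

```shell
#!/bin/sh
# Added example, not Dan's own script: scan an OpenSSH auth.log for brute-force
# sources, list the ones past a failure threshold, report whether any of them ever
# got in, and print the pfctl commands that would add them to <floodtable>.
set -e

# Constructed sample log (OpenSSH/FreeBSD format); set AUTH_LOG to scan a real file.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:15:01 gw sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 4412 ssh2
Mar  3 10:15:03 gw sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 4413 ssh2
Mar  3 10:15:05 gw sshd[1236]: Failed password for root from 203.0.113.7 port 4414 ssh2
Mar  3 10:20:11 gw sshd[1300]: Failed password for dan from 198.51.100.9 port 5000 ssh2
Mar  3 10:20:20 gw sshd[1302]: Accepted publickey for dan from 198.51.100.9 port 5001 ssh2
Mar  3 11:00:00 gw sshd[1400]: Failed password for invalid user test from 192.0.2.44 port 6000 ssh2
EOF
AUTH_LOG="${AUTH_LOG:-$SAMPLE_LOG}"

# "<failures> <ip>" per source address, busiest first.
failed_counts() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
         }
         END { for (ip in n) print n[ip], ip }' "$AUTH_LOG" | sort -rn
}

# Source addresses with at least $1 failures (default 3: "three times and you're out").
offenders() {
    failed_counts | awk -v t="${1:-3}" '$1 >= t { print $2 }'
}

# The thread's first question: did any offending address ever log in successfully?
# Prints "<ip> <user>" for each accepted login from an offender; empty output means no.
offender_logins() {
    offenders "${1:-3}" | while read -r ip; do
        awk -v ip="$ip" '/sshd\[[0-9]+\]: Accepted / && index($0, "from " ip " port") {
                 for (i = 1; i <= NF; i++) if ($i == "for") print ip, $(i + 1)
             }' "$AUTH_LOG"
    done
}

# pfctl commands to put offenders into the overload table from the pf.conf above.
# Printed rather than run, so this is safe anywhere; on the firewall: pf_block_cmds | sh
pf_block_cmds() {
    offenders "${1:-3}" | while read -r ip; do
        printf 'pfctl -t floodtable -T add %s\n' "$ip"
    done
}

# Stand-alone run: the kind of daily summary Dan describes.
printf 'Failures per source:\n'; failed_counts
printf 'Offenders (>= 3):\n'; offenders 3
printf 'Successful logins from offenders:\n'; offender_logins 3
```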

    dbell

    We have a Cisco PIX firewall that is maintained by an outside company. I've never had formal training on firewall config so I feel more comfortable leaving this in their hands. From what they've told me there's no logging on this model so I'm out of luck there, but a good suggestion nonetheless.

    DanLM

    This is my home machine and is set up completely how I want it. You have a Cisco firewall, which I believe is hardware. That's much better. What I described is like me running Norton on my Windows machine. It's all software. I just have more control over it, that's all.

    Dan

    Dr Dij

    Security mgmt software reads the logs and filters out false positives generally, and shows relations between events you might not realize were connected;

    it can start incidents and collect all info; they can either shut out the intruder or ask you if you want to.

    And others are right, procedures should be set up.

    If you're too small a company, there are managed providers who will monitor.

    sridhar.jayaraman

    Do not investigate without reporting it. File a report with your senior management and if you have a corporate policy in place, this will be passed on to the authorities. There have been many cases where sys admins have investigated and later the evidence failed to stand up in court since the "state of the system has been altered" and "it is no longer possible to vouch for the integrity of the system", whatever that means.

    But if you need to raise **** to get this reported, do so.

    frvr

    Whether or not this is a business or home use, the proper procedure for you to follow is as listed: 1) notify the abuse address of the ISP with proper documentation of IP address and logs. 2) notify the abuse address that you will be filing a report with both your local authorities and state attorney general. 3) file reports with both your local and state authorities. Since this action originated in Virginia, past experiences that I have had resulted in immediate investigations, especially by the ISP who does not want the "bad" publicity and/or legal actions taken against them. One thing to remember is that although the attack originated in Virginia, this computer might have been compromised and used as a zombie for an attack occurring outside the United States. This is why it is imperative that you take these necessary steps, so that all involved can trace the original attempt, and if based in the United States, take appropriate legal action (not necessarily on your part, this might be done by the ISP in compliance with government regulations).

    dbell

    I sent an email to the ISP reporting the attempted access, I still haven't received a reply yet. We have gotten a lot of directory harvesting spam from this particular ISP so I suspect that this is how they got the username. All of the other entries in the RAS log look legitimate. I will be contacting the authorities shortly. Thanks for all the helpful advice everyone.

    BALTHOR

    You never know you might be seeing the Gestapo or Cosa Nostra.

    Stimpi

    Disable RAS in services

    change reg policies to null

    Port scan yourself, stuff like that

    If I had an IP I could find the weakness

    J

    packetracer

    Contacting the authorities will do nothing for you. It used to be that they won't move a finger unless you have suffered at least $5,000 in damage. That may have changed, but... Either way you have to be certain that you've been broken into before you'll get any help from the authorities.

    You're better off contacting a security company (maybe you have one that you already work with?). They will help you figure out if your servers have been compromised... and will help you prevent a future security problem.

    As far as the login attempts, there are a few things here that you should have done to mitigate any issues:

    1) The user's account should have been disabled as soon as she left the company. You did do that, right?

    2) Your RAS server is patched with the latest patches, right?

    3) Going back in time through the RAS logs. Ideally you kept at least a month's worth of your RAS logs. Not many people do that, but if you had the foresight to do that, you can go back to see when the attempts started. They could have been happening while the employee was still with the company.

    4) Firewall logs - all models of the Cisco PIX have logging! You will need to set up a syslog server to start receiving the logs from the PIX.

    5) Make sure that your employees pick secure passwords and change them once every few months. Can be done through Group Policy. You can also run free cracking tools to check the strength of current passwords.

    6) If possible try to figure out how the ex-employee's user name/password was stolen. Did she always log in remotely from her own computer? Let her know that she may have malware/a keylogger running on her computer.

    Hope that helps!

    dbell

    1. The user was disabled the day she left and permanently deleted a few months later.

    2. According to the Microsoft Baseline Security Analyzer all the patches are current.

    3. We don't have that much history, but that was the only attempt I see in the last month.

    4. I will have to have a word with our firewall consultant about that.

    5. The group policies have always been enabled with password length and complexity requirements. I haven't tried any password crackers.

    6. I suspect that the hacker got her name from a website or from directory harvesting spam but I can't be sure. No other suspicious attempts have been made to access RAS under any username.

    You're right about the authorities, they weren't very interested.

    dbell

    I got another call from the user whose name was used. She said that she gave an old laptop to a friend and it still had the VPN connection set up on it. We have her old business laptop but apparently she had a personal laptop that she also used to connect to the system. She says that she deleted all the company documents from that system, but didn't delete the VPN from network connections. She assures me that this has been done now. It seems like we need better sanitization procedures in place for situations like this, but this resolution is preferable to unknown hackers attempting to break in. Thanks for all the help and advice. I have a much better idea what to do next time I see suspicious activity.
