Intruder Alert: How to investigate possible hacking.

By dbell
I was scanning through the RAS logs and I saw an attempt to log on by a user who is no longer with the company. I talked to the person whose user ID it was and she says that it wasn't her; furthermore, doing a WHOIS on the IP address shows that it is coming from out of state. I was wondering how I can investigate to see if my system was compromised, and if I should report these failed logon attempts to the authorities. Any suggestions would be appreciated.

19 total posts (Page 1 of 2)

I am unfamiliar with the RAS log BUT

by DanLM In reply to Intruder Alert How to inv ...

I have issues with people trying to ssh into my home machine all the time. What I look for, after I firewall the pricks, is: was a successful login made? With that I have the IP address of the login.

Won't the RAS show you the same? I.e., whether an actual successful login occurred with that user ID?

dan

No Successful Login

by dbell In reply to I am unfamiliar with the ...

I don't see a successful login by that ID. I do have the IP address from the remote access logs. Whois says it's owned by rr.com somewhere in Virginia. Should I report this to them?

**** yea, probably won't do any good BUT

by DanLM In reply to No Successful Login

I get slammed constantly on my home machine for brute force attempts at ssh. The only time I contact the people is when the IP is based in the United States. And then I provide a copy of the log to back up what I am notifying them of. I always contact their abuse email.

Unfortunately, I have only ever had one company get back to me. But I'll be damned if I'll make it easy on people like that. You've gone to this much trouble trying to ensure you're OK; what's one step more to possibly make life miserable for the twit that did this?

Dan

rr eh? They dinged me too

by marathoner In reply to No Successful Login

I had IP addys from rr hammering on me too.
Luckily they only annoyed us; they didn't really hurt anything.

Ideally, you should have a business process in place

by Neon Samurai In reply to Intruder Alert How to inv ...

The previous posts covered question 1: did they actually get in? You should have some standard set of steps to follow: check logs for a successful login, where did the intruder go and what did they touch, how did they get in and how can it be corrected.

Ideally, if this is a business, you should have a standard investigation and documentation process set up. It's more responsible for a business to say "someone almost got through, here's what we did to be proactive for next time." Local law should be notified and the remote ISP notified in case the user is a known troublemaker. Even if you're going to take the older way of thinking and skip notifying the public or law, document everything and adjust your security settings accordingly. It would also be worth contacting the Hacker Profiling project (sorry, no website link) as they are compiling a database of such attempts.

In a home setting, it's more your call. Was the breach big enough to warrant law enforcement? Was it large enough or repeated frequently enough to warrant notifying the registered owner of the IP address or their ISP? Are you better off simply adjusting your security to cover the now discovered hole?

I had someone banging on my FTP server; in that case, it was more fun to turn my security apps back at them. I always did wonder what the look on their face was when they realized they got profiled by the mark (win2k box in North Korea according to my trace).

You're correct, if this is a business... Established procedures

by DanLM In reply to Ideally, you should have a ...

My experience has been with my home server (FreeBSD); I get attempts every day. They no longer can do brute force attacks because of firewall settings and personal scripts I wrote. 3 times and you're out. If I firewall myself from work, I wait till I get home and remove it.

But even as a home user I have established procedures. Automatic checking of my logs daily, listing off attempts. This is with whois information. ****, I can tell you how many times a specific IP has tried over a period of time.

If it happened once, it's going to happen again. Lessons learned, be prepared so you can followup quickly.

Dan

What Software Are You Using?

by ctmcswain In reply to Ideally, you should have a ...

What kind of Security App are you using on your personal box? If you don't mind me asking.

I'm using PF firewall which has throttle support

by DanLM In reply to What Software Are You Usi ...

The OS is FreeBSD 6.1, and they ported over a later version of the PF packet filter from OpenBSD. PF has throttle support.

# Assumes <floodtable> is declared elsewhere in pf.conf (table <floodtable> persist)
# and that a block rule for addresses in that table precedes these pass rules.
# SSH: more than 10 simultaneous connections, or more than 5 new connections in 20 s,
# from one source address puts that address into <floodtable> and flushes its states.
pass in on $intf_in proto tcp to $intf_in port ssh flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/20, overload <floodtable> flush global)
# FTP: same rate limit, with a tighter cap on simultaneous connections.
pass in on $intf_in proto tcp to $intf_in port ftp flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 5/20, overload <floodtable> flush global)


Those two lines in my pf.conf will stop most brute force attacks. More than 5 login attempts in 20 seconds from the same IP gets it firewalled.

I then wrote a shell script to parse my auth.log, and firewall stuff identified in that. I have a Perl script that looks through my ftp log looking for these twits. These scripts get run every two minutes.

At the end of the day, I update a MySQL db I built for analysis purposes.

Other than the pf firewall, everything is home grown. I get slammed, this is no lie. I had 3 email notifications yesterday that brute force attempts were attempted against my ftp. This is the norm, no word of lie.

Dan
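Two things in this thread lend themselves to a worked example: DanLM's first question (was a successful login made, and from which IP?) and the auth.log parsing script he describes above. The following is an added example, not Dan's own script and not anything posted in the thread. It applies the same triage to a constructed set of OpenSSH auth.log lines (FreeBSD-style syslog prefix; hostname, user names and the RFC 5737 documentation-range IPs are all invented): count failed logins per source, flag sources at or above a "3 times and you're out" threshold, then answer the question that matters, whether any flagged source also has an Accepted line. It also pulls every attempt against a single account, which is the check the original poster wanted for the departed employee's user ID.

```python
import re
from collections import Counter

# Constructed sample of OpenSSH auth.log lines (FreeBSD-style syslog prefix).
# Addresses are RFC 5737 documentation ranges; none of this is real log data.
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:01 gw sshd[4410]: Failed password for invalid user admin from 203.0.113.45 port 50122 ssh2
Mar  3 02:14:03 gw sshd[4410]: Failed password for invalid user admin from 203.0.113.45 port 50122 ssh2
Mar  3 02:14:06 gw sshd[4412]: Failed password for root from 203.0.113.45 port 50130 ssh2
Mar  3 02:14:09 gw sshd[4414]: Failed password for jsmith from 203.0.113.45 port 50131 ssh2
Mar  3 02:14:12 gw sshd[4416]: Accepted password for jsmith from 203.0.113.45 port 50140 ssh2
Mar  3 07:30:15 gw sshd[5120]: Accepted publickey for dan from 198.51.100.7 port 41022 ssh2
Mar  3 09:02:44 gw sshd[5301]: Failed password for dan from 198.51.100.7 port 41030 ssh2
Mar  3 09:02:50 gw sshd[5301]: Accepted publickey for dan from 198.51.100.7 port 41030 ssh2
Mar  3 11:45:00 gw sshd[5555]: Invalid user oracle from 192.0.2.88 port 33001
Mar  3 11:45:02 gw sshd[5555]: Failed password for invalid user oracle from 192.0.2.88 port 33001 ssh2
"""

# Matches both "Accepted <method> for <user> from <ip>" and
# "Failed <method> for [invalid user] <user> from <ip>". Bare "Invalid user" lines
# are deliberately ignored: the following "Failed password for invalid user" line
# records the same attempt, and counting both would double it.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text):
    """Turn auth.log text into a list of login events (dicts)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({
                "ok": m["result"] == "Accepted",
                "method": m["method"],
                "user": m["user"],
                "invalid_user": bool(m["invalid"]),
                "ip": m["ip"],
            })
    return events


def failures_by_ip(events):
    """Failed-login count per source address."""
    return Counter(e["ip"] for e in events if not e["ok"])


def brute_force_sources(events, threshold=3):
    """Sources at or above `threshold` failures: the '3 times and you're out' list."""
    return {ip: n for ip, n in failures_by_ip(events).items() if n >= threshold}


def successes_from(events, ips):
    """Did any of the flagged sources actually get in? Returns (ip, user, method)."""
    return [(e["ip"], e["user"], e["method"])
            for e in events if e["ok"] and e["ip"] in ips]


def attempts_for_user(events, user):
    """Every attempt against one account, e.g. a departed employee's ID: (ip, succeeded)."""
    return [(e["ip"], e["ok"]) for e in events if e["user"] == user]


def triage(text, threshold=3):
    """Full pass: who hammered us, and did any of them succeed."""
    events = parse_auth_log(text)
    flagged = brute_force_sources(events, threshold)
    return {"flagged": flagged, "got_in": successes_from(events, flagged)}


if __name__ == "__main__":
    report = triage(SAMPLE_AUTH_LOG)
    for ip, n in sorted(report["flagged"].items()):
        print(f"{ip}: {n} failed logins")
    for ip, user, method in report["got_in"]:
        print(f"SUCCESSFUL LOGIN from flagged source {ip} as {user} via {method}")
    for ip, ok in attempts_for_user(parse_auth_log(SAMPLE_AUTH_LOG), "jsmith"):
        print(f"jsmith from {ip}: {'accepted' if ok else 'failed'}")
```

In the sample, 203.0.113.45 fails four times and then gets in as jsmith with a password, which is exactly the case where "no successful login" would have been the wrong conclusion from counting failures alone; dan's one failure from his own address stays below the threshold. Feeding the flagged addresses to a firewall table (as Dan does with pf) and keeping the daily counts in a database are the next steps the thread describes.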

I can't modify our firewall like that.

by dbell In reply to I'm using PF firewall whi ...

We have a Cisco PIX firewall that is maintained by an outside company. I've never had formal training on firewall config, so I feel more comfortable leaving this in their hands. From what they've told me there's no logging on this model, so I'm out of luck there, but a good suggestion nonetheless.

totally understand

by DanLM In reply to I can't modify our firewa ...

This is my home machine and is set up completely how I want it. You have a Cisco firewall, which I believe is hardware. That's much better. What I described is like me running Norton on my windows machine. It's all software. I just have more control over it, that's all.

Dan
