  • #2252480

    Intruder Alert How to investigate possible hacking.

    Locked

    by dbell ·

    I was scanning through the RAS logs and I saw an attempt to log on by a user who is no longer with the company. I talked to the person whose user ID it was and she says that it wasn’t her; furthermore, doing a WHOIS on the IP address shows that it is coming from out of state. I was wondering how I can investigate to see if my system was compromised and if I should report these failed logon attempts to the authorities? Any suggestions would be appreciated.

All Comments

    • #2492471

      I am unfamiliar with the RAS log BUT

      by danlm ·

      In reply to Intruder Alert How to investigate possible hacking.

      I have issues with people trying to ssh into my home machine all the time. What I look for, after I firewall the pricks, is: was a successful login made? With that I have the IP address of the login.

      Won’t the RAS show you the same? I.e., if an actual successful login occurred with that user ID?

      dan

      • #2490911

        No Successful Login

        by dbell ·

        In reply to I am unfamiliar with the RAS log BUT

        I don’t see a successful login by that ID. I do have the IP address from the remote access logs. Whois says it’s owned by rr.com somewhere in Virginia. Should I report this to them?

        • #2490907

          Hell yea, probably won’t do any good BUT

          by danlm ·

          In reply to No Successful Login

          I get slammed constantly on my home machine for brute force attempts at ssh. The only time I contact the people is when the IP is based in the United States. And then I provide a copy of the log to back up what I am notifying them of. I always contact their abuse email…

          Unfortunately, I have only ever had one company get back to me… But I’ll be damned if I’ll make it easy on people like that. You’ve gone to this much trouble trying to ensure you’re OK; what’s one step more to possibly make life miserable for the twit that did this.

          Dan

        • #2507530

          rr eh? They dinged me too

          by marathoner ·

          In reply to No Successful Login

          I had IP addys from rr hammering on me too.
          Luckily they only annoyed us, didn’t really hurt anything.

    • #2490899

      Ideally, you should have a business process in place

      by neon samurai ·

      In reply to Intruder Alert How to investigate possible hacking.

      The previous posts covered question 1: did they actually get in? You should have some standard idea of steps to follow: check logs for a successful login, where did the intruder go and what did they touch, how did they get in and how can it be corrected.

      Ideally, if this is a business, you should have a standard investigation and documentation process set up. It’s more responsible for a business to say “someone almost got through, here’s what we did to be proactive for next time.” Local law should be notified and the remote ISP notified in case the user is a known troublemaker. Even if you’re going to take the older way of thinking and skip notifying the public or law, document everything and adjust your security settings accordingly. It would also be worth contacting the Hacker Profiling project (sorry, no website link) as they are compiling a database of such attempts.

      In a home setting, it’s more your call. Was the breach big enough to warrant law enforcement? Was it large enough or repeated frequently enough to warrant notifying the registered owner of the IP address or their ISP? Are you better off simply adjusting your security to cover the now discovered hole?

      I had someone banging on my FTP server; in that case, it was more fun to turn my security apps back at them. I always did wonder what the look on their face was when they realized they got profiled by the mark (win2k box in North Korea according to my trace).

      • #2507066

        You’re correct, if this is a business… Established procedures

        by danlm ·

        In reply to Ideally, you should have a business process in place

        My experience has been with my home server (FreeBSD); I get attempts every day. They no longer can do brute force attacks because of firewall settings and personal scripts I wrote. Three times and you’re out. If I firewall myself from work, I wait till I get home and remove it.

        But even as a home user I have established procedures: automatic checking of my logs daily, listing off attempts, together with whois information. Hell, I can tell you how many times a specific IP has tried over a period of time.

        If it happened once, it’s going to happen again. Lessons learned, be prepared so you can followup quickly.

        Dan

      • #2506847

        What Software Are You Using?

        by ctmcswain ·

        In reply to Ideally, you should have a business process in place

        What kind of Security App are you using on your personal box? If you don’t mind me asking.

        • #2506742

          I’m using PF firewall which has throttle support

          by danlm ·

          In reply to What Software Are You Using?

          The OS is FreeBSD 6.1, and they ported over a later version of the PF packet filter from OpenBSD. PF has throttle support.

          # Table and block rule added so the rules below work as posted; the table
          # name <bruteforce> is assumed, since the forum stripped the angle-bracketed
          # name that must follow "overload".
          table <bruteforce> persist
          block in quick from <bruteforce>

          pass in on $intf_in proto tcp to $intf_in port ssh flags S/SA keep state \
              (max-src-conn 10, max-src-conn-rate 5/20, overload <bruteforce> flush global)
          pass in on $intf_in proto tcp to $intf_in port ftp flags S/SA keep state \
              (max-src-conn 5, max-src-conn-rate 5/20, overload <bruteforce> flush global)

          Those two lines in my pf.conf will stop most brute force attacks. More than 5 login attempts in 20 seconds from the same IP is firewalled.

          I then wrote a shell script to parse my auth.log, and firewall stuff identified in that. I have a Perl script that looks through my ftp log looking for these twits. These scripts get run every two minutes.

          At the end of the day, I update a MySQL db I built for analysis purposes.

          Other than the pf firewall, everything is home grown. I get slammed, this is no lie. I had 3 email notifications yesterday that brute force attempts were attempted against my ftp. This is the norm, no word of a lie.

          Dan
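As an added illustration of the log-parsing step danlm describes (this is not his script), the function below counts failed sshd password attempts per source IP in an OpenSSH-style auth.log and lists the addresses at or above a "three strikes" threshold, then turns them into pfctl commands for an assumed PF table named bruteforce. The log lines are constructed sample data.

```shell
#!/bin/sh
# Added example, not the poster's own code. Assumes OpenSSH "Failed password for ... from <ip>"
# log lines and a PF table <bruteforce> (assumed name) that a block rule references.

# Constructed sample auth.log: one source fails four times, another fails once then succeeds.
SAMPLE_LOG=$(cat <<'EOF'
Jan 12 03:14:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 12 03:14:03 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Jan 12 03:14:05 host sshd[1002]: Failed password for root from 203.0.113.7 port 51244 ssh2
Jan 12 03:14:09 host sshd[1003]: Failed password for dan from 198.51.100.20 port 40000 ssh2
Jan 12 03:15:00 host sshd[1004]: Accepted publickey for dan from 198.51.100.20 port 40010 ssh2
Jan 12 03:16:00 host sshd[1005]: Failed password for invalid user test from 203.0.113.7 port 51300 ssh2
EOF
)

# offenders THRESHOLD  (reads a log on stdin)
# Prints "count ip", highest count first, for every IP with >= THRESHOLD failed passwords.
offenders() {
    awk -v t="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the token after "from" is the client address
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= t) print fails[ip], ip }
    ' | sort -rn
}

# block_commands THRESHOLD  (reads a log on stdin)
# Emits the pfctl invocations that would add each offender to the <bruteforce> table.
# They are printed, not executed, so the script is safe to run anywhere.
block_commands() {
    offenders "$1" | awk '{ print "pfctl -t bruteforce -T add " $2 }'
}

# Example run against the constructed log with the "3 times and you're out" rule.
printf '%s\n' "$SAMPLE_LOG" | block_commands 3
```

In a real deployment the output would be piped to sh from a cron job, and the same counts can be appended to the daily database danlm mentions.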

        • #2508096

          I can’t modify our firewall like that.

          by dbell ·

          In reply to I’m using PF firewall which has throttle support

          We have a Cisco Pix firewall that is maintained by an outside company. I’ve never had formal training on firewall config so I feel more comfortable leaving this in their hands. From what they’ve told me there’s no logging on this model so I’m out of luck there, but a good suggestion nonetheless.

        • #2508077

          totally understand

          by danlm ·

          In reply to I can’t modify our firewall like that.

          This is my home machine and is set up completely how I want it. You have a Cisco firewall, which I believe is hardware. That’s much better. What I described is like me running Norton on my windows machine. It’s all software. I just have more control over it, that’s all.

          Dan

    • #2507035

      and an ESM

      by dr dij ·

      In reply to Intruder Alert How to investigate possible hacking.

      Security mgmt software reads the logs and filters out false positives generally, and shows relations between events you might not realize were connected;

      it can start incidents and collect all info; they can either shut out the intruder or ask you if you want to.

      And others are right, procedures should be set up.

      If you’re too small a company, there are managed providers who will monitor.

    • #2506906

      Report before you take action

      by sridhar.jayaraman ·

      In reply to Intruder Alert How to investigate possible hacking.

      Do not investigate without reporting it. File a report with your senior management and if you have a corporate policy in place, this will be passed on to the authorities. There have been many cases where sys admins have investigated and later the evidence failed to stand up in court since the “state of the system has been altered” and “it is no longer possible to vouch for the integrity of the system”, whatever that means.

      But if you need to raise hell to get this reported, do so.

    • #2506834

      Proper Procedures

      by frvr ·

      In reply to Intruder Alert How to investigate possible hacking.

      Whether this is a business or home use, the proper procedure for you to follow is as listed: 1) notify the abuse address of the ISP with proper documentation of IP address and logs. 2) notify the abuse address that you will be filing a report with both your local authorities and state attorney general. 3) file reports with both your local and state authorities. Since this action originated in Virginia, past experiences that I have had resulted in immediate investigations, especially by the ISP, who does not want the “bad” publicity and/or legal actions taken against them. One thing to remember is that although the attack originated in Virginia, this computer might have been compromised and used as a zombie for an attack occurring outside the United States. This is why it is imperative that you take these necessary steps, so that all involved can trace the original attempt, and if based in the United States, take appropriate legal action (not necessarily on your part; this might be done by the ISP in compliance with government regulations).

      • #2508099

        I’ve notified the ISP

        by dbell ·

        In reply to Proper Procedures

        I sent an email to the ISP reporting the attempted access, I still haven’t received a reply yet. We have gotten a lot of directory harvesting spam from this particular ISP so I suspect that this is how they got the username. All of the other entries in the RAS log look legitimate. I will be contacting the authorities shortly. Thanks for all the helpful advice everyone.

    • #2508004

      CONTACT LAW ENFORCEMENT

      by balthor ·

      In reply to Intruder Alert How to investigate possible hacking.

      You never know you might be seeing the Gestapo or Cosa Nostra.

    • #2507537

      Come on

      by stimpi ·

      In reply to Intruder Alert How to investigate possible hacking.

      Disable RAS in services

      change reg policies to null

      Port scan yourself, stuff like that

      If I had an IP I could find the weakness

      J

    • #2507330

      Don’t be silly…

      by packetracer ·

      In reply to Intruder Alert How to investigate possible hacking.

      Contacting the authorities will do nothing for you. It used to be that they won’t move a finger unless you have suffered at least $5,000 in damage. That may have changed, but… Either way you have to be certain that you’ve been broken into before you’ll get any help from the authorities.

      You’re better off contacting a security company (maybe you have one that you already work with?). They will help you figure out if your servers have been compromised… and will help you prevent a future security problem.

      As far as the login attempts, there are a few things here that you should have done to mitigate any issues:

      1) The user’s account should have been disabled as soon as she left the company. You did do that, right?

      2) Your RAS server is patched with the latest patches, right?

      3) Going back in time through the RAS logs. Ideally you kept at least a month’s worth of your RAS logs. Not many people do that, but if you had the foresight to do that, you can go back to see when the attempts started. They could have been happening while the employee was still with the company.

      4) Firewall logs – all models of the Cisco PIX have logging! You will need to setup a syslog server to start receiving the logs from the PIX.

      5) Make sure that your employees pick secure passwords and change them once every few months. Can be done through Group Policy. You can also run free cracking tools to check the strength of current passwords.

      6) If possible try to figure out how the ex-employee’s user name/password was stolen. Did she always login remotely from her own computer? Let her know that she may have malware/a keylogger running on her computer.

      Hope that helps!

      • #2508775

        You’re right

        by dbell ·

        In reply to Don’t be silly…

        1. The user was disabled the day she left and permanently deleted a few months later.

        2. According to the Microsoft Baseline security analyser all the patches are current.

        3. We don’t have that much history, but that was the only attempt I see in the last month.

        4. I will have to have a word with our firewall consultant about that.

        5. The group policies have always been enabled with password length and complexity requirements. I haven’t tried any password crackers.

        6. I suspect that the hacker got her name from a website or from directory harvesting spam but I can’t be sure. No other suspicious attempts have been made to access RAS under any username.

        You’re right about the authorities, they weren’t very interested.

    • #2506678

      Mystery Solved

      by dbell ·

      In reply to Intruder Alert How to investigate possible hacking.

      I got another call from the user whose name was used. She said that she gave an old laptop to a friend and it still had the VPN connection set up on it. We have her old business laptop, but apparently she had a personal laptop that she also used to connect to the system. She says that she deleted all the company documents from that system, but didn’t delete the VPN from network connections. She assures me that this has been done now. It seems like we need better sanitization procedures in place for situations like this, but this resolution is preferable to unknown hackers attempting to break in. Thanks for all the help and advice. I have a much better idea what to do next time I see suspicious activity.
