January 22, 2007 at 8:38 am #2252480
Intruder Alert How to investigate possible hacking.
by dbell · about 17 years, 2 months ago
I was scanning through the RAS logs and I saw an attempt to logon by a user who is no longer with the company. I talked to the person whose user ID it was and she says that it wasn’t her; furthermore, doing a WHOIS on the IP address shows that it is coming from out of state. I was wondering how I can investigate to see if my system was compromised and if I should report these failed logon attempts to the authorities? Any suggestions would be appreciated.
-
January 22, 2007 at 9:48 am #2492471
I am unfamiliar with the RAS log BUT
by danlm · about 17 years, 2 months ago
In reply to Intruder Alert How to investigate possible hacking.
I have issues with people trying to ssh into my home machine all the time. What I look for, after I firewall the pricks, is: was a successful login made? With that I have the IP address of the login.
Won’t the RAS show you the same? I.e., if an actual successful login occurred with that user ID???
dan
-
January 24, 2007 at 10:40 am #2490911
No Successful Login
by dbell · about 17 years, 2 months ago
In reply to I am unfamiliar with the RAS log BUT
I don’t see a successful login by that ID. I do have the IP address from the remote access logs. Whois says it’s owned by rr.com somewhere in Virginia. Should I report this to them?
-
January 24, 2007 at 10:51 am #2490907
Hell yea, probably won’t do any good BUT
by danlm · about 17 years, 2 months ago
In reply to No Sucessful Login
I get slammed constantly on my home machine with brute force attempts at ssh. The only time I contact the people is when the IP is based in the United States. And then I provide a copy of the log to back up what I am notifying them of. I always contact their abuse email…
Unfortunately, I have only ever had one company get back to me. But, I’ll be damned if I’ll make it easy on people like that. You’ve gone to this much trouble trying to ensure you’re OK; what’s one step more to possibly make life miserable for the twit that did this.
Dan
-
January 27, 2007 at 8:54 am #2507530
rr eh? They dinged me too
by marathoner · about 17 years, 2 months ago
In reply to No Sucessful Login
I had IP addresses from rr hammering on me too.
Luckily they only annoyed us, didn’t really hurt anything.
-
January 24, 2007 at 11:03 am #2490899
Ideally, you should have a business process in place
by neon samurai · about 17 years, 2 months ago
In reply to Intruder Alert How to investigate possible hacking.
The previous posts covered question 1: did they actually get in? You should have some standard idea of steps to follow: check logs for a successful login, where did the intruder go and what did they touch, how did they get in and how can it be corrected.
Ideally, if this is a business, you should have a standard investigation and documentation process set up. It’s more responsible for a business to say “someone almost got through, here’s what we did to be proactive for next time.” Local law should be notified and the remote ISP notified in case the user is a known troublemaker. Even if you’re going to take the older way of thinking and skip notifying the public or law, document everything and adjust your security settings accordingly. It would also be worth contacting the Hacker Profiling project (sorry, no website link) as they are compiling a database of such attempts.
In a home setting, it’s more your call. Was the breach big enough to warrant law enforcement? Was it large enough or repeated frequently enough to warrant notifying the registered owner of the IP address or their ISP? Are you better to simply adjust your security to cover the now discovered hole?
I had someone banging on my FTP server; in that case, it was more fun to turn my security apps back at them. I always did wonder what the look on their face was when they realized they got profiled by the mark (win2k box in North Korea according to my trace).
-
January 24, 2007 at 12:30 pm #2507066
You’re correct, if this is a business… Established procedures
by danlm · about 17 years, 2 months ago
In reply to idealy, you should have a business process in place
My experience has been with my home server (FreeBSD); I get attempts every day. They no longer can do brute force attacks because of firewall settings and personal scripts I wrote. 3 times and you’re out. If I firewall myself from work, I wait till I get home and remove it.
But, even as a home user I have established procedures. Automatic checking of my logs daily, listing off attempts. This is with whois information. Hell, I can tell you how many times a specific IP has tried over a period of time.
If it happened once, it’s going to happen again. Lessons learned, be prepared so you can followup quickly.
Dan
-
January 25, 2007 at 5:24 am #2506847
What Software Are You Using?
by ctmcswain · about 17 years, 2 months ago
In reply to idealy, you should have a business process in place
What kind of Security App are you using on your personal box? If you don’t mind me asking.
-
January 25, 2007 at 8:32 am #2506742
I’m using PF firewall which has throttle support
by danlm · about 17 years, 2 months ago
In reply to What Software Are You Using?
The OS is FreeBSD 6.1, and they ported over a later version of the PF packet filter from OpenBSD. PF has throttle support.
    # <bruteforce> is an assumed table name: the original name was lost when the
    # page's HTML stripped the angle brackets out of "overload <...> flush global"
    table <bruteforce> persist
    block in quick from <bruteforce>
    pass in on $intf_in proto tcp to $intf_in port ssh flags S/SA keep state \
        (max-src-conn 10, max-src-conn-rate 5/20, overload <bruteforce> flush global)
    pass in on $intf_in proto tcp to $intf_in port ftp flags S/SA keep state \
        (max-src-conn 5, max-src-conn-rate 5/20, overload <bruteforce> flush global)
Those two lines in my pf.conf will stop most brute force attacks. More than 5 login attempts in 20 seconds from the same IP is firewalled.
I then wrote a shell script to parse my auth.log, and firewall stuff identified in that. I have a Perl script that looks through my ftp log looking for these twits. These scripts get run every two minutes.
At the end of the day, I update a MySQL db I built for analysis purposes.
Other than the pf firewall, everything is home grown. I get slammed, this is no lie. I had 3 email notifications yesterday that brute force attempts were made against my ftp. This is the norm, no word of a lie.
Dan
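An added example, not danlm’s own shell and Perl scripts (which he did not post): a Python pass over sshd lines in a FreeBSD-style auth.log that answers the first question raised in the thread (did the suspect ID ever actually get in?), applies both his count rule (“3 times and you’re out”) and a sliding-window rate rule shaped like pf’s max-src-conn-rate 5/20, and emits the pfctl commands that would add offenders to a pf table. The log lines are constructed, the year is supplied because syslog timestamps omit it, and the table name bruteforce is an assumption; `pfctl -t <table> -T add <addr>` is the real pfctl(8) syntax for adding an address to a table.

```python
"""Parse sshd lines from a FreeBSD-style auth.log, answer "did anyone get in?",
find brute-force sources, and emit pfctl commands to add them to a pf table.
Added example, not the scripts described in the thread."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the thread): one fast brute-forcer, one slow
# one, one legitimate user, and a line the parser should ignore.
SAMPLE_AUTH_LOG = """\
Jan 24 10:40:01 bsdbox sshd[1234]: Invalid user admin from 203.0.113.5
Jan 24 10:40:03 bsdbox sshd[1236]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Jan 24 10:40:05 bsdbox sshd[1238]: Failed password for root from 203.0.113.5 port 51030 ssh2
Jan 24 10:40:08 bsdbox sshd[1240]: Failed password for root from 203.0.113.5 port 51040 ssh2
Jan 24 10:40:10 bsdbox sshd[1242]: Failed password for root from 203.0.113.5 port 51048 ssh2
Jan 24 10:40:12 bsdbox sshd[1244]: Failed password for root from 203.0.113.5 port 51052 ssh2
Jan 24 10:40:12 bsdbox sshd[1244]: Connection closed by 203.0.113.5
Jan 24 10:40:30 bsdbox sshd[1246]: Failed password for dan from 198.51.100.7 port 40022 ssh2
Jan 24 10:41:02 bsdbox sshd[1248]: Accepted publickey for dan from 198.51.100.7 port 40030 ssh2
Jan 24 11:15:44 bsdbox sshd[1250]: Failed password for invalid user jsmith from 192.0.2.9 port 2200 ssh2
Jan 24 11:16:50 bsdbox sshd[1252]: Failed password for invalid user jsmith from 192.0.2.9 port 2208 ssh2
Jan 24 11:18:01 bsdbox sshd[1254]: Failed password for invalid user jsmith from 192.0.2.9 port 2214 ssh2
"""

# Matches the three sshd message shapes we care about; everything else is skipped.
EVENT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:(?P<fail>Failed \w+ for (?:invalid user )?)"
    r"|(?P<ok>Accepted \w+ for )"
    r"|(?P<inv>Invalid user ))"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_auth_log(text, year=2007):
    """Return one event dict per login-related sshd line.
    syslog timestamps carry no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        kind = "accepted" if m.group("ok") else "invalid" if m.group("inv") else "failed"
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "kind": kind, "user": m.group("user"), "ip": m.group("ip")})
    return events


def successful_logins(events, user=None):
    """The thread's first question: did the suspect ID (or anyone) actually get in?"""
    return [e for e in events if e["kind"] == "accepted" and (user is None or e["user"] == user)]


def offenders(events, threshold=3):
    """Count rule ("3 times and you're out"): failed passwords per source IP.
    'Invalid user' lines are not counted, since sshd logs a 'Failed' line for them too."""
    counts = defaultdict(int)
    for e in events:
        if e["kind"] == "failed":
            counts[e["ip"]] += 1
    return {ip: n for ip, n in sorted(counts.items()) if n >= threshold}


def rate_offenders(events, limit=5, window_s=20):
    """Sliding-window rule mirroring pf's max-src-conn-rate 5/20, applied to failed
    logins rather than TCP connections. A slow attacker spreading attempts over
    minutes passes this check and is caught only by offenders()."""
    by_ip = defaultdict(list)
    for e in events:
        if e["kind"] == "failed":
            by_ip[e["ip"]].append(e["ts"])
    hits = []
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= limit:
                hits.append(ip)
                break
    return sorted(hits)


def pfctl_commands(ips, table="bruteforce"):
    """pfctl(8) invocations adding each IP to a pf table. 'bruteforce' is an assumed
    name; it must match a 'table <bruteforce> persist' and a block rule in pf.conf."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]


if __name__ == "__main__":
    ev = parse_auth_log(SAMPLE_AUTH_LOG)
    print("successful logins:", [(e["user"], e["ip"]) for e in successful_logins(ev)])
    print("count offenders:", offenders(ev))
    print("rate offenders:", rate_offenders(ev))
    for cmd in pfctl_commands(offenders(ev)):
        print(cmd)
```

On the constructed sample the rate rule flags only the fast source (five failures in nine seconds), while the count rule also flags the slow one that spaced three bad passwords over two minutes, which is the gap a log-parsing script closes behind a connection-rate limit. Run from cron every couple of minutes, as the post describes, and feed the commands to a table that a `block in quick from <bruteforce>` rule references.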
-
January 25, 2007 at 10:40 am #2508096
I can’t modify our firewall like that.
by dbell · about 17 years, 2 months ago
In reply to I’m using PF firewall which has throttle support
We have a Cisco Pix firewall that is maintained by an outside company. I’ve never had formal training on firewall config so I feel more comfortable leaving this in their hands. From what they’ve told me there’s no logging on this model, so I’m out of luck there, but a good suggestion nonetheless.
-
January 25, 2007 at 11:33 am #2508077
totally understand
by danlm · about 17 years, 2 months ago
In reply to I can’t modify our firewall like that.
This is my home machine and is set up completely how I want it. You have a Cisco firewall, which I believe is hardware. That’s much better. What I described is like me running Norton on my windows machine. It’s all software. I just have more control over it, that’s all.
Dan
-
January 24, 2007 at 2:21 pm #2507035
and an ESM
by dr dij · about 17 years, 2 months ago
In reply to Intruder Alert How to investigate possible hacking.
Security management software reads the logs and generally filters out false positives, and shows relations between events you might not realize were connected.
It can start incidents and collect all info; it can either shut out the intruder or ask you if you want to.
And others are right, procedures should be set up.
If you’re too small a company, there are managed providers who will monitor.
-
January 25, 2007 at 1:37 am #2506906
Report before you take action
by sridhar.jayaraman · about 17 years, 2 months ago
In reply to Intruder Alert How to investigate possible hacking.
Do not investigate without reporting it. File a report with your senior management and, if you have a corporate policy in place, this will be passed on to the authorities. There have been many cases where sys admins have investigated and later the evidence failed to stand up in court since the “state of the system has been altered” and “it is no longer possible to vouch for the integrity of the system”, whatever that means.
But if you need to raise hell to get this reported, do so.
-
January 25, 2007 at 5:54 am #2506834
Proper Procedures
by frvr · about 17 years, 2 months ago
In reply to Intruder Alert How to investigate possible hacking.
Whether this is a business or home use, the proper procedure for you to follow is as listed: 1) notify the abuse address of the ISP with proper documentation of the IP address and logs. 2) notify the abuse address that you will be filing a report with both your local authorities and state attorney general. 3) file reports with both your local and state authorities. Since this action originated in Virginia, past experiences that I have had resulted in immediate investigations, especially by the ISP, who does not want the “bad” publicity and/or legal actions taken against them. One thing to remember is that although the attack originated in Virginia, this computer might have been compromised and used as a zombie for an attack occurring outside the United States. This is why it is imperative that you take these necessary steps, so that all involved can trace the original attempt, and if based in the United States, take appropriate legal action (not necessarily on your part; this might be done by the ISP in compliance with government regulations).
-
January 25, 2007 at 10:34 am #2508099
I’ve notified the ISP
by dbell · about 17 years, 2 months ago
In reply to Proper Proceduers
I sent an email to the ISP reporting the attempted access, I still haven’t received a reply yet. We have gotten a lot of directory harvesting spam from this particular ISP so I suspect that this is how they got the username. All of the other entries in the RAS log look legitimate. I will be contacting the authorities shortly. Thanks for all the helpful advice everyone.
-
January 25, 2007 at 3:08 pm #2508004
CONTACT LAW ENFORCEMENT
by balthor · about 17 years, 2 months ago
In reply to Intruder Alert How to investigate possible hacking.
You never know you might be seeing the Gestapo or Cosa Nostra.
-
January 27, 2007 at 8:15 am #2507537
Come on
by stimpi · about 17 years, 2 months ago
In reply to Intruder Alert How to investigate possible hacking.
Disable RAS in services
change reg policies to null
Port scan yourself, stuff like that
If I had an IP I could find the weakness
J
-
January 28, 2007 at 4:32 am #2507330
Don’t be silly…
by packetracer · about 17 years, 2 months ago
In reply to Intruder Alert How to investigate possible hacking.
Contacting the authorities will do nothing for you. It used to be that they wouldn’t move a finger unless you had suffered at least $5,000 in damage. That may have changed, but… Either way you have to be certain that you’ve been broken into before you’ll get any help from the authorities.
You’re better off contacting a security company (maybe you have one that you already work with?). They will help you figure out if your servers have been compromised… and will help you prevent a future security problem.
As far as the login attempts, there are a few things here that you should have done to mitigate any issues:
1) The user’s account should have been disabled as soon as she left the company. You did do that, right?
2) Your RAS server is patched with the latest patches, right?
3) Going back in time through the RAS logs. Ideally you kept at least a month’s worth of your RAS logs. Not many people do that, but if you had the foresight to do that, you can go back to see when the attempts started. They could have been happening while the employee was still with the company.
4) Firewall logs – all models of the Cisco PIX have logging! You will need to setup a syslog server to start receiving the logs from the PIX.
5) Make sure that your employees pick secure passwords and change them once every few months. Can be done through Group Policy. You can also run free cracking tools to check the strength of current passwords.
6) If possible, try to figure out how the ex-employee’s user name/password was stolen. Did she always log in remotely from her own computer? Let her know that she may have malware/a keylogger running on her computer.
Hope that helps!
-
January 29, 2007 at 2:07 pm #2508775
You’re right
by dbell · about 17 years, 2 months ago
In reply to Don’t be silly…
1. The user was disabled the day she left and permanently deleted a few months later.
2. According to the Microsoft Baseline Security Analyzer all the patches are current.
3. We don’t have that much history, but that was the only attempt I see in the last month.
4. I will have to have a word with our firewall consultant about that.
5. The group policies have always been enabled with password length and complexity requirements. I haven’t tried any password crackers.
6. I suspect that the hacker got her name from a website or from directory harvesting spam but I can’t be sure. No other suspicious attempts have been made to access RAS under any username.
You’re right about the authorities, they weren’t very interested.
-
January 31, 2007 at 11:38 am #2506678
Mystery Solved
by dbell · about 17 years, 2 months ago
In reply to Intruder Alert How to investigate possible hacking.
I got another call from the user whose name was used. She said that she gave an old laptop to a friend and it still had the VPN connection set up on it. We have her old business laptop, but apparently she had a personal laptop that she also used to connect to the system. She says that she deleted all the company documents from that system but didn’t delete the VPN from network connections. She assures me that this has been done now. It seems like we need better sanitization procedures in place for situations like this, but this resolution is preferable to unknown hackers attempting to break in. Thanks for all the help and advice. I have a much better idea what to do next time I see suspicious activity.
-