It was bound to happen - suspected hack

Dustin Decker dustin.decker at 1on1security.com
Thu Oct 21 11:17:44 CDT 2004


> -----Original Message-----
> From: kclug-bounces at kclug.org [mailto:kclug-bounces at kclug.org] On Behalf
> Of Brian Kelsay
> Sent: Thursday, October 21, 2004 10:58 AM
> To: kclug at kclug.org
> Subject: Re: It was bound to happen - suspected hack
> 
> Block the IPs of the attackers specifically in your iptables rules.  Make
> sure the users that they attempted to log on w/ are disabled, password
> changed or non-real users.  Change root password.  It looks like you are
> already working to allow only your IP to ssh, that's good.  Check the
> other boxes and see if they have been compromised.  You should also
> contact the ISP they are coming from and inform them of the break-in if
> they did in fact get into your server.
> 
> This is where a separate logging firewall w/ snort would help you.  You
> could see how many and what kind of attack attempts were made before they
> got in.

Amen to that.  And if you wind up in court, it's pretty handy for an expert
witness to be able to point to the actual packets themselves.  I log and
archive the entire data stream in/out of my network for this and other
purposes.

My primary purpose is to be able to replay data for analysis.  This could be
to facilitate troubleshooting, but that's rare.  More often than not, I want
to "see what really happened" on the wire.  The second good reason for this
(Nimda/Code Red started me down this road) is the ability to replay the
network stream through an alternate Snort configuration, with new signatures
in place.  This way, when a zero-day monster occurs, I can go back as far as
I like to look for the attack once I have a good signature in place.

Dustin
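The capture-and-replay workflow described above, written out as an added example that is not part of the original thread: a sh script that archives the wire with tcpdump into hourly date-stamped files and later replays every capture from a chosen date onward through an alternate Snort configuration. The directory paths, the file-name pattern and the name snort-replay.conf are assumptions, not details from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed layout: tcpdump rotates
# full-packet captures into $ARCHIVE_DIR/pcap-YYYYMMDD-HHMM.pcap and an
# alternate Snort config with the new signatures lives at $SNORT_CONF.
ARCHIVE_DIR="${ARCHIVE_DIR:-/var/log/pcap-archive}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort-replay.conf}"
LOG_DIR="${LOG_DIR:-/var/log/snort-replay}"

# Continuous capture of the whole stream: -s 0 keeps full packets, -G 3600
# rotates every hour, and the strftime pattern in -w date-stamps each file.
start_capture() {
    iface="$1"
    mkdir -p "$ARCHIVE_DIR"
    tcpdump -n -i "$iface" -s 0 -G 3600 \
        -w "$ARCHIVE_DIR/pcap-%Y%m%d-%H%M.pcap" &
}

# Print the archived captures whose date stamp is on or after $1 (YYYYMMDD).
# The stamp is an 8-digit number, so a numeric compare picks the range.
pcaps_since() {
    since="$1"
    for f in "$ARCHIVE_DIR"/pcap-*.pcap; do
        [ -e "$f" ] || continue
        stamp=$(basename "$f" | cut -d- -f2)
        [ "$stamp" -lt "$since" ] && continue
        echo "$f"
    done
}

# Replay each selected capture through Snort with the alternate rule set:
# -r reads a pcap instead of an interface, -c selects the config, -l sets
# the alert/log directory, -q suppresses the banner and statistics.
replay_since() {
    since="$1"
    mkdir -p "$LOG_DIR"
    pcaps_since "$since" | while IFS= read -r f; do
        snort -q -r "$f" -c "$SNORT_CONF" -l "$LOG_DIR" || exit 1
    done
}
```

Once a signature for a newly disclosed attack is in snort-replay.conf, `replay_since 20041001` walks every hourly capture from that date forward and leaves any hits in the replay log directory.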
