"ward, bryan" wrote:
> 
> Can anyone help me with this problem? Someone has run a portscan program
> and a brute force tool against one of my servers. I traced the intruder back
> to a dns server in Mexico. I called the company in Mexico and the admin
> there was very grateful that I had alerted him but he did not have a clue on
> how to stop it. He told me the DNS server was NT. So I would appreciate any
> help on this as I believe I have done all I can. Please correct me if I am
> wrong.

Point them to:
http://www.geek-speak.net/products/ntaudit1.html

The actual tools can be found here:
http://www.ntobjectives.com/

This will get them started. Job #1 for them should be to figure out
where the attacker is coming at their system from and what has been done
to the machine. If security logging has not been enabled, they should
turn it on ASAP!

A "netstat -a |more" would also be useful to find out if there are any
trojan ports listening. I'm sure by now the attacker has a back way in.
If he can luck out and catch the attacker while they are connected, he
can trace the next hop back. I would even consider setting up an ACL on
the local router to log all traffic to this server to a remote syslogd
system. That way you are not relying on a compromised system for all
your data.

In parallel, tell them to build up a new DNS server. That way they can
swap in a clean box once the intruder has been identified. I would also
strongly suggest an audit of all other systems in their domain. If the
attacker broke into one NT box, chances are they have access to others
as well.

Happy hunting!
Chris
-- 
**************************************
[EMAIL PROTECTED]

* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
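One way to turn the "netstat -a" check suggested above into a repeatable comparison against a known-good baseline, as an added example that is not part of the original post. The netstat output it parses is constructed to look like NT's "netstat -an", and the baseline of expected ports (TCP/UDP 53 for DNS, TCP 135 for the NT RPC endpoint mapper) is an assumption for a box whose only job is DNS; adjust it to what the server is actually supposed to run.

```python
"""Flag unexpected listening ports and live connections in Windows netstat output.

Added example, not code from the original mailing-list post. SAMPLE_NETSTAT
is constructed and BASELINE is an assumed port list for a dedicated DNS server.
"""
import re
from dataclasses import dataclass

# Constructed sample shaped like `netstat -an` on Windows NT (IPv4 only).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.0.2.10:53          198.51.100.7:3412      ESTABLISHED
  TCP    192.0.2.10:12345       203.0.113.44:1054      ESTABLISHED
  UDP    0.0.0.0:53             *:*
"""

# Assumed baseline for a dedicated DNS server: DNS on TCP/UDP 53 and the
# NT RPC endpoint mapper on TCP 135. Anything else listening deserves a look.
BASELINE = {("TCP", 53), ("UDP", 53), ("TCP", 135)}


@dataclass(frozen=True)
class Socket:
    proto: str
    local_addr: str
    local_port: int
    foreign: str
    state: str


# proto, local addr:port, foreign addr:port, optional state (UDP rows have none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Parse netstat rows into Socket records; header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, foreign, state = m.groups()
        # UDP rows carry no state column; a bound UDP socket is effectively a listener.
        if state is None:
            state = "LISTENING"
        sockets.append(Socket(proto, laddr, int(lport), foreign, state))
    return sockets


def unexpected_listeners(sockets, baseline=BASELINE):
    """Listening (proto, port) pairs that are not in the expected baseline."""
    return sorted(
        {(s.proto, s.local_port) for s in sockets
         if s.state == "LISTENING" and (s.proto, s.local_port) not in baseline}
    )


def established_to_unexpected_ports(sockets, baseline=BASELINE):
    """Live connections on a non-baseline local port; the peer is the next hop to trace."""
    return [
        (s.local_port, s.foreign) for s in sockets
        if s.state == "ESTABLISHED" and (s.proto, s.local_port) not in baseline
    ]


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    for proto, port in unexpected_listeners(socks):
        print(f"unexpected listener: {proto}/{port}")
    for port, peer in established_to_unexpected_ports(socks):
        print(f"active connection on port {port} from {peer}")
```

Run it against real output by reading the saved text of "netstat -an" into parse_netstat instead of the constructed sample. The listener report is the part to compare with the host's documented role; the established-connection report is the part to capture (with a timestamp) while a suspicious session is still open, since that remote address is what the router ACL and remote syslog trail described above can be correlated against.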
