[Dshield] Proof of hacker. What do I do?

Ed Truitt ed.truitt at etee2k.net
Mon Aug 26 22:44:47 GMT 2002

First thing is to take the machine off the network.  You may want to make a
backup copy of the disk for "evidence" purposes.

Then, it would be nice to know exactly what you got hit with.  As it is
attacking port 80, I am thinking maybe CRII or Nimda?  Can you identify the
files you are seeing on your system?  Can you provide some names?

You might also want to contact the abuse desk at level3.net
(abuse at level3.net) and give them enough info to allow them to take care of
the IP hacking you.

If you have been Nimda'd, I am afraid that your best bet is to blow off the
system, reformat the drives, reinstall the OS from clean source, APPLY
PATCHES, then try and recover any data you can from known good backup media.
That's pretty well our procedure at the office, because we found that
CRII/Nimda just puts too much crap out there, and if you don't get it all,
it may come back and bite you.

If this is a *nix (or *nix-like) box, could you have been root-kitted?  I
haven't dealt with recovering from a rootkit before, but as I hear that key
system files are no longer trustworthy (if you can't trust "ps", what can
you trust?), then I would guess the same recovery mechanism applies.  Again,
I would make sure that the current security-related patches were in place
before letting that box back on the network.

Of course, you may choose to bring the law-enforcement types in, in which
case I would contact them (after pulling the box off the network) and do
whatever they say.

Hope this helps.  Of course, others may have different opinions. YMMV and
all that good stuff.

----- Original Message -----
From: "Linda" <godawgs47 at ellijay.com>
To: <list at dshield.org>
Sent: Monday, August 26, 2002 9:59 AM
Subject: [Dshield] Proof of hacker. What do I do?

> TCP d2f2t6:nbsession d2f2t6:0 LISTENING
> TCP d2f2t6:2068 d2f2t6:0 LISTENING
> TCP d2f2t6:2070 d2f2t6:0 LISTENING
> TCP d2f2t6:2073 d2f2t6:0 LISTENING
> TCP d2f2t6:2074 d2f2t6:0 LISTENING
> TCP d2f2t6:2068 unknown.level3.net:80 ESTABLISHED
> TCP d2f2t6:2070 unknown.level3.net:80 ESTABLISHED
> TCP d2f2t6:2073 unknown.level3.net:80 ESTABLISHED
> TCP d2f2t6:2074 unknown.level3.net:80 ESTABLISHED
> UDP d2f2t6:nbname *:*
> UDP d2f2t6:nbdatagram *:*
> UDP d2f2t6:1978 *:*
>
> What I did was install TCPVIEW. Then I went into netstat. What I think is
> being stopped at my firewall is not being stopped. They are into dos.
> Here is my event log that corresponds with this.
> 2002/08/24 20:50:05 (unknown.Level3.net)
> Port 1074 (TCP)
> 2002/08/24 20:35:48 (unknown.Level3.net)
> Port 1075 (TCP)
> I didn't get it all copied over because there are 8 entries on the
> in a row.
> There are also large files showing up that I don't know what they are.
> Help!
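
Added example, not part of the original thread: a short Python script that tabulates the netstat listing quoted above into the per-remote-host summary a responder or an abuse desk would ask for. The listing is copied from the quoted message; the names parse and triage are this example's own.

```python
import re
from collections import defaultdict
# Listing copied from the quoted message above, quote markers removed.
NETSTAT = """\
TCP d2f2t6:nbsession d2f2t6:0 LISTENING
TCP d2f2t6:2068 d2f2t6:0 LISTENING
TCP d2f2t6:2070 d2f2t6:0 LISTENING
TCP d2f2t6:2073 d2f2t6:0 LISTENING
TCP d2f2t6:2074 d2f2t6:0 LISTENING
TCP d2f2t6:2068 unknown.level3.net:80 ESTABLISHED
TCP d2f2t6:2070 unknown.level3.net:80 ESTABLISHED
TCP d2f2t6:2073 unknown.level3.net:80 ESTABLISHED
TCP d2f2t6:2074 unknown.level3.net:80 ESTABLISHED
UDP d2f2t6:nbname *:*
UDP d2f2t6:nbdatagram *:*
UDP d2f2t6:1978 *:*
"""
# Fields: proto, local host:port, remote host:port, optional TCP state
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")

def parse(text):
    """Return one dict per socket line; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            proto, _lhost, lport, rhost, rport, state = m.groups()
            rows.append({"proto": proto, "lport": lport, "rhost": rhost,
                         "rport": rport, "state": state or ""})
    return rows

def triage(rows):
    """Group established connections by remote endpoint, then list the rest."""
    established = defaultdict(list)
    for r in rows:
        if r["state"] == "ESTABLISHED":
            established[(r["rhost"], r["rport"])].append(r["lport"])
    in_use = {p for ports in established.values() for p in ports}
    # LISTENING entries whose local port is not one end of an established connection
    listeners = [r["lport"] for r in rows
                 if r["state"] == "LISTENING" and r["lport"] not in in_use]
    udp = [r["lport"] for r in rows if r["proto"] == "UDP"]
    return dict(established), listeners, udp

if __name__ == "__main__":
    est, listeners, udp = triage(parse(NETSTAT))
    for (host, port), lports in est.items():
        print(f"{len(lports)} connection(s) to {host}:{port} from local ports {lports}")
    print("listen-only TCP:", listeners, "| UDP:", udp)
```

Run against a fresh listing saved before the machine is rebuilt, the grouped output separates the local ports tied to the remote host from the ones that are only listening, which is the detail worth keeping with the disk copy.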
