How Should One Respond to a Network Break In?
Jety asks: "I am the sole IT support for a medium-sized residential real estate office. It has a network of one main server, 10 office workstations, and another 40 or so agents' personal computers. I discovered via logs that recently someone made about 50 remote login attempts to the server, guessing at passwords, but it would appear that they were not able to gain access. They did, however, leave an IP address in the logs. It turns out to be an Exchange server for another business in the same city.
What is an appropriate response to this sort of failed break-in attempt? How seriously should one react? How should it be presented to management, and should you encourage them to over- or under-react? Should the other business, whose server was used to launch the attack, be informed? Should you try to surveil them first to learn about who is doing their tech work? With what tone should they be approached and/or accused? What would a suitable response from that company entail?"
You shouldn't start out accusatorily, because it's most likely that they're not the ones attempting the break-in. It's more likely that their box has been hijacked and is being used as a proxy to launch attacks against your computer for someone else.
After all, who uses an Exchange server as their terminal to log in to other computers? If it was one of the desktops, then it would make sense that they were attacking.
Remember, there were no nuclear weapons before women were allowed to vote.
Start off by blocking remote logins (ssh?) from anywhere except where you want to allow people to log in from. Second, I would send a polite email to their tech contact, or if you can't find that, regular post mail to the company. Don't overreact. There are a lot of ssh worms out there. I have one machine where I watch for these kinds of things. I see at least 3 or 4 worms hitting my box a day.
My guess is that it's that script trying to brute-force random SSH servers, as mentioned on /. a couple weeks ago. My server here at work has been hit too, although the attacking machines were in Europe and Korea in my case. I emailed the owners of the IP blocks the attacks came from and have left it in their courts. My system is secure (I'm the only one who can login via SSH and I have a damn good password), so there was no harm done.
I think before you jump to any conclusions about it being malicious on the part of the other company, you should call the tech there and let him/her know what's happening. If it is indeed a script then there's no harm done and the other tech can take care of fixing their system. If it was actually a malicious attack, then you can try and figure out who is responsible.
It might not even be them due to spoofing, but most likely, it is unauthorized use of their machine.
How would you go about brute forcing a server using IP spoofing? With IP spoofing, you don't get the packets to return to you, they get returned to the server, then dropped. No complete TCP connection can be made.
Therefore, SSH would never get the packet to begin with, and even if it did, and got your full packet, it wouldn't send the "success" or "failure" to you.
That computer is obviously either compromised (most likely), or being used by authorized personnel to launch this attack (very unlikely).
"You must be new here" is what comes to mind.. I get hundreds of these per HOUR on most of my boxes. It could be anything: a curious worker, a hacker, a virus, a script gone bad.
First thing, check your important file checksums, run tripwire, or whatever. If you don't have a tripwire-like system set up, or a backup set you can compare against, you've got another problem, but let's assume somehow, you are sure your files were not compromised.
Once you're sure no damage was done, relax, the system did what it's supposed to and rejected the traffic. Do a quick audit to make sure everything is up to date, you're not running any insecure junk, no version numbers are revealed, IDS signatures are up to date, and so on.
It's likely just a virus or a hacked box.
My algorithm for dealing with this is:
if self.friend_of? other_business.admin
  self.contact other_business.admin
else
  document anomaly
  possibly_firewall other_business.ips
  get_back_to_work!
end
In other words, it's NOT YOUR PROBLEM if the other guy is hacked. In fact YOU could be blamed for it (yes, this shit happens, people are idiots). DO NOT portscan or telnet or attempt to learn anything about the other box (which you already did, oops).
Be sure to DOCUMENT everything. If you visit their web site, document it. If you call them, document who you talked to. Just document everything, even if you just file it away.
Whether or not you contact management is up to your business culture, position, etc. In my opinion, it's your job to deal with this stuff and if you "escalate" every little port scan, you're just making a lot of useless noise. However if the other business is a competitor of yours, or there's some business impact here, or they've been doing it for months, you should tell your management.
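As an added example (not code from anyone in the thread), the log triage that turns "about 50 remote login attempts" into something you can file: it parses sshd entries in syslog auth.log format, counts failures per source address, records which usernames were tried and when, and flags sources at a threshold. The host name, user name, addresses and log lines are all constructed.

```python
import re
from collections import defaultdict

# Constructed sshd entries in syslog auth.log format (RFC 5737 test addresses); not the poster's logs.
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:07 office sshd[4121]: Failed password for root from 198.51.100.23 port 50212 ssh2
Mar  3 02:14:09 office sshd[4123]: Failed password for invalid user admin from 198.51.100.23 port 50214 ssh2
Mar  3 02:14:12 office sshd[4125]: Failed password for invalid user test from 198.51.100.23 port 50216 ssh2
Mar  3 02:14:15 office sshd[4127]: Failed password for root from 198.51.100.23 port 50218 ssh2
Mar  3 02:14:18 office sshd[4129]: Failed password for invalid user oracle from 198.51.100.23 port 50220 ssh2
Mar  3 08:02:44 office sshd[5310]: Failed password for jety from 192.0.2.15 port 41022 ssh2
Mar  3 08:02:51 office sshd[5310]: Accepted password for jety from 192.0.2.15 port 41022 ssh2
Mar  3 09:30:02 office sshd[5602]: Accepted publickey for jety from 192.0.2.15 port 41100 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def summarize(log_text, threshold=5):
    """Per source IP: failure count, usernames tried, first/last time, any success.
    A source is flagged at `threshold` failures; flagged AND succeeded is the
    combination that means real investigation rather than a shrug."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "first": None,
                                 "last": None, "succeeded": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                        # not an sshd auth event
        s = stats[m["ip"]]
        s["first"] = s["first"] or m["ts"]  # log is in chronological order
        s["last"] = m["ts"]
        if m["result"] == "Failed":
            s["failures"] += 1
            s["users"].add(m["user"])
        else:
            s["succeeded"] = True
    for s in stats.values():
        s["users"] = sorted(s["users"])
        s["flagged"] = s["failures"] >= threshold
    return dict(stats)

def incident_record(log_text, threshold=5):
    """One line per flagged source, ready to file in the written record."""
    return [f"{ip}: {s['failures']} failed logins, {len(s['users'])} usernames, "
            f"{s['first']} to {s['last']}, any success: {s['succeeded']}"
            for ip, s in sorted(summarize(log_text, threshold).items()) if s["flagged"]]
```

A flagged source that also shows an accepted login is the case where the "no harm done" conclusion above does not hold without checking further.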