708.686.7285 in Chicago area                                                 480.422.4314 in Scottsdale area
  Client Information        Domain01 - Chicago  Illinois
Contact        President  cc:  /
Date        Report - 12/31/2003   Test Dates 11/25/2003-12/31/2003
Performed By        Paul F Bergetz (President Alienconcepts Incorporated)
       Phone 708-686-7285  Email  audigo@alienc.com
1-Establish current condition of infrastructure and data security.
2-Make recommendations based on findings.
The tests were performed at Domain01  Chicago IL from Nov 25  through Dec 11 2003. Follow-up
work and analysis of findings was performed offsite.

Verification and additional data was found via Terminal Services network connection from office in Mount Prospect.
  Data Collection
Day1/2 -Test setup included an NMA ( Network Management Appliance)  and a VLAN switch ( for subdividing the LAN and WAN) into goups. I setup a portable (to access the NMA) outside Domain01 workgroups and  behind the firewall . This system was running Windows 2000 Pro and had F Secure Moblie Enterprise Client 5.50 running. A mirrored connection was made to monitor all traffic going in and out of router behind firewall using etrust 2.05 data was collected for 24 hours.
Ran bandwidth tests . During the test period of 10 mins (per client) from 2-3PM the bandwidth available was .9(Mbps) out of a maximum of 1.54(Mbps). Measured between firewall and ISP . The average user maintained 65 (Mbps) throughput between hlserver2 and there network interface card. This is well within accepted guidelines. One system "" appears to have a bad network interface or cable connection.

The IDS (
Intrusion Detection System) was also run at the same time logging ALL protocol activity
through the Firewall. The total amount of activity logged was 24 hours encompassing 1.3gb of
data. Because of the large number of viruses that were found no reports were printed and all IDS
logged activity was stored in its entirety on CD for future reference if needed.

Port scanning was performed from the inside and outside of the Domain01 infrastructure at various
intervals during the 2 day collection period.

Virus Scanning was performed on random systems after the complete network was powered down.
Systems were brought back online one by one and a (house AV product) scan was run. If the systems failed the AV tests they were marked for complete re-install. As systems were brought back on line It was apparent that the problems were much deeper than a few viruses causing problems randomly (network operation became very unstable and  untraceable to one source). A more in depth plan was needed.


Ran bandwidth tests
Note: Underlined items in margin are internal XLS links.
Sample IDS Reporting
Port Scanning
Based on the port scans , virus scanning and IDS logs it appears that Domain01 was infiltrated by hackers that took control of one of the two routers.  This can be verified since the old router can no longer be accessed by any means without a unknown password. After taking control of the router they installed a  robot / file transfer program on the server SERVER02 ( see port scanning link ). They also setup directories on the systems "USER01" and "USER08"  were virus source code and programming tools were stored ( as well as possible others ).  These systems had remote control and access software installed on them  ( as can be seen from the various virus reports that are attached )  which allowed control of these systems by the hackers.This caused a continual decrease in network performance and prompted the addition of the faster  DSL connection. This router was delivered with default password installed   login "admin" password "admin" and may have also been used for short period of time.

It is unknown as to whether all of the viruses that were found came in after this attack, many of them may have been lying dormant on the systems.
virus reports
  Corrective Measures
Dec 02 through Dec 11 2003
1-The approach that was taken involved moving all systems to one switch connected to the old infiltrated router . The new router was secured and connected to a second switch with the scanned and cleaned server only on it forming the "clean" network. This formed two networks one infected with access to internet only via the old router (which was infiltrated)  and the other not infected with internet and server access.
2- I was able to save the server install by removing the house AV product and installing FSecure. I then performed several virus scans to verify integrity of the system ,which appeared to be fine.  The decision was made to move it to the "clean" switch so that corrected users could use both the server and internet resources. We also allowed infected / non scanned clients internet access via the old router.

3-All systems were taken offline one at a time and thoroughly scanned using FSecure from the DOS level followed by the windows version .  It appears that the house AV product  did not remove the virus (even though it found occurrences of the same)  since symptoms still exist.  See
virus reports for details. Once the systems passed several complete and virus free scans they were added to the "clean" network.
4-After scanning passwords were added to each systems local account and there network logon profiles were removed. (were necessary)
            a-Password could be as simple as  "ABClogoname12"  or "logonameA123"
            They can not be the same as the logon name viruses can guess this to easily.

5-Systems that could not be scanned and/or recovered were formatted and a new operating system was installed. These systems were then configured and scanned before being attached to the network.
Intrusion Detection and port scanning was applied at the beginning , during and
at the end of the corrective process.

  Follow Up Measures
Dec 12 through Dec 31 2003 - Open Items

 1-The FSecure product should be purchased from F-Secure USA. They can be reached at
     F-Secure (408) 938-6700  contact : Lisa  (sales) . Since there were three
    different anti virus products installed across the network systems and none of them
    removed the problems (even if they found it ) FSecure should be the recommended
    house AV product. (since it found and removed problems the others did not)
    2-The remaining systems still need to be tested before they can be added to network or
    used for transferring files via removable media.
        A    - Systems in shipping department
B    - (old windows 95 system)
        C    - Portable used by outside sales

    3-Passwords aligning with excepted conventions should be added to all systems that
    do not have them.

4-You need to verify what services your current email provider provides with respect to
    virus scanning and spam control. Virus related  problems should NOT enter your network.
    If your mail provider does not provide this service I can find one for you.

    5-All ADMINISTRATIVE  logins must be pass worded aligning with excepted conventions
6-The router must be secured so that the telnet port is not visible from the outside. This
    will require using a secure connection via terminal service to make changes.

    7-Users should be encouraged to keep files on the server when possible. This does not
    help them with files that are automatically dumped in the windows \My Documents  folder.
    these should be copied to the E: drive on systems that have been rebuilt to proper conventions.
    Or copied by script to a Network Management Appliance. ( see 8 )
8-A network management appliance should be installed on the network ASAP to help in the
    following (and keep you proactive instead of reactive)
        A    - Disk to Disk backup of critical files on users systems as well as duplicate backup
            of the server data files. ( 360GB of storage )
        B    - Remote monitoring and management of network and resources
        C    - Daily port scans
        D    - Bandwidth testing
        E    - Intrusion Detection logging as dictated by weekly port scans
        F    - Network time service ( I noticed a range of almost an hour between Domain01 systems)
        G   - The management appliance can be used as a backup server if the main unit
             needs to be taken offline for updates or repairs.
        H  - Remote virus scanning
        The cost of this service would be 600.00 to 750.00 per month including hardware

     9- The Server02 is issuing a fan failure error this may or may not be critical however
     it needs to be corrected since it causes the server to stop on reboot and wait for user input.
A   - An  IDE drive needs to be added to the server to store a boot image. This will allow
            quick recovery of the server to a the last imaged state if a failures occurs.

10- Because of attacks like the one that just happened it would be wise to have an
     Electronic Media and Internet Usage policy in place to protect Domian01 in case employees
     or infiltrators use your network and resources for malicious activities. I can supply you with
     boiler plate for your attorney to attach to your employee handbook.

11- Systems that still indicate any open port irregularities need to be tested with a "Port
     to  Process" enumerator. This will verify if these ports are suspect as still existing transfer    
     points for Trojan code and hackers.  Cost not included
     in monthly service charge.
  Remote Management
 Dec 12 through Dec 31 2003

Once the onsite tasks were complete I moved on to remote management of the infrastructure.
This was done by installing various management tools on SERVER02 and opening up port
3389 in the router to allow terminal services access to the network.  The following software was
installed in user account "manage": ( all of this software is licensed to alienconcepts inc. )

1-Enterprise user and resource management
2-Port scanner
3-Network performance testing
4-Port to process monitoring
5-Trojan Detection System
6-Enterprise scheduler
7-File comparison
8-Mail notification
9-Intrusion Detection

For the past 17 days I have been receiving and reviewing data on port scans, port to process
spying and virus scanning info. THIS SERVICE WILL STOP ON JAN 11 2004 .

There are 3 options I can offer you after that time:

1-Install the NMA  ( network management appliance ) for $ 600 a month which includes all
of the services plus Disk to Disk backup of your data daily.
2-Leave the software on the SERVER02 and continue with remote management for
 $ 500 a month. (this is acceptable however, it places an undo load on a company data resource)
3-Remove everything and let your staff worry about it.

  On Going Procedures
    The following on going procedures should be followed to prevent future problems:

    1-No systems or resources should be added to network without first being scanned for any
    possible virus infection with chosen AV product. ( this includes systems moved between
    office and home or network resources that do not have EMBEDDED operating systems
    such as printing or shipping resources)
    2-Loggin in to the network from offsite must be secured.
        A    -If you need to log into a system via a modem the remote client must be secured
            using a callback or access list.
        B    -If you need to log into a system via the internet. You will need a fixed IP that
            will be recorded into the access list on host system. You will also need to have
            port mapping added in router for this service.
        C    -An alternative to the above is setting up a VPN for each remote client /
            host relationship
    3-Inbound Modems and other remote dial-up devices need to be logged in the
    admin\system\network.xls document on server.
    4-All email needs to be scanned indefinitely.
        A    - This is the most probable way of eliminating getting infected again.
    5-Turn off the preview pane in Outlook Express and Outlook.
        A    - This way you can see all your mail without having any item open automatically (with
                a potential problem of releasing a virus).
    6-User accounts should be kept in a default security mode. This may be inconvenient when you
    need to install software or device drivers however, it ensures that only the administrator
    can access these functions.
    7-Users should be asked not to download and install non work related programs from the
    internet. (this includes screen savers which are one of the main causes of viruses)
    8-Log off procedures need to be implemented and followed as noted:
        A    - Windows 2000/XP system users need to press "Ctrl Alt Del" and lock there system
                when leaving there workstations for short periods of time.
        B    - Windows 2000/XP users should press "Crtl Alt Del" and LogOff at days end.
        C    - Windows 95/98 systems are not secure no matter what log off procedure you use.
                They must be shut off when not in use.

    9-Do not use any Instant Messenger service. They have many security holes. (For safety do
    not use any instant messenger service)
    10-Do not add Wireless access points to your network.

    11-Do not accept files via email or media WITHOUT first scanning for viruses

    12-Users should be discouraged from using internet services such as "Radio or
     multimedia services" since they have excessive bandwidth requirements.

PFB: Analysis Report

This reoprt is not part of the standard data collection base price. Price will range from 4 to 20 hours work at hourly rate depending on the complexity of the analysis.