708.686.7285 in Chicago area
480.422.4314 in Scottsdale area

Client Information
Domain01 - Chicago Illinois

Contact
President cc: /

Date
Report - 12/31/2003
Test Dates 11/25/2003-12/31/2003

Performed By
Paul F Bergetz (President Alienconcepts Incorporated)

Phone 708-686-7285
Email audigo@alienc.com

Purpose

1-Establish current condition of infrastructure and data security.
2-Make recommendations based on findings.

Location/Date/Time

The tests were performed at Domain01 Chicago IL from Nov 25 through Dec 11 2003. Follow-up work and analysis of findings was performed offsite. Verification and additional data were obtained via a Terminal Services network connection from the office in Mount Prospect.

Data Collection

Day 1/2 - Test setup included an NMA (Network Management Appliance) and a VLAN switch (for subdividing the LAN and WAN into groups). I set up a portable (to access the NMA) outside the Domain01 workgroups and behind the firewall. This system was running Windows 2000 Pro and had F-Secure Mobile Enterprise Client 5.50 running. A mirrored connection was made to monitor all traffic going in and out of the router behind the firewall using eTrust 2.05; data was collected for 24 hours.

Ran bandwidth tests. During the test period of 10 mins (per client) from 2-3PM the bandwidth available was 0.9 Mbps out of a maximum of 1.54 Mbps, measured between the firewall and the ISP. The average user maintained 65 Mbps throughput between hlserver2 and their network interface card. This is well within accepted guidelines. One system, "192.168.1.14", appears to have a bad network interface or cable connection.

The IDS (Intrusion Detection System) was also run at the same time, logging ALL protocol activity through the firewall. The total amount of activity logged was 24 hours encompassing 1.3 GB of data. Because of the large number of viruses that were found no reports were printed; all IDS logged activity was stored in its entirety on CD for future reference if needed.

Port scanning was performed from the inside and outside of the Domain01 infrastructure at various intervals during the 2 day collection period.

Virus scanning was performed on random systems after the complete network was powered down. Systems were brought back online one by one and a (house AV product) scan was run. If the systems failed the AV tests they were marked for complete re-install. As systems were brought back online it was apparent that the problems were much deeper than a few viruses causing problems randomly (network operation became very unstable and untraceable to one source). A more in-depth plan was needed.

Note: Underlined items in margin are internal XLS links.

Margin links: Ran bandwidth tests; Sample IDS Reporting; Port Scanning

Findings

Based on the port scans, virus scanning and IDS logs it appears that Domain01 was infiltrated by hackers that took control of one of the two routers. This can be verified since the old router can no longer be accessed by any means without an unknown password. After taking control of the router they installed a robot / file transfer program on the server SERVER02 (see port scanning link). They also set up directories on the systems "USER01" and "USER08" where virus source code and programming tools were stored (as well as possibly others). These systems had remote control and access software installed on them (as can be seen from the various virus reports that are attached) which allowed control of these systems by the hackers. This caused a continual decrease in network performance and prompted the addition of the faster DSL connection. This router was delivered with the default password installed, login "admin" password "admin", and may have also been used for a short period of time. It is unknown whether all of the viruses that were found came in after this attack; many of them may have been lying dormant on the systems.

Margin link: virus reports

Corrective Measures

Dec 02 through Dec 11 2003

1-The approach that was taken involved moving all systems to one switch connected to the old infiltrated router. The new router was secured and connected to a second switch with the scanned and cleaned server only on it, forming the "clean" network. This formed two networks: one infected, with access to the internet only via the old router (which was infiltrated), and the other not infected, with internet and server access.

2-I was able to save the server install by removing the house AV product and installing F-Secure. I then performed several virus scans to verify the integrity of the system, which appeared to be fine. The decision was made to move it to the "clean" switch so that corrected users could use both the server and internet resources. We also allowed infected / non-scanned clients internet access via the old router.

3-All systems were taken offline one at a time and thoroughly scanned using F-Secure from the DOS level followed by the Windows version. It appears that the house AV product did not remove the virus (even though it found occurrences of the same) since symptoms still exist. See virus reports for details. Once the systems passed several complete and virus-free scans they were added to the "clean" network.

4-After scanning, passwords were added to each system's local account and their network logon profiles were removed (where necessary).
  a-Password could be as simple as "ABClogoname12" or "logonameA123". They can not be the same as the logon name; viruses can guess this too easily.

5-Systems that could not be scanned and/or recovered were formatted and a new operating system was installed. These systems were then configured and scanned before being attached to the network.

Intrusion Detection and port scanning was applied at the beginning, during and at the end of the corrective process.

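To make the local-account password rule in item 4 checkable rather than a matter of judgement, here is an added example (editor's code, not part of the original report). It applies the page's rule, that the password must never equal the logon name, plus two assumptions the report does not state: a minimum length of 8 and at least one letter and one digit, chosen so that the page's own samples "ABClogoname12" and "logonameA123" pass and a bare logon name fails.

```python
"""Local-account password check for the convention in Corrective Measures, item 4.

Added example; not part of the original report. The page's rule: the password
may be as simple as "ABClogoname12" or "logonameA123" but must never be the same
as the logon name. MIN_LENGTH and the letter+digit requirement are assumptions
added here.
"""

MIN_LENGTH = 8  # assumption: the report gives no minimum length


def check_password(logon_name, password):
    """Return the list of rule violations; an empty list means the password is acceptable."""
    problems = []
    # The one rule the report states: never the logon name itself (compared case-insensitively).
    if password.strip().lower() == logon_name.strip().lower():
        problems.append("password is the same as the logon name")
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isalpha() for c in password):
        problems.append("contains no letters")
    if not any(c.isdigit() for c in password):
        problems.append("contains no digits")
    return problems


def is_acceptable(logon_name, password):
    """True when the password passes every rule above."""
    return not check_password(logon_name, password)


def audit_accounts(accounts):
    """accounts: iterable of (logon_name, password) pairs, e.g. checked at password-set time.
    Returns the logon names whose password fails the convention."""
    return [name for name, pw in accounts if check_password(name, pw)]


if __name__ == "__main__":
    # Constructed sample: the report's two example forms pass, a bare logon name fails.
    sample = [("jsmith", "ABCjsmith12"), ("jsmith", "jsmithA123"), ("bob", "bob")]
    for name, pw in sample:
        print(name, pw, check_password(name, pw) or "ok")
```

Run the check at the moment a password is set rather than over a stored list; the report's concern is that worms try the logon name as the password, and that is the case the first rule rejects.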
Follow Up Measures

Dec 12 through Dec 31 2003 - Open Items

1-The F-Secure product should be purchased from F-Secure USA. They can be reached at F-Secure (408) 938-6700, contact: Lisa (sales). Since there were three different anti-virus products installed across the network systems and none of them removed the problems (even if they found it), F-Secure should be the recommended house AV product (since it found and removed problems the others did not).

2-The remaining systems still need to be tested before they can be added to the network or used for transferring files via removable media.
  A - Systems in shipping department
  B - 192.168.1.14 (old Windows 95 system)
  C - Portable used by outside sales

3-Passwords aligning with accepted conventions should be added to all systems that do not have them.

4-You need to verify what services your current email provider provides with respect to virus scanning and spam control. Virus related problems should NOT enter your network. If your mail provider does not provide this service I can find one for you.

5-All ADMINISTRATIVE logins must be passworded aligning with accepted conventions.

6-The router must be secured so that the telnet port is not visible from the outside. This will require using a secure connection via terminal service to make changes.

7-Users should be encouraged to keep files on the server when possible. This does not help them with files that are automatically dumped in the Windows \My Documents folder. These should be copied to the E: drive on systems that have been rebuilt to proper conventions, or copied by script to a Network Management Appliance (see 8).

8-A network management appliance should be installed on the network ASAP to help in the following (and keep you proactive instead of reactive):
  A - Disk to Disk backup of critical files on users' systems as well as duplicate backup of the server data files (360GB of storage)
  B - Remote monitoring and management of network and resources
  C - Daily port scans
  D - Bandwidth testing
  E - Intrusion Detection logging as dictated by weekly port scans
  F - Network time service (I noticed a range of almost an hour between Domain01 systems)
  G - The management appliance can be used as a backup server if the main unit needs to be taken offline for updates or repairs.
  H - Remote virus scanning
  The cost of this service would be 600.00 to 750.00 per month including hardware.

9-The Server02 is issuing a fan failure error. This may or may not be critical; however it needs to be corrected since it causes the server to stop on reboot and wait for user input.
  A - An IDE drive needs to be added to the server to store a boot image. This will allow quick recovery of the server to the last imaged state if a failure occurs.

10-Because of attacks like the one that just happened it would be wise to have an Electronic Media and Internet Usage policy in place to protect Domain01 in case employees or infiltrators use your network and resources for malicious activities. I can supply you with boilerplate for your attorney to attach to your employee handbook.

11-Systems that still indicate any open port irregularities need to be tested with a "Port to Process" enumerator. This will verify if these ports are suspect as still existing transfer points for Trojan code and hackers. Cost not included in monthly service charge.

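Item 11's "Port to Process" test and the daily port scans of item 8C amount to one check: every listening port on a host is tied to the process that owns it and compared against what the administrator expects to see. The following is an added example (editor's code, not part of the report and not one of the products it lists) of that check in Python. It reads a listener snapshot in the layout printed by `netstat -ano` on Windows, a PID-to-image map as `tasklist` prints it, and a baseline of expected (protocol, port, image) triples, and reports every listener the baseline does not account for. The snapshot, process names, baseline and the unexpected port 6667 listener are constructed for this example; the `-o` switch that prints the PID arrived with Windows XP, which is why the report's Windows 2000 hosts need a separate enumerator to supply that column.

```python
"""Port-to-process check for Follow Up item 11, and the daily port scans in item 8C.

Added example; not part of the original report or of any product it names.
Input: a listener snapshot in the layout printed by `netstat -ano` on Windows,
a PID-to-image map as printed by `tasklist`, and a baseline of expected
(proto, port, image) triples. Output: every listening port not accounted for by
the baseline. The snapshot, process names and baseline below are constructed
for this example.
"""
import re

# Constructed snapshot; port 3389 is the Terminal Services port the report opened on SERVER02.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1040
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       2184
  TCP    192.168.1.2:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.2:3389       192.168.1.50:1203      ESTABLISHED     1040
  UDP    0.0.0.0:161            *:*                                    884
"""

# PID -> image name as tasklist would report it (constructed).
PROCESS_BY_PID = {4: "System", 716: "svchost.exe", 884: "snmp.exe",
                  1040: "svchost.exe", 2184: "unknown01.exe"}

# Baseline of listeners the administrator expects on this host (constructed).
BASELINE = {("TCP", 135, "svchost.exe"), ("TCP", 139, "System"),
            ("TCP", 445, "System"), ("TCP", 3389, "svchost.exe"),
            ("UDP", 161, "snmp.exe")}

# proto, local address, local port, foreign address, optional state (absent for UDP), pid
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_listeners(netstat_text):
    """Return (proto, port, pid) for each listening socket: TCP in LISTENING state and every UDP binding."""
    found = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header and blank lines
        proto, _local, port, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established or closing connections are not listeners
        found.append((proto, int(port), int(pid)))
    return found


def find_irregularities(netstat_text, process_by_pid, baseline):
    """Return sorted (proto, port, image) triples that are listening but absent from the baseline.
    A PID with no tasklist entry is reported as such rather than silently matched."""
    irregular = set()
    for proto, port, pid in parse_listeners(netstat_text):
        image = process_by_pid.get(pid, "<pid %d not in tasklist>" % pid)
        if (proto, port, image) not in baseline:
            irregular.add((proto, port, image))
    return sorted(irregular)


if __name__ == "__main__":
    for proto, port, image in find_irregularities(NETSTAT_SAMPLE, PROCESS_BY_PID, BASELINE):
        print("unexpected listener: %s/%d owned by %s" % (proto, port, image))
```

Because the baseline pairs each port with the image that should own it, a known port served by an unfamiliar process is flagged just as a wholly unexpected port is; run daily and diffed against the previous run, this is the "daily port scan" of item 8C from the host's own side.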
Remote Management

Dec 12 through Dec 31 2003

Once the onsite tasks were complete I moved on to remote management of the infrastructure. This was done by installing various management tools on SERVER02 and opening up port 3389 in the router to allow terminal services access to the network. The following software was installed in user account "manage" (all of this software is licensed to alienconcepts inc.):
1-Enterprise user and resource management
2-Port scanner
3-Network performance testing
4-Port to process monitoring
5-Trojan Detection System
6-Enterprise scheduler
7-File comparison
8-Mail notification
9-Intrusion Detection

For the past 17 days I have been receiving and reviewing data on port scans, port to process spying and virus scanning info. THIS SERVICE WILL STOP ON JAN 11 2004.

There are 3 options I can offer you after that time:
1-Install the NMA (network management appliance) for $600 a month, which includes all of the services plus Disk to Disk backup of your data daily.
2-Leave the software on the SERVER02 and continue with remote management for $500 a month. (This is acceptable; however, it places an undue load on a company data resource.)
3-Remove everything and let your staff worry about it.

On Going Procedures

The following on going procedures should be followed to prevent future problems:

1-No systems or resources should be added to the network without first being scanned for any possible virus infection with the chosen AV product. (This includes systems moved between office and home, or network resources that do not have EMBEDDED operating systems, such as printing or shipping resources.)

2-Logging in to the network from offsite must be secured.
  A - If you need to log into a system via a modem, the remote client must be secured using a callback or access list.
  B - If you need to log into a system via the internet, you will need a fixed IP that will be recorded into the access list on the host system. You will also need to have port mapping added in the router for this service.
  C - An alternative to the above is setting up a VPN for each remote client / host relationship.

3-Inbound modems and other remote dial-up devices need to be logged in the admin\system\network.xls document on the server.

4-All email needs to be scanned indefinitely.
  A - This is the most probable way of eliminating getting infected again.

5-Turn off the preview pane in Outlook Express and Outlook.
  A - This way you can see all your mail without having any item open automatically (with a potential problem of releasing a virus).

6-User accounts should be kept in a default security mode. This may be inconvenient when you need to install software or device drivers; however, it ensures that only the administrator can access these functions.

7-Users should be asked not to download and install non work related programs from the internet. (This includes screen savers, which are one of the main causes of viruses.)

8-Log off procedures need to be implemented and followed as noted:
  A - Windows 2000/XP system users need to press "Ctrl Alt Del" and lock their system when leaving their workstations for short periods of time.
  B - Windows 2000/XP users should press "Ctrl Alt Del" and Log Off at day's end.
  C - Windows 95/98 systems are not secure no matter what log off procedure you use. They must be shut off when not in use.

9-Do not use any Instant Messenger service. They have many security holes.

10-Do not add Wireless access points to your network.

11-Do not accept files via email or media WITHOUT first scanning for viruses.

12-Users should be discouraged from using internet services such as "Radio or multimedia services" since they have excessive bandwidth requirements.

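Item 2B above (a fixed IP recorded in an access list on the host, with port mapping in the router) and Follow Up item 6 (the router's telnet port never visible from outside) describe one deny-by-default policy. As an added example (editor's code, not part of the report and not the configuration syntax of the routers it mentions), here is that policy written out in Python so it can be checked against a connection log. The 192.168.1.0/24 LAN, the stand-in fixed address 203.0.113.7, the service list and the log lines are constructed; port 3389 is the Terminal Services port the report itself opened.

```python
"""Remote-access decision for On Going Procedures item 2B and Follow Up item 6.

Added example; not part of the original report and not the configuration
syntax of any router it mentions. Policy, as the page states it: logins over
the internet come only from a fixed IP recorded in the access list on the host,
and the router's telnet port must not be reachable from outside. The LAN range,
the fixed address and the sample log are constructed.
"""
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")  # constructed; the report's hosts are 192.168.1.x

# Service port -> networks outside the LAN allowed to reach it (constructed).
# 3389 is the Terminal Services port the report opened; 203.0.113.7 stands in for the fixed IP.
REMOTE_ACCESS_LIST = {
    3389: (ipaddress.ip_network("203.0.113.7/32"),),
}

# Ports that must never be visible from outside, whatever the source (item 6: router telnet).
INSIDE_ONLY = {23}


def decide(source_ip, dest_port):
    """Return 'allow' or 'deny' for a connection attempt; anything not listed is denied."""
    src = ipaddress.ip_address(source_ip)
    if src in LAN:
        return "allow"            # inside the office network
    if dest_port in INSIDE_ONLY:
        return "deny"             # management ports are never exposed, even to the fixed IP
    for net in REMOTE_ACCESS_LIST.get(dest_port, ()):
        if src in net:
            return "allow"        # the fixed IP recorded on the host
    return "deny"


def denied_attempts(log_lines):
    """log_lines: 'source_ip dest_port' strings; return the (ip, port) pairs the policy rejects."""
    denied = []
    for line in log_lines:
        ip, port = line.split()
        if decide(ip, int(port)) == "deny":
            denied.append((ip, int(port)))
    return denied


# Constructed connection log.
LOG_SAMPLE = [
    "203.0.113.7 3389",    # the recorded fixed IP reaching Terminal Services: allowed
    "198.51.100.9 3389",   # any other internet address: denied
    "198.51.100.9 23",     # telnet from outside: denied
    "203.0.113.7 23",      # telnet even from the fixed IP: denied (changes go over terminal services)
    "192.168.1.14 23",     # telnet from inside the LAN: allowed
]

if __name__ == "__main__":
    for ip, port in denied_attempts(LOG_SAMPLE):
        print("denied: %s -> port %d" % (ip, port))
```

The order of the tests matters: the inside-only check runs before the access list, so recording a fixed IP for Terminal Services can never accidentally expose the router's telnet port to that same address.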
Summary