Hacked - Need to Discover Damage Done

  • #1

    Setup - Small network with: 1 Win 2003 Server DC + Multiple Win XP Workstations behind a NetGear router.

    I noticed in my router's logs a message similar to the following:
    [LAN access from remote] from 123.122.97.185:12932 to 192.168.1.3:58315, Wednesday, February 25,2009 21:02:06

    The "from" addresses were not all the same IP, but they are mostly from the same geographical area. The attack is, however, always "to" the same workstation in my network.

    I have disabled remote access to the router, so I'm not sure what this meant. I googled it and found out that someone was accessing the LAN via something called a UPNP hack. Below is the link of where I found the info.
    http://www.tomshardware.com/forum/25...-remote-access.

    I turned UPNP off. Now I need to discover:
    1) damage that was done - did they obtain any files from the server, did they access personal files in the server, did they download any files from the server, etc.
    2) why were they accessing the LAN always via the same client IP. I do not want to ask any questions to the user of that workstation until I gather more information.

    Please assist with as much info as possible.

  • #2
    Re: Hacked - Need to Discover Damage Done

    Originally posted by HotDay2222:
    1) damage that was done - did they obtain any files from the server, did they access personal files in the server, did they download any files from the server, etc.
    Did you have object access logging turned on? Did you have object access turned on in group or local policies? Was it also turned on for specific files and folders? If not, it's virtually impossible to tell what files were accessed or transferred.
    Originally posted by HotDay2222:
    2) why were they accessing the LAN always via the same client IP. I do not want to ask any questions to the user of that workstation until I gather more information.
    Because that computer is the one that is compromised. Most likely, the router is not the compromised portion of the network; the client PC is. It must have been infected with some kind of trojan that is listening for connections and has used UPNP (one of the stupidest inventions in all of technology) to bridge the WAN with the LAN.

    Sad to say, the only sure solution is to back up the important files on the infected PC and reformat it.
    Wesley David

    • #3
      Re: Hacked - Need to Discover Damage Done

      Asked a friend that's involved with computer forensics to check this thread out and here's what he had to say:

      Could sort by last accessed times and see if they correlate with log entries. Might want to use a forensic boot disc such as Helix so the files aren't touched while he's looking at them. This way you could also look for deleted files. Detecting whether files were copied can be tricky, unless done via FTP with logging.

      If it was a server, there may be logging enabled and monitoring (which would be very helpful). As for the workstation, check for BitTorrent software or malware. He doesn't have to make an issue with the employee... just that the logs showed something from that workstation and they need to check out the workstation. If this is an employee, it might be best to have a forensics specialist take a forensic image in case it turns into a lawsuit or something.
      ** Remember to give credit where credit is due and leave reputation points where appropriate **
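      An added example (not code from the thread or from any poster) that parses router log lines in the format quoted in the first post, summarises which internal host and ports the remote accesses kept targeting, and checks file last-accessed times against those log entries as #3 suggests. Only the first log line comes from the thread; the other log lines and the file timestamps are constructed, and the last-accessed times are assumed to come from a forensic image taken separately.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed router log: line 1 is the entry quoted in the thread, the rest
# are made-up entries in the same format (not real data from the thread).
ROUTER_LOG = """\
[LAN access from remote] from 123.122.97.185:12932 to 192.168.1.3:58315, Wednesday, February 25,2009 21:02:06
[LAN access from remote] from 123.122.97.200:4410 to 192.168.1.3:50023, Wednesday, February 25,2009 21:05:40
[LAN access from remote] from 123.122.98.7:1553 to 192.168.1.3:50023, Thursday, February 26,2009 02:11:09
[LAN access from remote] from 10.0.0.5:3389 to 192.168.1.2:445, Thursday, February 26,2009 09:00:00
"""

LINE_RE = re.compile(
    r"\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+), \w+, (?P<ts>[A-Za-z]+ \d+,\d{4} \d\d:\d\d:\d\d)"
)

def parse_router_log(text):
    """Parse the NetGear-style lines into dicts; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        events.append({"src": m["src"], "sport": int(m["sport"]),
                       "dst": m["dst"], "dport": int(m["dport"]),
                       "ts": datetime.strptime(m["ts"], "%B %d,%Y %H:%M:%S")})
    return events

def summarise_targets(events):
    """Per internal host: hit count, distinct remote sources, destination ports."""
    summary = defaultdict(lambda: {"hits": 0, "sources": set(), "ports": set()})
    for e in events:
        s = summary[e["dst"]]
        s["hits"] += 1
        s["sources"].add(e["src"])
        s["ports"].add(e["dport"])
    return dict(summary)

def correlate_file_access(events, file_atimes, window=timedelta(minutes=30)):
    """Files whose last-accessed time falls within `window` after a remote access.
    Last-accessed times come from a forensic image (not this script)."""
    matches = []
    for path, atime in file_atimes.items():
        for e in events:
            if e["ts"] <= atime <= e["ts"] + window:
                matches.append((path, e["src"], e["ts"]))
                break
    return matches
```

      The summary makes the pattern the original poster noticed explicit: several distinct remote sources, one internal host, and a small set of high destination ports, which is what points at that host rather than the router.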

      • #4
        Re: Hacked - Need to Discover Damage Done

        I'd start by checking that PC for malware. Ports above 1024 are generally considered dynamic. Anything that high is open to abuse, as BitTorrent software generally operates at the higher range to avoid traffic shaping by ISPs, as well as on random ports to mask the traffic. If it's on the same port there must be something on that PC advertising itself on that port. Do a netstat -b on the host and see what ports are attached to which processes, or use Process Explorer along with Active Ports to do the same.

        UPNP is often a protocol that gets hacked because it supports ease of use as well as data communication.

        Beef up your security by creating the necessary access rules on the firewall that only allow clients to communicate on ports 80 and 443 outbound and that is it. (Or better still, get a proxy.) Client PCs should not have the ability to send any data outside of your network unless categorically specified. Ensure your firewall is capable of IDS/IPS or some DPI. Now's a very good time to reassess your network's security.

        • #5
          Re: Hacked - Need to Discover Damage Done

          scurlaruntings, sorry, I did not express myself clearly and accurately.

          Not all the computers connected to the router are members of the domain. Some of them are operating in workgroup mode - is that a problem/risk? Actually, the computer that caused the problems was not a client of the domain; it was in workgroup mode, so I can't control anything.

          The accessed ports were actually above 50,000... if I remember correctly, some of the ports used were 50,023 and something close to it.

          I'm not sure what software the user is running that is causing this, and I can't yet confront the user.

          Thanks for assistance, will think on how to implement your ideas while keeping the setup the way it is (domain w/ workgroup in the same network).

          • #6
            Re: Hacked - Need to Discover Damage Done

            The fact they're in a workgroup doesn't pose any additional risk other than you can't manage them from the domain unless you have their credentials, and the fact that the users will more than likely have local administrator rights.

            Unless your firewall already has a logging collection/syslog feature as well as being capable of deep-level packet inspection, there's not much you'll be able to find out unless you get access to that person's PC.

            • #7
              Re: Hacked - Need to Discover Damage Done

              Originally posted by scurlaruntings:
              Beef up your security by creating the necessary access rules on the firewall that only allow clients to communicate on ports 80 and 443 outbound and that is it... Client PCs should not have the ability to send any data outside of your network unless categorically specified.
              How do I implement this recommendation if not all the computers in the network are part of the domain, and some are running as a workgroup? Am I correct in guessing that this cannot be implemented in my situation?

              • #8
                Re: Hacked - Need to Discover Damage Done

                How the ACL is defined is dependent on your firewall. This, though, is normally done via IP address. As long as you have the IP address or subnet of the clients you can create the necessary rule on your firewall irrespective of whether they are in a domain or a workgroup. As long as the gateway of last resort is your firewall and they are within the IP or subnet specified, the rule will apply.

                • #9
                  Re: Hacked - Need to Discover Damage Done

                  FYI he's talking about a physical firewall device / ISA / etc, not the Windows Firewall on each computer.
                  • #10
                    Re: Hacked - Need to Discover Damage Done

                    Originally posted by Wired:
                    FYI he's talking about a physical firewall device / ISA / etc, not the Windows Firewall on each computer.
                    Thank you for clarifying, otherwise I'd follow up with more rookie questions

                    scurlaruntings thank you for your assistance and patience.

                    Now last questions ...is my firewall device placed between my router and modem, or is router placed between modem and firewall?

                    I thought my router also acted as firewall...I guess it's not good enough?

                    • #11
                      Re: Hacked - Need to Discover Damage Done

                      Originally posted by Wired:
                      FYI he's talking about a physical firewall device / ISA / etc, not the Windows Firewall on each computer.
                      I wasn't referring to the Windows firewall.

                      • #12
                        Re: Hacked - Need to Discover Damage Done

                        Originally posted by HotDay2222:
                        Thank you for clarifying, otherwise I'd follow up with more rookie questions

                        scurlaruntings thank you for your assistance and patience.

                        Now last questions ...is my firewall device placed between my router and modem, or is router placed between modem and firewall?

                        I thought my router also acted as firewall...I guess it's not good enough?
                        Your modem will be in front of your router and your router's gateway will be the WAN IP of the modem upstream. In other words: Internet > Modem > Router.
                        Last edited by scurlaruntings; 18th October 2009, 19:03.
