The UK Home Automation Archive


Re: [OT] - HELP PLEASE we've been hacked.


  • Subject: Re: [OT] - HELP PLEASE we've been hacked.
  • From: "David Buckley" <db@xxxxxxxxxxx>
  • Date: Wed, 14 Apr 2004 09:07:45 -0000

As usual, I've only made myself half clear :-)

When I say you are "wedded to MS Server", I mean that thing that
runs CBus gateway and GeoVision, and am making no reference to IIS.

Now IIS is by far and away the most risky thing you can run for an
exposed webserver (unless you have people, skills, time and money to
keep it secured), and generally, as others have noted, dumping IIS
and replacing it with <anything_else> gives an improvement in
security.

Nonetheless, exposing anything hosted on a Microsoft server is
risky for two reasons.  (a) MS servers are the most frequently
attacked, and extensively compromised, and (b) exposed MS servers
tend to be integrated with your other servers and workstations, and
a compromised server can be used to attack your other machines.
That is the real scare - having your accounts, source code all
published...  This is why exposed servers should not be in the same
domains or trusted, as it makes extensions of such attacks trivial,
as the compromised box has rights elsewhere on the network.

Although no-one has yet, in case I'm accused of MS bashing - not
only is there history here, but MS software's security problems are
almost inevitable, given that (a) MS are the biggest target, (b)
lots of people hate MS, (c) MS have always gone for functionality
first, second and third, and (d) as noted by Mr Harrison, commercial
pressures dictate a "sell today, fix tomorrow" attitude amongst
manufacturers.

If you really don't need IIS and you disable it (and everything else
unneeded on the server), your levels of risk from running an MS
server are reduced, but given that the stuff you are exposing is
relatively niche, I'd wager it's even less secure than IIS (a scary
concept indeed), it just hasn't been put to the test yet, 'cos
no-one has been bothered to use it as an attack vector.

By the way; you can use the 'netstat -a' command to see what ports
are open on your server - anything marked "listening" should be
explained, it means you are running a service.

The Vigor 2600 does indeed support a limited concept of a DMZ.  It's
a separate IP subnet on the same physical network.  It's a start, as
it separates IP traffic from exposed servers and internal machines
on the office LAN.  But they aren't separate at all from stuff that
isn't subnet constrained, such as ARP requests.  Using your
compromised machine as a bridgehead, an ARP probe will detect
the "other" subnet, and then it's just a matter of configuring a
second IP address on the interface and the attacker is off....  For
this reason I don't get too excited about the pseudo-DMZ approach.
It's a free thing to offer in software, whereas a separate physical
port would put the price up.

What I would recommend you do as a better step is to not only use
pseudo-DMZ, but put another router box "between" the office LAN with
its DMZ and your exposed server.  As you are using specialist
protocols only, a stateful inspection box like the ZyWALL won't be
used to its best advantage, so any two port cable router with
access control lists will do - if they are still around a ZyXEL
Prestige 310 would do, as I think would a Vigor V2104P - it claims
to have packet level filtering, which is what you need, and is only
79 of your earth pounds.  A small price to pay for orders of
magnitude more security!
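One way to act on the "anything marked listening should be explained" advice above, as an added example that is not part of the original message: a small parser over a constructed `netstat -an` listing (the numeric form of the output) that compares every listening socket against a hypothetical allowlist of services the administrator has accounted for, and reports the rest.

```python
"""Flag listening sockets in netstat output that nobody has explained.
Added example; the sample listing and the allowlist are constructed."""
import re
from collections import namedtuple

Socket = namedtuple("Socket", "proto addr port state")

# Constructed sample of what `netstat -an` prints on a Windows box.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      192.168.1.50:1044      ESTABLISHED
  UDP    0.0.0.0:161            *:*
  UDP    192.168.1.10:137       *:*
"""

# Hypothetical allowlist: (proto, port) -> why this service is running.
EXPLAINED = {("TCP", 3389): "Remote Desktop for admin access"}

# Proto, local addr:port, foreign addr, optional state (UDP rows have none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return sockets accepting traffic: TCP rows in LISTENING and every UDP row."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line or a row we do not understand
        proto, addr, port, _foreign, state = m.groups()
        # A bound UDP socket is effectively listening even without a state column.
        if proto == "UDP" or state == "LISTENING":
            sockets.append(Socket(proto, addr, int(port), state or "BOUND"))
    return sockets


def unexplained(sockets, explained):
    """Listening (proto, port) pairs not on the allowlist: document them or disable them."""
    return sorted({(s.proto, s.port) for s in sockets} - set(explained))


if __name__ == "__main__":
    for proto, port in unexplained(parse_netstat(SAMPLE_NETSTAT), EXPLAINED):
        print(f"{proto}/{port}: no explanation on file, disable it or document it")
```

Established connections are ignored on purpose; only sockets that will accept new traffic need an explanation.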
