The UK Home Automation Archive

Archive Home
Group Home
Search Archive


Advanced Search

The UKHA-ARCHIVE IS CEASING OPERATIONS 31 DEC 2024


[Message Prev][Message Next][Thread Prev][Thread Next][Message Index][Thread Index]

RE: Re: [OT] - HELP PLEASE we've been hacked.


  • Subject: RE: Re: [OT] - HELP PLEASE we've been hacked.
  • From: "Dean Barrett" <dean@xxxxxxxxx>
  • Date: Wed, 14 Apr 2004 15:25:40 +0100

Thanks again David.

I'm going to print out your two replies and study them, and try and get my
head around your suggestions. It is now blindingly obvious to me that we
need to spend money to make ourselves more secure.

I'm must admit to living in blissful ignorance that our little server would
never get spotted in the great big internet thing :(



Dean.






Try our amazing lighting demonstration online now, and watch in
realtime via our webcam. Click below and follow the CBus links.
www.rolec.net
dean@xxxxxxx
Tel: 01908-210677
Fax: 01908-210678
The information in this internet E-mail is confidential and is intended
solely for the addressee. Access, copying or re-use of information in it by
anyone else is unauthorised. Any views or opinions presented are solely
those of the author and do not necessarily represent those of The Rolec
Group or any of its affiliates. If you are not the intended recipient
please
contact wrongmail@xxxxxxx

-----Original Message-----
From: David Buckley [mailto:db@xxxxxxx]
Sent: 14 April 2004 10:08
To: ukha_d@xxxxxxx
Subject: [ukha_d] Re: [OT] - HELP PLEASE we've been hacked.


As usual, I've only made myself half clear :-)

When I say you are "wedded to MS Server", I mean that thing that
runs CBus gateway and GeoVision, and am making no reference to IIS.

Now IIS is by far and away the most risky thing you can run for an
exposed webserver (unless you have people, skills, time and money to
keep it secured), and generally, as others have noted, dumping IIS
and replacing it with <anything_else> gives an improvment in
security.

None-the-less, exposing anything hosted on a microsoft server is
risky for two reasons.  (a) MS servers are the most frequently
attacked, and extensively compromised, and (b) exposed MS servers
tend to be integrated with your other servers and workstations, and
a compromised server can be used to attack your other machines.
That is the real scare - having your accounts, source code all
published...  This is why exposed servers should not be in the same
domains or trusted as its makes extensions of such attacks trivial,
as the compromised box has rights elsewhere on the network.

Although no-one has yet, in case I'm accused of MS bashing - not
only is there history here, but MS softwares security problems
almost inevitable, given that (a) MS are the biggest target, (b)
lots of people hate MS, (c) MS have always gone for functionality
first, second and third, and (d) as noted by Mr Harrison, commercial
pressures dictate a "sell today, fix tomorrow" attitude amongst
manufacturers.

If you really dont need IIS and you disable it (and everything else
unneeded on the server), your levels of risk from running a MS
server are reduced, but given that the stuff you are exposing is
relatively niche, I'd wager its even less secure than IIS (a scary
concept indeed), it just hasn't been put to the test yet, 'cos no-
one has been bothered to use it as an attack vector.

By the way; you can use the 'netstat -a' command to see what ports
are open on your server - anything marked "listening" should be
explained, it emans you are running a seevice.

The Vigor 2600 does indeed support a limited concept of a DMZ.  Its
a separate IP subnet on the same physical network.  Its a start, as
it separates IP traffic from exposed servers and internal machines
on the office LAN.  But they aren't separate at all from stuff that
isnt subnet constrained, such as ARP requests.  Using your
compromised machine as a bridgehead, an ARP probe will detect
the "other" subnet, and then its just a matter of configuring a
second IP address on the interface and the attacker is off....  For
this reason I dont get too excited about the pseudo-DMZ approach.
Its a free thing to offer in software, whereas a separate physical
port would put the price up.

What I would recommend you do as a better step is to not only use
pseudo-DMZ, but put another router box "between" the office LAN
with
its DMZ and your exposed server.  As you are using specialist
protocols only, a stateful inspection box like the zywall wont be
used to its best advantage, so any two port carble router with
access control lists will do - if they are still around a ZyXEL
Prestige 310 would do, as I think would a Vigor V2104P - it claims
to have packet level filtering, which is what you need, and is only
79 of your earth pounds.  A small price to pay for orders of
magnitude more security!






UK Home Automation Meet 2004 - BOOK NOW!
http://www.ukha2004.com

http://www.automatedhome.co.uk

Member Offers - http://www.freeranger.co.uk/ukha



----------------------------------------------------------------------------
--

UKHA_D Main Index | UKHA_D Thread Index | UKHA_D Home | Archives Home

Comments to the Webmaster are always welcomed, please use this contact form . Note that as this site is a mailing list archive, the Webmaster has no control over the contents of the messages. Comments about message content should be directed to the relevant mailing list.