Hi security experts,
below is some e-mail exchange in reaction to several attacks on our systems. My
question: did I go too far? Would you agree with advising on vulnerabilities in
the attacker's systems? Any further comments?
Bye
Marek
-----Original Message-----
From: Stiefenhofer, Marek ECOFIS
Sent: Friday, 24 November 2000 10:03
To: 'attacker@somewhere.com'
Subject: RE: ABUSE: Attacks by one of your hosts
Warne,
thank you for your kind interest. I am responsible for IT security in one of
Germany's largest non-public wide area networks. So you received my e-mail as
part of our standard procedure (we use intrusion detection systems and alert on
most hacking attempts).
I'm quite sure that our security is well set up. But you should consider
implementing some more security systems and concepts at your site. The
biggest problem you have is: your webservers are not protected by any kind
of firewall. This offers attackers lots of possibilities. On webservers there
are usually more services running than just the http service. As you don't use
firewalls, everyone can check for these services and even use them, and if
someone has access to your server he can install new services such as trojan
horses etc.
Here's an actual check of 123.123.123.123:
21/tcp    open     ftp            -> Microsoft FTP; possibility for Denial-of-Service attacks
25/tcp    open     smtp           -> Mail, no problem
53/tcp    open     domain         -> DNS, maybe a problem
80/tcp    open     http           -> Your IIS still provides possibilities to remotely write files and execute commands
110/tcp   open     pop-3          -> POP3, DoS
125/tcp   filtered locus-map
134/tcp   open     ingres-net     -> don't know
135/tcp   filtered loc-srv
137/tcp   filtered netbios-ns
138/tcp   filtered netbios-dgm
139/tcp   filtered netbios-ssn
157/tcp   filtered knet-cmp
443/tcp   open     https          -> secure http, no problem
593/tcp   filtered http-rpc-epmap
1030/tcp  open     iad1           -> don't know
5631/tcp  open     pcanywheredata -> either you use remote administration, or someone installed PC-Anywhere as a trojan horse
8080/tcp  open     http-proxy     -> http-proxy
12345/tcp open     NetBus         -> !!!!!NETBUS!!!!! This is a well-known trojan horse. Seems that someone has broken into your system
65301/tcp open     pcanywhere     -> see above
As you can see, your technical staff has closed all NetBIOS ports. These
services are used by Windows systems for their specific network
communication (called SMB). That's a good effort but not enough. As I tried to
explain, I could still attack all running services on your system and even
break in.
A firewall would protect your systems by denying all access from the
internet except to the needed services (http, https, ftp, smtp). But this is
still not secure. Now we come to the requested part, the "passive server check".
As explained, the firewall leaves the http service open. An attacker would
search for bugs in the http service. Such bugs are caused by the operating
system, by bad implementations of the http service or by customers' scripts
running on your server. Attackers use those bugs to create files on your
webserver or to remotely execute code. A passive scan is done by freely
available tools (such as twwwscan) which check whether certain files (usually
scripts) exist on your webserver. An active scan checks how these files react
to certain requests. Attackers use the found vulnerabilities to break into
your systems. So one of the most important security issues is to learn about
all known vulnerabilities and exploits and to patch your internet services.
To make it clear: it is still possible to execute code on your server via a
vulnerability called "newdsn.exe". People can still break into your systems
and can still install trojan horses to attack other parts of your network.
It is quite certain that you have been compromised and are still being abused
(NETBUS).
Anyway, I hope my answers will help you in securing your services. And don't
hesitate to ask your technical staff to contact me.
Best regards,
Marek Stiefenhofer
(IT Security)
ECOFIS GmbH
Tel.: (02 31) 75 45-1 17
FAX : (02 31) 75 45-2 22
e-mail: m.stiefenhofer@ecofis.de
Also visit our new online service:
http://www.alleco.de
-----Original Message-----
From: Warne [mailto:attacker@somewhere.com]
Sent: Thursday, 23 November 2000 22:28
To: Stiefenhofer, Marek ECOFIS
Subject: RE: ABUSE: Attacks by one of your hosts
Marek,
I have tried to contact you by telephone, but have been unsuccessful.
To introduce myself, my name is Warne Boulton, the General Manager and part
owner of appHosting.com.
I was most concerned to receive your email re the attack on your system via
one of our servers.
First, I hope that your security was better than ours and that no damage was
done to your server or systems.
Our technical people have worked on the issue and tell me that all is
ok. I was interested in the 'passive' test that was instigated. Can you
provide me details (in layman's terms, as I'm not technical) of how to run
this test so that I can arrange for it to be re-run against our servers to
ensure this doesn't happen again.
Thank you and best regards
Warne
-----Original Message-----
From: Stiefenhofer, Marek ECOFIS [mailto:m.stiefenhofer@ecofis.de]
Sent: Wednesday, 22 November 2000 1:05 AM
To: 'support@somewhere.com'; 'webmaster@somewhere.com';
'abuse@somewhere.com'; 'postmaster@somewhere.com'
Subject: ABUSE: Attacks by one of your hosts
*** PGP Signature Status: good
*** Signer: Marek Stiefenhofer
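The "passive server check" Marek describes in his reply above (a scanner such as twwwscan asking the webserver whether well-known script files exist, without sending them any input) can be written in a few dozen lines. The block below is an added example for this thread, not code from the original post, from ECOFIS or from twwwscan. Of the probed paths only newdsn.exe is named on the page; the other entries in KNOWN_PATHS are assumed illustrative candidates of the same kind, not a vetted or complete list, and http://h is a constructed host used only in the usage notes. The example also handles the case a naive existence check gets wrong: a server that answers 200 for every URL (a custom "not found" page), which would otherwise make every probe look like a finding.

```python
"""Passive web-server check: ask for a list of well-known script/sample
paths and report which ones answer, without sending them any input.

Added example, not code from the original post or from twwwscan. Only the
newdsn.exe path is named on the page; the other KNOWN_PATHS entries are
assumed illustrative candidates of the same kind, not a complete list.
"""
import secrets
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Optional

# Assumed starter list of paths a passive scanner would probe for.
KNOWN_PATHS = [
    "/scripts/tools/newdsn.exe",    # IIS sample script named in the post
    "/scripts/tools/getdrvrs.exe",  # assumed: sibling IIS sample script
    "/iisadmpwd/aexp.htr",          # assumed: IIS password-change sample
    "/msadc/msadcs.dll",            # assumed: RDS component
    "/cgi-bin/phf",                 # assumed: classic CGI sample
    "/cgi-bin/test-cgi",            # assumed: classic CGI sample
]

# A probe function maps a URL to an HTTP status, or None if unreachable.
StatusFn = Callable[[str], Optional[int]]


def http_status(url: str, timeout: float = 5.0) -> Optional[int]:
    """Return the status of a HEAD request, or None if the host is unreachable.

    HEAD asks only whether the resource exists; no parameters reach the
    script itself, which is what makes this check 'passive'.
    """
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code          # 401/403/404/... still tell us something
    except (urllib.error.URLError, OSError):
        return None              # refused, timed out, DNS failure


def answers_everything(base_url: str, status_of: StatusFn) -> bool:
    """Detect a server that returns 200 for any path (custom '404' page).

    Such a server makes every probe look 'present', so its 200s must be
    treated as inconclusive rather than as findings.
    """
    canary = "/" + secrets.token_hex(8) + ".exe"   # path that cannot exist
    return status_of(base_url.rstrip("/") + canary) == 200


def passive_scan(base_url: str,
                 paths: Iterable[str] = KNOWN_PATHS,
                 status_of: StatusFn = http_status) -> Dict[str, str]:
    """Map each probed path to a verdict string."""
    base = base_url.rstrip("/")
    catch_all = answers_everything(base, status_of)
    findings: Dict[str, str] = {}
    for path in paths:
        code = status_of(base + path)
        if code is None:
            verdict = "unreachable"
        elif code == 200:
            verdict = "inconclusive" if catch_all else "present"
        elif code in (401, 403):
            verdict = "present-restricted"   # exists, but access is denied
        elif code == 404:
            verdict = "absent"
        else:
            verdict = f"other({code})"
        findings[path] = verdict
    return findings


def main(argv):
    """Usage: passive_check.py http://host[:port]  (assumed script name)."""
    if len(argv) != 2:
        print(f"usage: {argv[0]} http://host[:port]", file=sys.stderr)
        return 2
    for path, verdict in passive_scan(argv[1]).items():
        print(f"{verdict:20s} {path}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a host you are authorised to test; a "present" verdict for /scripts/tools/newdsn.exe only says the file is reachable, and a "present-restricted" one that it exists behind an authentication or IP filter. Whether a reachable file is actually exploitable is the job of the active scan Marek distinguishes from this one, which is deliberately not part of this example.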