
Hacker keeps returning - any chances of getting him?


MakeItSo

Programmer
Oct 21, 2003
3,316
DE
Hi friends,

about two weeks ago, I caught a Trojan from somewhere.
McAfee detected it and removed it, no prob - I thought...
As it had detected multiple versions of it, which kept popping in, I unplugged the network wire, restarted, HijackThissed, Spybotted, cleared my cache & temp files, you know: the usual jazz.
I also installed an additional software firewall and screwed McAfee's security settings up to maximum.
Since then, all's clear; so far, so good.

Two days later however, my jaw dropped when my ftp log files told me that my ftp (running on a dedicated server) had been compromised - using MY logins, and my website "adorned" with a nice, hidden iframe...
[flame]

I closed the ftp service, changed all logins, checked the server (was clean) and restored the website by completely wiping the entire root and uploading my latest, clean package.

Since then, the hacker has returned 6 times so far, trying to get back into my ftp.
Alas, my log files show him with up to 18 different IPs on each try, located in USA, Canada, France, Sweden...
So I don't have a chance to identify him.
Do I?
[ponder]
That's my big question now: at the moment, that bastard does not get in and cannot do any harm. But he does keep trying and you know Murphy's Law: one day he might find a loophole somewhere...
I also don't want him to have a chance to bombard my server with requests until DoS...
Do I have any chance to find out the true origin of these attacks?
I'm already running Peer Guardian on my server now, but the history of PG does not show anything conspicuous at the time of his last attempt, which was yesterday evening.

I would greatly appreciate any advice you can give me.
I want to nail that rat!
[cannon]

Thanks!
MakeItSo

[navy]"We had to turn off that service to comply with the CDA Bill."[/navy]
- The Bastard Operator From Hell
 
do not play cat & mouse with them.
if it is worth catching him hire a professional.

good luck, stay protected.
 
Hi eyec,

what do you mean "hire a professional"?
I might give it some thought if I knew the "target". [tongue]

No, serious:
a) what kind of professional and where would I find a good one?
b) what costs are we talking about here?

Thanks a lot!
MakeItSo

[navy]"We had to turn off that service to comply with the CDA Bill."[/navy]
- The Bastard Operator From Hell
 
a) security/law enforcement - many are located throughout the world
b) are company financials, trade secrets, etc. at risk and what is the cost benefit of playing cat & mouse versus continued security of your network.


 
> a) security/law enforcement - many are located throughout the world
I thought you were talking about professionals.
If I left things to THEM, things would take ages, provided I am lucky enough to be in a precinct with equipment of dernier cri, which I doubt.
> b) are company financials, trade secrets, etc. at risk
Company financials: He would have to delve a lot deeper to get there. If he somehow managed to actually invade our network, then yes.
Trade secrets: definitely!
Customer data: also!
> what is the cost benefit of playing cat & mouse versus continued security of your network
Don't pull my leg or take me for a fool, eyec. I don't intend to "play cat & mouse"!!
As I have mentioned: the guy keeps coming back, data is currently safe, but he keeps coming back, ergo it is at risk!
I don't want to wait until anything happens!
I understand that getting a grip on such a son of a bee is extremely difficult.
If you consider it impossible, say so.
If you consider it unwise even given the risk assessment, say so.
Just don't pull my leg there!

Thanks!

[navy]"We had to turn off that service to comply with the CDA Bill."[/navy]
- The Bastard Operator From Hell
 
it probably is not one person trying to get in. it's probably bot computers trying to get in, thus IPs from different countries. best thing is to stay or get protected. if the data is safe you should be good, stay on top of things. like I said, it's probably not one person but a network of bot PCs (unless you are building a secret space shuttle). also, you can request a new IP address from your ISP, that may help also.
 
Makeitso,
i am not pulling your leg. if you re-read what I said without your condescending attitude you may make sense of what I said.

nuff said, good luck.
 
Hi North,

thanks. His latest attempt from Saturday greatly appeared "manual", i.e. was done with human speed over a time span of 18 minutes, that is why I believe one person to be behind it all. The initial attack and data gathering was certainly "botted".
Same with the ftp compromising and alteration of the website's index.html from April 10th.
But the following attempts to login made on April 14th ~8 p.m. as well as that on May 2nd between 12:17 and 12:38 definitely had a "manual" look & feel albeit rerouted through xyz.
:-(

Eyec, I'm not being condescending, I'm just more than slightly miffed over this SOB. Especially since I cannot overcome the feeling that there might be some connection to my previous job, and this whole thing a matter of espionage...

However: if I leave this up to the authorities without more in hand than an impossible-to-follow lot of IPs, what good would that do me? None!
That's why I want to gather as much information as possible in order to make the right and best decision!
If I sounded condescending, it was only because your posts did not help me in the slightest, which got me a little more miffed than before...
;-)


[navy]"We had to turn off that service to comply with the CDA Bill."[/navy]
- The Bastard Operator From Hell
 
Before I forget that:
There is one more thing that makes this entire affair look like a very targeted, specific attack:

In all the follow-up attempts, the hacker showed no further interest in the webmaster's ftp account, which is the only one with access to the website.
He exclusively tried to access customer-specific data!
Another reason why I am literally on tenterhooks to do more than just block.

[navy]"We had to turn off that service to comply with the CDA Bill."[/navy]
- The Bastard Operator From Hell
 
are you using some type of IDS/IPS? you may want to create a signature to prevent this type of action. lastly, you can create a honey pot, get his/her IP and start poking at them
 
> Especially since I cannot overcome the feeling that there might be some connection to my previous job

Given your next statement...
> He exclusively tried to access customer-specific data!

It would seem that they know something about the internal structures of your company, if they already have an idea where to look.

My guess would be that it could be a recently dismissed employee looking for payback, or maybe even a current employee looking for some 'insurance' by getting something to bargain with (anonymously of course).

> my ftp (running on a dedicated server) had been compromised - using MY logins
So how many login attempts were recorded?
Enabling increasing timeouts on failed attempts would help, as would completely disabling the account after a certain number of failures.

How many valid IP addresses for FTP login to a web server would there be? One perhaps, or at most a subnet.
Disallowing any login at all from anywhere else should be something to consider.

Anything other than port 80 should either be completely disabled, or pin-holed to accept connections from a very restricted set of addresses.

--
If you dance barefoot on the broken glass of undefined behaviour, you've got to expect the occasional cut.
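As an added example (not code from anyone in this thread), the two checks Salem suggests written as a small log analyser: count failed FTP logins per account inside a time window with a doubling lockout delay, and flag attempts that come from outside the subnet an account is allowed to use. The log format, account names, IP addresses and the allowed networks are all constructed for this example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a simple "<date> <time> <ip> <result> user=<name>" format.
# The accounts and addresses are made up; the pattern mirrors the thread's many-IP tries.
SAMPLE_LOG = """\
2009-05-02 12:17:03 203.0.113.5 FAIL user=customer17
2009-05-02 12:18:41 198.51.100.23 FAIL user=customer17
2009-05-02 12:20:09 192.0.2.77 FAIL user=customer17
2009-05-02 12:21:55 203.0.113.88 FAIL user=customer17
2009-05-02 12:24:30 198.51.100.9 FAIL user=customer17
2009-05-02 12:25:02 192.0.2.10 OK user=webmaster
2009-05-02 12:38:17 203.0.113.5 FAIL user=customer17
"""

# Hypothetical per-account allow-list: each login may only come from its own network.
ALLOWED_NETS = {
    "webmaster": [ipaddress.ip_network("192.0.2.0/28")],
    "customer17": [ipaddress.ip_network("198.51.100.0/24")],
}

def parse(log):
    """Turn log lines into (timestamp, source address, success flag, account) tuples."""
    events = []
    for line in log.splitlines():
        date, time, ip, result, user = line.split()
        events.append((datetime.fromisoformat(f"{date} {time}"),
                       ipaddress.ip_address(ip), result == "OK", user[len("user="):]))
    return events

def lockout_delay(failures, base=2, cap=300):
    """Seconds to hold the next attempt: doubles with every failure, capped at `cap`."""
    return 0 if failures == 0 else min(cap, base * 2 ** (failures - 1))

def analyze(events, window=timedelta(minutes=30), lock_after=5):
    """Per-account summary: recent failures, distinct sources, backoff, off-net sources."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[3]].append(ev)
    report = {}
    for user, evs in by_user.items():
        latest = max(e[0] for e in evs)
        fails = [e for e in evs if not e[2] and latest - e[0] <= window]
        off_net = sorted({str(e[1]) for e in evs
                          if not any(e[1] in n for n in ALLOWED_NETS.get(user, []))})
        report[user] = {"failures": len(fails), "distinct_ips": len({e[1] for e in fails}),
                        "delay": lockout_delay(len(fails)),
                        "locked": len(fails) >= lock_after, "off_net": off_net}
    return report

if __name__ == "__main__":
    for user, info in analyze(parse(SAMPLE_LOG)).items():
        print(user, info)
```

Many distinct source addresses against one account inside a short window is the signature the thread describes; the allow-list check catches those attempts even before the lockout threshold is reached.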
 
Concerning our network:
We are using a router with firewall, DOS-Attack prevention, call filter & data filter and McAfee Total protection with Host Intrusion Prevention.
IPSec is activated and equipped with a custom blacklist, and the Admin password is extremely strong.

The server hosting the FTP is Plesk & Firewall protected, IPSec & Peer Guardian, the FTP Software is a licensed one with hammering protection, blacklist and additional custom blacklist - and the admin password is even stronger there.

I admit, I don't quite understand what you mean by a "honey pot"?
You mean like a fake Trojan pretending a weak system thus attracting the hacker?
If so: in what way would that serve me other than get another load of dozens of IPs? If the hacker uses drones all the time, why shouldn't he for such a "honey pot"?
:-?

Thanks a lot!
:)

[navy]"We had to turn off that service to comply with the CDA Bill."[/navy]
- The Bastard Operator From Hell
 
a honey pot is nothing more than a 'DMZ'-like area a hacker can go to, where he thinks he hit the jackpot, but in reality you just quarantined him to another part of your network
 
Hi Salem,

> It would seem that they know something about the internal structures of your company, if they already have an idea where to look.

> My guess would be that it could be a recently dismissed employee looking for payback, or maybe even a current employee looking for some 'insurance' by getting something to bargain with (anonymously of course).
That is exactly my suspicion - albeit the other way round:
All of our company were formerly employed by another company, a so-called "global player".
They closed our office and fired us (just to cut the cost, no personal beefs).
We then established our own company. Now we are practically competitors - and some customers have moved away from the former company after they no longer received the service they had from us, and came to us; so we are also actually pulling revenue from said former employer.
Rumours have it that quite a few of the leading heads are rather ... envious - and P*ed off, of course, especially with us pulling their revenue away in times of crisis.

That's why I believe that to be quite a valid suspicion.

> So how many login attempts were recorded?
6 in total. Why so many? Because I admin the FTP and the accounts. Some had problems logging in, so I entered their logins into my FTP client and logged in. Of course they only had mistyped the password...
My bad: I hadn't deleted these login credentials right away, hence they were still on my computer.

Anyway: first thing I did was to alter all affected login names, and assign new, strong passwords to ALL logins, affected or not.

> Enabling increasing timeouts on failed attempts would help, as would completely disabling the account after a certain number of failures.
Knowing how often certain account holders mistype their password, not such a viable option, I'm afraid.
[tongue]

> How many valid IP addresses for FTP login to a web server would there be? One perhaps, or at most a subnet.
> Disallowing any login at all from anywhere else should be something to consider.
Impossible. The number of valid IP ranges is finite, the number of addresses is not.
We have a lot of accounts...

> Anything other than port 80 should either be completely disabled, or pin-holed to accept connections from a very restricted set of addresses.
The only ports open are
- 80 - since it is also our web server
- 21 for FTP and
- 25 for SMTP
SMTP port is restricted to one single IP address, that of our Exchange Server.
:)

Thanks!

[navy]"We had to turn off that service to comply with the CDA Bill."[/navy]
- The Bastard Operator From Hell
 
First start by knowing how the intruder is getting to your machine. I presume that it is physically secure. That leaves the network/internet.

Since your computer appears to you to be securely configured with antivirus and firewall, then you can't actually be getting new breaches. You're just never cleaning the original.

The best way to clean your machine is reformat. It sounds like you want to avoid that, so take the hard drive out, and put it in a known good (Host, I'll call it) machine with current antivirus. Make sure to boot from the host machine's normal drive, and not your infected machine. Then scan your hard drive using the host machine's AV, not just quarantining, but deleting everything it finds.

When you re-assemble your machine, make sure all memory sticks, external drives, etc., are clean as well.

Still be prepared to reformat. Unplug it from the network, backup everything you want to thumb drive or CD/DVD.

Good luck--
 
that's a good dang way to get another machine infected right there....

what OS is this on, and in what type of domain are the user accounts in?

- Brandon Wilson
MCSE:Security00/03; MCSA:Security03
MCSA:Messaging00; MCP; A+
IT Pangaea (
 
Only if you don't have the host machine secured properly.
 
@Compuveg: reformat? I don't believe this to be necessary.

FYI: The computer was not quite THAT secure at the time of the breach. My Antivirus license had expired ~ a week before, the new license had been ordered but not arrived yet.
With that in mind, the hacker could not have chosen a better (i.e. worse) timing.
The HIPS is part of the new Antivirus package, it was not part of the old one. My choice to upgrade the package was made before the breach but it proved to be a necessary one.
The firewall too was not installed yet at the time of the breach. Back then, the computer was only secured by the router's firewall & security settings, and the enterprise antivirus/antimalware package.

I am pretty certain that my machine is now clean, so I'll be damned if I nuked my beloved machine now!
[bigcheeks]

User accounts are sufficiently secured, the hacker is locked out.

The only thing that is unnerving me is that I don't seem to have any chance of backtracking the dirtbag, since he obviously used multiple hijacked, infected computers during the attack, leaving me with a few dozen logged IPs.
[nosmiley]

[navy]"We had to turn off that service to comply with the CDA Bill."[/navy]
- The Bastard Operator From Hell
 
compuveg - you insecure your machine the second you put an infected drive in. I don't care what you're using or how you're using it... if you stick an infected drive in a healthy machine, and that other drive being stuck in is infected with any kind of virus half worth its weight, it will immediately replicate itself to the drive of the new system. It is the EXACT same concept as putting an infected floppy into your PC and getting infected by it. I will give you that your AV may catch it and try to delete it, but I have personally seen a few viruses where the AV says they are removed, yet they persist (most notorious for me was a virus infecting DLLHost.exe while I was at Microsoft still, where it took me quite a number of hours just to trick the virus so I could actually clean it out of the 10 lab systems - this AFTER the AV said they were clean and deleted). This is a common thing in my experience with McAfee AV in fact..... I've seen many viruses slip by it in my career.... I've also seen viruses slip by others avoiding detection too, but not even close to as many times as McAfee misses....



MakeItSo - Depending on how he is coming in, honestly, it's unlikely that you will get a trace of the attacker's actual identification point unless they are dumb enough to attack from their own machine, which won't happen, and even if it did, you won't know it. I would, being a paranoid person like this, throw an extra hardware firewall into the mix AND an ISA server (or one or the other) (I am assuming this to be an MS network like most are these days).
If you want to do further checking for infection, then you need the names of any files that were infected and the original virus executable name. If you have those filenames, then you can search your Run key in the registry for any references, as well as your Prefetch folders.

- Brandon Wilson
MCSE:Security00/03; MCSA:Security03
MCSA:Messaging00; MCP; A+
IT Pangaea (
 
> If you have those filenames, then you can search your Run key in the registry for any references, as well as your Prefetch folders.
Thanks Brandon, already did that. :)
That's why I'm sure my machine is now clean.
Concerning the network, I use a hardware firewall and have tightened its settings considerably after the attack.
That combined with tight IP-filtering and a Host Intrusion Prevention system should leave me on a relatively safe side.
Within the network, it is my main working computer alone that suffers the greatest risk of infection, as my job requires lots of research and unfortunately also often the download of tools. I think it was the latter which finally led to the infection.
I have now additionally upgraded the security on this working computer to:
- McAfee Antivirus Enterprise 8.7 with Antispyware module
- Comodo Firewall with heavy settings
- Spybot S&D
I tried installing SNORT, but it doesn't work yet.
Weekly HiJack This & S&D scans go without saying.

I'll try to view it all positively: The current score against this specific hacker is 7:1 in my favour.
:)

Thanks all!

[navy]"We had to turn off that service to comply with the CDA Bill."[/navy]
- The Bastard Operator From Hell
 