
Lotus domino server hacked...


karmic

Technical User
Jul 20, 2001
973
CA
K, i'm gonna need a little advice on this one...

Have a client whose domino server (running on windows 2000 server) has been hacked due to a lax firewall. Foreign users are set up and domino is down completely. I'm waiting 'til tomorrow for the new snapgear firewall to come in before I touch the thing... I know domino but am no expert with it.

Can anyone supply some light on how to check the domino security levels and what not? Any repair tools on the market? Has this happened to anyone elses domino server and if so, how did you recover?

Thanks.




~ K.I.S.S - Don't make it any more complex than it has to be ~
 
Hello,

What is the size of your Data Directory? How many servers reside in your Notes Named Network? I helped someone with a similar issue a while back and it was easier to offload the current Data directory, restore the Data directory from tape from the backup before the hack and proceed with bringing over user data between the restore and hack.

This sounds scary, but you really can't tell what was done since the hackers could have placed an agent anywhere. I would secure the Firewall, then the box then Notes. Anyway, let me know and I will try my best to help out.


Rgds,

John
 
Good idea... Don't know about the integrity of the tape backups at this point.

There is only one server with 15 workstations on this network, not too many choices overall.

Going in tomorrow with a new firewall, getting rid of the netgear box they currently have. Security first, then fix server.

I'll let you know.

~ K.I.S.S - Don't make it any more complex than it has to be ~
 
Hey,

Well, if it's only 15 Mail DBs, I would start like you said with the FW, then the server, then Domino. I would restore names.nsf from tape and look at all your DBs (mail DBs, admin4.nsf, etc...).

I would remove replication and check the ACL on the restored names.nsf. Take the old names.nsf and match any differences. I would make sure you check the signer of each DB and design element from the Designer. I hope this helps.

Rgds,

John
 
As a stickler for security here is my advice, it's not pleasant either, but it will make sure that nothing that isn't wanted gets back into the new system:

1) Make a replica of server on a workstation by installing server and replicating everything over

2) (optional) Make a replica of the mailboxes on the user's local machines

3) ARCHIVE ALL THE MAIL IN THE USERS MAILBOXES

4) Blow away the current server (once you are sure you have all the data)

5) Setup and secure Windows 2000 on the server

6) Setup and secure Domino 6.5 on the server

7) Copy the data from the old names.nsf file back to the new names.nsf file

8) Recreate the other databases and copy the data from the old ones back over (get any agents / code / etc that you can verify and leave the others).

9) Create new mailboxes for the users. Their mail will be stored in the archive and the new mailboxes will be empty not requiring you to move any mail back over.

Basically you are getting rid of all the old databases but saving the data.

This process or the process above will take you a while to do correctly, but this process should have a higher success rate at making sure you don't miss an agent or something hidden in the OS because all of that will be gone or ignored when you move things back over.

CJ

Don't drink and post, save that for driving home!
 
Redoing the entire server isn't exactly on the back burner.
There's other issues I'd like to take care of, especially the .com domain. I haven't had the chance to do a full exam of the server but there's no sense 'til the new firewall gets here (hopefully today).

Depends on what will be quicker and more cost effective of course. I've never done an install/setup of domino, though it can't be that difficult. The version they have is 5.0.9.

I'll post back when I know more.

Thanks

~ K.I.S.S - Don't make it any more complex than it has to be ~
 
BTW, is there an iNotes (or similar) package for domino 5.0.9?

Not sure if they want webmail or vpn access...

~ K.I.S.S - Don't make it any more complex than it has to be ~
 
quick update...

Firewall is installed, server locked down and all updates are in. All passwords have been changed.

Domino: Certs are all messed up. The only user that has the ability to certify another user is just a user. Administrator cannot certify anymore. What a mess.

How does one quickly create or redefine the domino admin as the primary certifier?

Thanks.




~ K.I.S.S - Don't make it any more complex than it has to be ~
 
Ok, another update for you...

Found out what happened, and if anyone has any ideas, please toss them out to me.

On the 13th of April, Backup Exec requested the monthly backup... no big deal right? Wrong, did a full system restore from last month. Unfortunately, nobody knew that Domino was reinstalled in January 2002 on the D: drive. Backup Exec was backing up the old domino sitting on C:, not the new install on D:.

Checked the logs for BE and there were 700 files skipped (open files), the rest of the 80000 files were restored (without the new domino install). Since then, domino has been falling apart. The logs indicate that the last viable backup was performed on the 6th of April but I don't want to touch anything 'til I talk to the client tomorrow.

Sound like fun?



~ K.I.S.S - Don't make it any more complex than it has to be ~
 
Hey Karmic,

Just read through your latest responses. iNotes is available in R5.0.9. You would want to use iNotes5.ntf on your mail DBs and make sure your HTTP task is running.

Regards to your backup, are they backing up the Domino Program Directory too? The only thing you need to really back up is the notes.ini and the Domino Data Directory. Those skipped files appear to me that the backup job is trying to back up files being used by the Program and not Domino .nsf or .ntf's.

Hope this helps.

Rgds,

John
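The root cause in this thread was a backup job pointed at the old C: install while the live Domino data directory lived on D:, and John's point that only notes.ini and the Data Directory really matter. The following added check (not from any poster, and not part of Backup Exec or Domino) reads the `Directory=` entry from a constructed notes.ini, confirms whether the backup selections actually cover it, and picks out which skipped "file in use" entries are .nsf/.ntf databases under that directory. The notes.ini fragment, the selection list and the skipped-file log lines are all constructed samples, and the log line format is invented rather than Backup Exec's real layout.

```python
import re
from pathlib import PureWindowsPath

# Constructed notes.ini fragment: the live install is on D:, as in the thread.
NOTES_INI = """[Notes]
Directory=D:\\Lotus\\Domino\\Data
KitType=2
"""

# Constructed backup selection list: what the job was really backing up.
BACKUP_SELECTIONS = [r"C:\Lotus\Domino", r"C:\WINNT"]

# Constructed skipped-file report (format invented for this example).
SKIPPED_LOG = """\
Skipped: D:\\Lotus\\Domino\\Data\\names.nsf (file in use)
Skipped: D:\\Lotus\\Domino\\Data\\mail\\karmic.nsf (file in use)
Skipped: D:\\Lotus\\Domino\\nserver.exe (file in use)
Skipped: C:\\WINNT\\system32\\config\\SYSTEM (file in use)
"""


def data_directory(ini_text):
    """Return the Directory= value from notes.ini (Domino's data directory)."""
    m = re.search(r"^Directory=(.+)$", ini_text, re.MULTILINE | re.IGNORECASE)
    if not m:
        raise ValueError("notes.ini has no Directory= entry")
    return m.group(1).strip()


def _under(path, root):
    """True if path is root itself or lies below it (case-insensitive)."""
    p = PureWindowsPath(path.lower())
    r = PureWindowsPath(root.lower())
    return p == r or r in p.parents


def backup_covers_data_dir(ini_text, selections):
    """Does any backup selection include the live data directory?"""
    data_dir = data_directory(ini_text)
    return any(_under(data_dir, sel) for sel in selections)


def skipped_databases(log_text, ini_text):
    """Skipped .nsf/.ntf files inside the data directory: the ones that matter."""
    data_dir = data_directory(ini_text)
    hits = []
    for line in log_text.splitlines():
        m = re.match(r"Skipped:\s+(\S+)", line)
        if m and m.group(1).lower().endswith((".nsf", ".ntf")):
            if _under(m.group(1), data_dir):
                hits.append(m.group(1))
    return hits
```

Skipped program files (nserver.exe, registry hives) are noise, but a skipped names.nsf means the restore point has no usable address book; run this against the real notes.ini and job report before trusting any tape.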
 