Tip

Don't do this: A hacking investigated

Sometimes we learn the most from relating to the mistakes of others. That's what this tip, which is excerpted from InformIT, will allow you to do.

The portion of the original article presented in this tip discusses the setup at the author's client that allowed a massive hack. The remainder of the article discusses the detective work and remedial action taken to bring the client back to a safe place.


It all started with a fairly innocent call from a client/friend of the family who was having Internet problems. Specifically, he was wondering why his T1 line was moving uncharacteristically slowly and was concerned that he may have contracted a virus. This particular client had a past history of becoming victim to viruses and worms, so his concern was valid. I said I would take a look.

Having discovered this client's previous infestation, I was expecting that he probably had become the victim of yet another worm or virus and just needed some simple suggestions and pointers on how to remove it. To my surprise, this prejudice only scratched the surface of the many problems this client was having. As you will learn, my client's network not only had become infected by digital worms, but it also had become home to both a horde of hackers using it as a warez server and a brand new IRC Trojan/IIS worm named Total Kill.

This particular client is one of those small businesses that doesn't need to hire a full-time computer person. Instead, it relies on the good will and part-time support of friends and family members. As a result, its network has been through the hands of several competent but distinctly unique support personnel during the last couple of years, all of whom have added to the overall layout and configuration of the network. What makes matters more interesting is that the client was previously a mini–Internet service provider (ISP) for some local-area businesses.

Due to its ISP business, the client purchased a T1 and, with it, several hundred IP addresses and the equipment to manage them. So as to not put these addresses to waste, one of the previous administrators had set up a Cisco router and DHCP server to provide each internal computer with a unique public IP address. In other words, every device on the network had a dedicated IP address that was accessible from the Internet.

At the core of this network is one computer hosting a multitude of services. The computer, running Microsoft's NT4 operating system, operated as a DNS server, DHCP server, Exchange server, primary domain controller, and file server; it also acted as a host to a custom database program for the business. Due to the many services this computer was providing, it was a primary target for viruses and worms. In fact, five months before this situation, the server was inoculated from a Nimda infestation.


To continue the story of this hacking, click over to InformIT. You have to register there, but the registration is free, and the article is well worth the time.


This was first published in January 2003
