DA Logs Improvement

thoroughfare (Verified User, joined Aug 11, 2003, 543 messages)
Hi,

After a server compromise recently, I found out how useful DA logs are :) However, I have a suggestion for improvement. In Apache logs, if a cracker is spoofing his IP, then it's still quite easy to trace his actions because of the OS version, browser and .NET version which are shown in the Apache logs (provided the cracker isn't spoofing those as well).

If the DA logs could contain this info too, or at least an md5 hash of the above info, that'd be really helpful for tracing the actions of intruders using spoofed IPs.

Thanks,
Matt :)
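An added example (not from the post, and not DirectAdmin code) of the correlation Matt is asking for, done over Apache combined-format lines: each request's User-Agent string is reduced to an md5 fingerprint and requests are grouped by that fingerprint instead of by source IP, so a browser that appears behind several addresses is listed together. The log lines and the /filemanager path are constructed for the example.

```python
import hashlib
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (not from the post): the same browser string shows up
# behind two different source addresses, plus one unrelated visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2004:14:02:11 +0000] "GET /filemanager?path=/home/user1 HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
198.51.100.7 - - [10/Aug/2004:14:03:40 +0000] "GET /filemanager?path=/home/user2 HTTP/1.1" 200 4980 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
192.0.2.9 - - [10/Aug/2004:14:05:02 +0000] "GET /index.html HTTP/1.1" 200 1220 "-" "Mozilla/5.0 (X11; Linux i686) Gecko/20040803 Firefox/0.9.3"
"""

def fingerprint(agent: str) -> str:
    """MD5 of the User-Agent string: the compact tag the post suggests logging."""
    return hashlib.md5(agent.encode("utf-8")).hexdigest()

def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None

def group_by_fingerprint(log_text: str) -> dict:
    """Bucket requests by User-Agent fingerprint instead of by source IP."""
    groups = defaultdict(lambda: {"agent": "", "ips": set(), "requests": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than aborting the whole run
        fp = fingerprint(rec["agent"])
        groups[fp]["agent"] = rec["agent"]
        groups[fp]["ips"].add(rec["ip"])
        groups[fp]["requests"].append((rec["time"], rec["ip"], rec["request"]))
    return dict(groups)

def multi_ip_fingerprints(groups: dict) -> list:
    """Fingerprints seen from more than one address, the pattern the post describes."""
    return sorted(fp for fp, g in groups.items() if len(g["ips"]) > 1)

if __name__ == "__main__":
    groups = group_by_fingerprint(SAMPLE_LOG)
    for fp in multi_ip_fingerprints(groups):
        print(fp, sorted(groups[fp]["ips"]), groups[fp]["agent"])
```

As the post itself notes, the fingerprint is only as reliable as the client-supplied header, so it supports correlation of a session's actions rather than proving who was behind it.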
 
Neither I nor my admins can figure that out. They didn't access SSH, didn't get root, and only seemed to login to DA as admin.

Once logged in, they went into a couple of user accounts and tried to crack the file manager by manipulating the GET string (URL) sent to DA - as though they were trying to get root. I followed all their actions through the DA logs, but it became difficult because of the IP spoofing they seemed to be using.

The worst thing that they did was to duplicate a few files from two of the domains we host and insert an Internet Explorer exploit (using .chm files) into those duplicated files. They then used a mass-marketing site (*not* our server) to spam thousands of email addresses with the URLs that they had uploaded... causing a few thousand Net users to become vulnerable to the IE exploit.

Two of our customers share a certain workstation at their workplace, and that workstation (not one of ours - their machine) was found (after a week or two) to have a virus on it.

We concluded that the virus must have been a trojan or keylogger (we're unsure of this as the customers formatted their disk to remove the virus) - and then the intruder managed to get into their accounts, and then into the admin account somehow. There was no colossus of failed admin login attempts, though, which could suggest they had the admin password. Only my admins and I have passwords to any of our servers, and I use an SSL cert to secure DA - so the password must have leaked out in some way - either using a virus (trojan/keylogger) on my or my admins' workstations (although we all run virus checks and update software frequently) or by means of interception - I did once send a root/admin password combo via a secured AIM session to one of my admins.

So, it's still a bit of a mystery, but after changing the root and admin passwords, we've seen no suspicious activity since.

Matt :)
 