
Peter Kaufman

Hi,

My M.D. is extremely worried about security - not completely without
reason. We have found out that it is likely that some bad people with
mid-level I.T. skills had access to our server a while back and there
is some evidence that data has been recently stolen. Personally I
think it is a personnel problem but want to cover all bases.

I am protected with a firewall and monitor for intrusion, but he has
got it in his mind that there _may_ be some kind of backdoor software
installed on a server. A firewall and ID would not be effective in
that case. There is nothing in the logs showing any suspicious
activity but I know there are ways to manipulate the log files.

Can I by logging all outgoing network activity or some other way
confirm that there is no unauthorized opening of ports and
transference of data going on? What is my best approach to put both
our minds at ease?

Thanks very much,

Peter Kaufman MCP
 
Unfortunately, the only way to be 100% sure that a suspected-compromised
system is intact is to rebuild it from scratch. (It's an ugly answer, but
it gives you peace of mind, since you know that there's nothing on the
server that -you- didn't put there.)

Absent that, since it -is- a really ugly answer, a few ideas:

Firewalls are good, as is installing and maintaining anti-virus software and
spyware detection utilities such as Ad-Aware. You can also enable Windows
auditing of object access to alert you whenever any data files are accessed.
(This will make for some -huge- log files for you to sift through, but in
your case sounds like it would be worth it.)

You can also use IPSec filtering to allow -only- the ports that you want
this server to transmit on. Any other traffic would be dropped
automagically.
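Peter asked whether logging can confirm that no unauthorized ports are open and no data is leaving, and Laura's suggestion is to allow only the ports the server is supposed to use. The script below is an added example, not code from the thread: it parses a constructed `netstat -ano` style listing from a Windows host, compares it against a hypothetical baseline of expected listeners and allowed outbound ports, and reports the owning PID of anything outside that baseline. The baseline values, the LAN prefix and the sample output are all assumptions.

```python
import re
from typing import List, Set, Tuple

# Constructed sample of `netstat -ano` output (not from the thread).
# 203.0.113.5 is a documentation-range address standing in for an unknown remote host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1120
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       2312
  TCP    192.168.1.10:49700     203.0.113.5:4444       ESTABLISHED     2312
  TCP    192.168.1.10:49701     192.168.1.20:445       ESTABLISHED     4
  UDP    0.0.0.0:123            *:*                                    1044
"""

# Hypothetical baseline: what this server is expected to expose and emit.
EXPECTED_LISTENERS: Set[Tuple[str, int]] = {("TCP", 135), ("TCP", 445), ("TCP", 3389), ("UDP", 123)}
INTERNAL_PREFIX = "192.168."            # assumed LAN range; anything else counts as external
ALLOWED_EXTERNAL_PORTS: Set[int] = {80, 443}   # outbound ports the server may use to the Internet

# proto, local addr:port, foreign addr:port, optional state, PID (state is blank for UDP)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(?:(\w+)\s+)?(\d+)\s*$")

def parse_netstat(text: str) -> List[dict]:
    """Turn netstat -ano lines into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, _laddr, lport, raddr, rport, state, pid = m.groups()
        rows.append({"proto": proto, "lport": int(lport), "raddr": raddr,
                     "rport": rport, "state": state or "", "pid": int(pid)})
    return rows

def find_anomalies(text: str) -> List[str]:
    """Report listeners outside the baseline and established sessions to non-LAN
    hosts on ports outside the allowlist, with the owning PID for follow-up."""
    findings = []
    for r in parse_netstat(text):
        if r["state"] == "LISTENING" or r["proto"] == "UDP":
            if (r["proto"], r["lport"]) not in EXPECTED_LISTENERS:
                findings.append(f"unexpected listener {r['proto']}/{r['lport']} pid={r['pid']}")
        elif r["state"] == "ESTABLISHED" and not r["raddr"].startswith(INTERNAL_PREFIX):
            if int(r["rport"]) not in ALLOWED_EXTERNAL_PORTS:
                findings.append(f"external session to {r['raddr']}:{r['rport']} pid={r['pid']}")
    return findings
```

A host-level listing can be tampered with on a compromised machine, so the findings are only as trustworthy as the host; cross-check them against a capture taken off the box, as Steve suggests later in the thread.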
 
Any other traffic would be dropped auto"magic"ally.

Don't know if this was a typo, or on purpose... but I really liked the idea.
 
Hi Laura,

Auditing is a good tip, but I still wonder about a network/port
capture (I am a bit out of my depth here..) Anyone have any ideas
about that?

Thanks,

Peter
 
Network sniffing is dead easy so you have to 'manage' your LAN, use
encryption if justified between LANs. Watch out for false floors and roofs,
people adding wireless gear behind your back etc.

A bank in Israel got 'robbed' via a wireless connection that burglars broke
in to install a while back - they didn't notice the wireless device until
money had been lost...

It would be best to get some good literature to round things out so that you
are not becoming paranoid and expending energy on the unlikely when the most
likely events are just walking out the door.

Try a search for CISSP at amazon.com (or your favourite bookseller). This
will bring up a lot of books on the subject including one on the Ten Domains
of security. A lot of this may be too heavy for you, but even the Dummies
book on CISSP may be an eye opener.

- Tim
 
Firewall logs are a good start for network traffic. A personal firewall such
as Sygate [free to try] has some excellent logging and the logs can be
sorted by column. Personal firewalls also have the advantage that you can
create firewall rules mapped to applications that can prevent
unwanted/unknown programs from accessing the network. Ethereal [free] is a
packet capture program which will give very detailed info on network traffic
and you can configure filters to narrow your search [ports and IP addresses]
and exclude what you don't want to see so as not to get overwhelmed with all
the entries. --- Steve

http://smb.sygate.com/small_business.htm
http://www.ethereal.com/ --- there is a version for Windows
 
A firewall is not going to help for locally initiated traffic but I
checked out Ethereal. What a terrific freeware utility - thanks very
much for the tip.

Peter

 
Peter,

If a compromise is suspected, the machine must be rebuilt immediately. If
your MD is in the US, he exposes himself to some serious liability if he
isn't in compliance with HIPAA requirements. If he has California patients,
he should also comply with SB1386 notification requirements.

--
Eric Chamberlain, CISSP
Campus Active Directory Architect
Central Computing Services
University of California, Berkeley
http://calnetad.berkeley.edu
 