by   April 25 2012   
Reporting Virus-Infected Websites and Suspect (Hacked) Servers

This article may turn into a long-running series, or it could all end here.

History (if you don't know me): Since 1997 I have read security log reports from networks that I monitor directly or indirectly with the XCtM Project. To say the least, it has given me some really good insight into detection and countermeasures.

One of the biggest challenges I have found over all these years is getting the server admin or network admin to actually respond to a notice that they may have a serious problem.

It could be that they don't want to know or they just don't want to admit that something was wrong which might lead to some bad PR.

One day I sent out 25 notices on servers that were hacked and easy to prove. Out of the 25 emails I had 1 reply; the US Forestry Department sent a "Thank you, we didn't need that server so we shut it down." The others didn't reply, so I did what any good IT person would do: I set up a check to see how long each hacked server was left online uncorrected. Some went for months, others only days. Was it the email? Who knows, but I did my IT part and gave them a heads up.

What I have found is that too many admins don't check their email, or they get so much spam that my notices are lost in the "Delete All" pile.

With that, I do have a question for the IT admins. If a subject line read "Security Alert: IP 192.168.1.1 appears to be compromised." would that get your attention? Or is that something you see every day now and would just delete?

For me, XCtM uses a simple API and sends me a text alert when a problem is detected on the network. Simple enough: if someone attempts any type of SQL injection, it just bans them from the network. But when a connection arrives on port 3389, that is sent to me via text. This gets old fast, if you ask me. So I have set up other filters that do a quick ARIN lookup and check whether the IP is registered to a business. If so, where? If it is in my state, text Murray. If not, email me a copy and one day I'll read it.
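The alert routing described in the two paragraphs above (the notice subject line, and the SQL-injection ban / port 3389 / ARIN-lookup filters), as an added example that is not XCtM's code. The registry table, the home state and the injection patterns are constructed assumptions so the script runs offline.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for the ARIN lookup: IP -> (organisation, US state).
# A real filter would query the registry; this table only lets the example run offline.
REGISTRY = {
    "198.51.100.7": ("Example Widgets LLC", "TX"),
    "203.0.113.9": ("Example Hosting Inc", "CA"),
}
HOME_STATE = "TX"   # assumption: the monitoring admin's own state
RDP_PORT = 3389
# Crude SQL-injection indicators in a request line (assumed patterns, not XCtM's).
SQLI = re.compile(r"(union\s+select|\bor\s+1\s*=\s*1|'\s*--|;\s*drop\s+table)", re.I)

@dataclass
class Event:
    src_ip: str
    dst_port: int
    request: str = ""   # HTTP request line; empty for non-web connections

def lookup_org(ip):
    """Return (org, state) if the source IP is registered to a business, else None."""
    return REGISTRY.get(ip)

def triage(ev):
    """Routing from the post: ban injectors, text for in-state RDP probes,
    email every other connection on 3389, ignore the rest."""
    if SQLI.search(ev.request):
        return "ban"
    if ev.dst_port == RDP_PORT:
        org = lookup_org(ev.src_ip)
        if org is not None and org[1] == HOME_STATE:
            return "text"
        return "email"
    return "ignore"

def notice_subject(ev):
    """Subject line for the heads-up sent to the remote network's admin."""
    return f"Security Alert: IP {ev.src_ip} appears to be compromised."

def process(events):
    """Return one (action, subject) pair per event, in input order."""
    return [(triage(ev), notice_subject(ev)) for ev in events]

if __name__ == "__main__":
    sample = [   # constructed events, not real traffic
        Event("203.0.113.9", 80, "GET /item.php?id=1 UNION SELECT user,pass FROM users"),
        Event("198.51.100.7", 3389),
        Event("203.0.113.9", 3389),
        Event("192.0.2.5", 443, "GET /index.html"),
    ]
    for action, subj in process(sample):
        print(f"{action:6} {subj}")
```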

That brings me to my next point: if I can create a script that identifies misuse of my network and alerts me, wouldn't you think other IT admins have the same type of scripts running?

I'd like to know what you think. This isn't a discussion board, but I can start one over at some good website.

I'm curious whether other IT admins would want to be alerted by another admin when their servers attempt outbound connections to other servers on specific ports. I would answer yes: call me directly if you find any of my servers attempting connections on port 3389, anytime!

Real-time security alerts would be a good project for SMTP, WWW, and externally facing but protected file servers.

What do you think?

NOTE: I know that any system or process will be exploited or abused. But having some type of reporting system so IT admins can be alerted is better than nothing. Maybe a central database of contact emails that are not public, or just your text number. I use both and it has been working for me just fine.
