
#1
Old February 27, 2013, 02:13 PM
BrainEater
Hall Of Fame
 
Join Date: Mar 2007
Location: Calgary
Posts: 2,513
Sandboxing

Mhhrmmm

OK, so some dumb asshole decided it would be cool/fun/whatever to hack the servers of a business, and kill 3 days of production. Drinkers of the whole world unite, let's find this little bastard and beat em with a bottle.... !~!

Here's the short version : (and I don't know the whole story yet)

We *had* a Mac G4 on our network used for music. Apparently, it was also used for the Vuze bittorrent client.......this is where it gets fuzzy...Possibly thru Vuze, or mebbie just from a corrupted YouTube link, (or whatever, uncontrolled machine), someone gained complete control.....they went from a machine not on the domain, right into our 'on-the-domain' servers, and encrypted our HDDs and then demanded ransom.

I have the 'infected, unaltered' machine I believe, and I'm setting up a sandbox to run it in with something like SolarWinds going.

I've also got a free pf router and switch setup. I want to record every single byte of data in and out of this rig.

Any sandboxing/whitehat tips ?

TYIA

Ross

__________________
Intel 3930k /rIVe/32 Gb vengeance LP/Nvidia TITAN/760/760/Intel 520's/WD raptors/etc...

Last edited by BrainEater; February 28, 2013 at 12:40 PM.
#2
Old February 27, 2013, 03:54 PM
ZZLEE
Hall Of Fame
F@H
 
Join Date: May 2009
Location: KANATA
Posts: 2,097


This doesn't sound like a drive by hacking to me.

Hope you catch the perp. messing with Beer
__________________
"EVGA hunted down the last dozen or so expats living in Karachi." SKY
#3
Old February 27, 2013, 04:30 PM
BlueByte
Allstar
 
Join Date: Feb 2011
Location: Maynooth
Posts: 541

Before you get too deep here, do you have a backup from before the hack? What systems got encrypted (servers, desktops)? I would not be surprised if he has multiple entry points if he got access to your domain, or at least I would if I hacked into a system. I would suggest you touch every device (PCs, printers with any remote access, switches, routers) to make sure (SOOOO sorry).

I would suspect they are overseas, that's where most of my attacks come from. At this point there is very little you can do, because I would hop through open proxies that are impossible to keep logs of to do an attack. Once in I would create an SSL tunnel and then there is even less hope of packet sniffing.

The biggest thing I hope you have are backups. Because you swear and bitch and bite the bullet and wipe everything. Have a company-wide meeting explaining what happened. If they want music that badly, subscribe to some music service, and if anyone is caught downloading from bad sources they are written up.

I have been successful a couple of times tracking down the culprit of an attack, but the best you can do if they are in another country is tell their ISP, their employer if they were dumb enough to do this at work, and the cyber crime division. Then from there it's out of your hands; if they are nice they will let you know what happened.

You will be targeted again in a few months by these guys, so make sure you don't make the same mistake again. Don't think you can turn around and hack them, you are a nobody to them. They found a weakness in 100,000 machines/firewalls and exploited as many as they could, and from the targets that looked like they could pay they demanded a ransom.
#4
Old February 27, 2013, 08:22 PM
enaberif
Hall Of Fame
 
Join Date: Dec 2006
Location: Calgahree, AB
Posts: 10,608

Quote (Originally Posted by BrainEater):
Mhhrmmm

OK, so some dumb asshole decided it would be cool/fun/whatever to hack the servers of a brewery, and kill 3 days of production. Beer drinkers of the whole world unite, let's find this little bastard and beat em with a switch of hops !~!

Here's the short version : (and I don't know the whole story yet)

We *had* a Mac G4 on our network used for music. Apparently, it was also used for the Vuze bittorrent client.......this is where it gets fuzzy...Possibly thru Vuze, or mebbie just from a corrupted YouTube link, (or whatever, uncontrolled machine), someone gained complete control.....they went from a machine not on the domain, right into our 'on-the-domain' servers, and encrypted our HDDs and then demanded ransom.

I have the 'infected, unaltered' machine I believe, and I'm setting up a sandbox to run it in with something like SolarWinds going.

I've also got a free pf router and switch setup. I want to record every single byte of data in and out of this rig.

Any sandboxing/whitehat tips ?

TYIA

Ross

No offense but this sounds more like user error than hacking. Trying to hack ANYTHING through a mac will be next to impossible but not completely impossible and that is where the "user error" comes in.

Vuze = Java = Exploit City

With that said... the entire network sounds horrible and with that said.. yes a pfsense box will help immensely but will also be a pain in the ass at the start to use.
#5
Old February 27, 2013, 08:50 PM
Shadowmeph
Hall Of Fame
F@H
 
Join Date: Oct 2007
Posts: 3,382


I agree, it sounds like user error to me also. Usually the places that get hacked are larger places; unless someone said "hey, I am here, come and hack me" it is very unlikely. Most MS-based OSes and maybe some Linux-based OSes get hacked because they are easier to do. What is in it for someone to go through the whole hassle of this? Like I already said, it is more likely user error or someone let them in on purpose.
#6
Old February 27, 2013, 09:31 PM
enaberif
Hall Of Fame
 
Join Date: Dec 2006
Location: Calgahree, AB
Posts: 10,608

Oh and a G4 is not Intel :) So doing anything "hack" wise would be VERRRRRRRRRRRRRRRRRRY difficult.
#7
Old February 27, 2013, 10:38 PM
MVP
 
Join Date: Mar 2010
Location: Ottawa
Posts: 447

Quote (Originally Posted by enaberif):
Oh and a G4 is not Intel :) So doing anything "hack" wise would be VERRRRRRRRRRRRRRRRRRY difficult.
I have to disagree. While it is unlikely for someone to target this platform generally, it is certainly vulnerable to a targeted attack from a group or individual who knows what they're doing. Java and Flash are the most obvious vectors, but as an OS that hasn't been supported in years and lacks general security tools, it's extremely vulnerable.

It's just not trivial for a run of the mill script kiddie or likely to be targeted by those casting a wide net.
#8
Old February 28, 2013, 09:13 AM
Shadowmeph
Hall Of Fame
F@H
 
Join Date: Oct 2007
Posts: 3,382


Off topic here.
I am very sure that anything that is online can be hacked; if it is an OS it can be hacked. But like mentioned above, it is usually the OSes or programs that are more widely used that get hacked, or a larger company or corporation that gets hacked. That is usually what happens, but there are times when someone does have a grudge against someone else, so they hurt them, or at least try to hurt them somehow.
#9
Old February 28, 2013, 09:41 AM
MacJunky
Hall Of Fame
F@H
 
Join Date: May 2007
Location: Creston, BC
Posts: 1,724


I know this is not helping, but the way I see things is below.

PowerMac G4:
Newest versions of Mac OS X it can run are 10.4 and 10.5. Both of those are OLD and no longer get security updates. PPC or not, no security updates and no other new software means it has holes that are never going to be patched.

Internet:
Why do any of your important computers need to be online in the first place? For some applications it is not avoidable, but is there something you actually do remotely that you need access for? I am not familiar with brewing equipment so I do not actually know. And yeah, try to avoid things like Java and Flash and whatnot on your production machines. These are production systems and should not be loaded up with any software unrelated to their primary task. (And if your software is written in Java then you need a new programmer.)


If you want a jukebox for, say, streaming music it needs to stay completely disconnected from the important computers imo. And you need to make sure everything that is online is up to date.


But, as I said none of this helps you isolate what went wrong. *shrug*
As for the original topic, it sounds like you may be on a decent track.
#10
Old February 28, 2013, 12:57 PM
BrainEater
Hall Of Fame
 
Join Date: Mar 2007
Location: Calgary
Posts: 2,513

OK, so I'll update and explain further.

We have IT, the steps are ongoing. We've reported to the authorities. Beer flows.

----

This is about pounding an 'effing coffin nail into some dumb shit that needs it.

Here's what I know (or think I know).

The Mac is the source. It had Vuze, as well as the possibility of someone just clicking the wrong link.

From what I understand, it went from said Mac (not on the domain) into computers on the domain.

After that they appear to have had access to everything; they encrypted the server HDDs.

It looks like a total compromise to me....rootkits etc....but I don't know , I'm trying to find out what paranoia level to escalate to.

So I've got that Mac, and it was not cleaned from what I know....so I'm going to run it in a closed environment and see what pops up....

-----

Back to the original question.....Imma run Snort on the sandbox router, and SolarWinds elsewhere.....any advice on other stuff?? .....I'm going to run all the anti-malware/virus usuals......HijackThis etc....

__________________
Intel 3930k /rIVe/32 Gb vengeance LP/Nvidia TITAN/760/760/Intel 520's/WD raptors/etc...

Last edited by BrainEater; February 28, 2013 at 01:21 PM.
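Ross's plan in #1 and #10 is to record every byte in and out of the isolated Mac and then see what pops up. What pops up first in that kind of capture is the list of remote endpoints the suspect box talks to, and that can be pulled from a raw packet capture without any of the tools named above. The script below is an added example, not code from this thread or from any poster, and not part of Snort, pfSense or SolarWinds. It assumes the capture is a classic libpcap-format Ethernet capture of the kind tcpdump on the pf box would write, and it parses that format by hand so it runs offline with only the Python standard library. The suspect address 10.0.99.5, the remote addresses, the ports and the four frames in the sample capture are all constructed for the example; on a real capture you would read the file bytes and pass the sandboxed machine's address. It is written for any IPv4 TCP/UDP traffic, not just the bittorrent-style connection in the sample, and it also counts frames that are not IPv4 or that do not involve the suspect host, since on a segment that should hold one machine those are worth a look too.

```python
"""Triage a sandbox capture: which remote hosts/ports did the suspect machine
talk to, how many packets, and how many bytes went each way?"""
import socket
import struct
from collections import defaultdict

# libpcap file-format constants
PCAP_MAGIC_LE = 0xA1B2C3D4   # magic read as little-endian from a little-endian file
PCAP_MAGIC_BE = 0xD4C3B2A1   # the same magic read as little-endian from a big-endian file
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = b"\x08\x00"


def iter_pcap_frames(data):
    """Yield (ts_sec, frame_bytes) for each record in an in-memory pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng / nanosecond pcap not handled)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled here")
    off = 24  # global header is 24 bytes
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            break  # truncated last record (capture cut off mid-write): keep what we have
        off += incl_len
        yield ts_sec, frame


def parse_ipv4(frame):
    """Return (src_ip, dst_ip, proto, sport, dport) for an IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4          # IP header length, honours options
    proto = frame[23]
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    l4 = 14 + ihl
    sport = dport = None
    if proto in (6, 17) and len(frame) >= l4 + 4:  # TCP/UDP: ports are the first 4 bytes
        sport, dport = struct.unpack_from("!HH", frame, l4)
    return src, dst, proto, sport, dport


def triage(pcap_bytes, suspect_ip):
    """Group traffic by (remote_ip, proto, remote_port) as seen from the suspect host.
    Returns (flows, other); `other` counts frames that are not IPv4 or do not involve
    the suspect at all, which on an isolated segment should not be there."""
    flows = defaultdict(lambda: {"packets": 0, "out_bytes": 0, "in_bytes": 0})
    other = 0
    for _ts, frame in iter_pcap_frames(pcap_bytes):
        parsed = parse_ipv4(frame)
        if parsed is None:
            other += 1
            continue
        src, dst, proto, sport, dport = parsed
        if src == suspect_ip:
            key, direction = (dst, proto, dport), "out_bytes"
        elif dst == suspect_ip:
            key, direction = (src, proto, sport), "in_bytes"
        else:
            other += 1
            continue
        flows[key]["packets"] += 1
        flows[key][direction] += len(frame)
    return dict(flows), other


# --- constructed sample capture (stands in for a file written by tcpdump) ---
def _frame_tcp(src_ip, dst_ip, sport, dport, payload):
    eth = b"\x00" * 12 + ETHERTYPE_IPV4   # MACs zeroed; not needed for this triage
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


SUSPECT_IP = "10.0.99.5"   # constructed: the sandboxed machine's address


def build_sample_pcap():
    """Three TCP frames plus one ARP frame, all constructed (RFC 5737 remote ranges)."""
    frames = [
        _frame_tcp(SUSPECT_IP, "203.0.113.7", 50001, 6881, b"x" * 100),  # 154 bytes out
        _frame_tcp("203.0.113.7", SUSPECT_IP, 6881, 50001, b"y" * 40),   # 94 bytes in
        _frame_tcp(SUSPECT_IP, "198.51.100.20", 50002, 443, b""),        # 54 bytes out
        b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,                       # ARP, not IPv4
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1362000000 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = build_sample_pcap()


def report(pcap_bytes=SAMPLE_PCAP, suspect_ip=SUSPECT_IP):
    """Human-readable lines, busiest remote endpoint first."""
    flows, other = triage(pcap_bytes, suspect_ip)
    ranked = sorted(flows.items(), key=lambda kv: -(kv[1]["out_bytes"] + kv[1]["in_bytes"]))
    lines = [f"{ip}:{port} proto={proto} pkts={s['packets']} out={s['out_bytes']} in={s['in_bytes']}"
             for (ip, proto, port), s in ranked]
    lines.append(f"frames not involving {suspect_ip} or not IPv4: {other}")
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

Run it as-is to see the sample triage; for a real capture, call `report(open("sandbox.pcap", "rb").read(), "<suspect address>")`. Byte counts are per-frame on the wire, so they include headers, which is what you want when the question is how much left the box rather than how much payload a given protocol carried. The `other` count matters on a sandbox segment: on a link that should carry one machine's traffic, any frame that is not that machine's is either a second device on the segment or something the isolation is not catching.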