Sandboxing

[BrainEater]

Mhhrmmm

OK , so some dumb asshole decided it would be cool/fun/whatever to hack the servers of a business , and kill 3 days of production.Drinkers of the whole world unite , lets find this little bastard and beat em with a bottle.... !~!

Here's the short version : (and I don't know the whole story yet)

We *had* a mac g4 on our network used for music .Apparently , it was also used for the vuze bittorrent client.......this is where it gets fuzzy...Possibly thru vuze , or mebbie just from a corrupted you tube link , (or whatever , uncontrolled machine) , someone gained complete control.....they went from a machine not on the domain , right into our 'on-the-domain' servers , and encrypted our hdd's and then demanded randsom.

I have the 'infected , unaltered ' machine I believe , and I'm setting up a sandbox to run it in with something like solarwinds going.

I've also got a free PF router and switch setup.I want to record every single byte of data in and out of this rig.

Any sandboxing/whitehat tips ?

TYIA

Ross

[ZZLEE]

This doesn't sound like a drive by hacking to me.

Hope you catch the perp. messing with Beer

[BlueByte]

Before you get to deep here, do you have a backup before the hack? What systems got encrypted(servers, desktops)? I would not be surprised if he has a multiple entry points if he got access to your domain, or at least I would if I hacked into a system. I would be suspecting you touching every device(PC, Printers with any remote access, switches, routers) to make sure(SOOOO Sorry).

I would suspect they are over seas, that's where most of my attacks come from. At this point there is very little you can do, because I would hop through open proxies that are impossible to keep log of to do an attack. Once in I would create an SSL tunnel and then there is even less hope of packet sniffing.

The biggest thing I hope you have are backups. Because you swear and bitch and bite the bullet and wipe everything. Have a company wide meeting explaining what happened. If they want music that badly subscribe to some music service and if anyone is caught downloading from bad sources they are wrote up.

I have been successful a couple of times tracking down the culprit of an attack, but the best you can do if they are in another country is tell their ISP, employer if they were dumb enough to do this at work, cyber crime division. Then from there its out of your hands, if they are nice they will let you know what had happened.

You will be targeted again in a few months by these guys, so make sure you don't make the same mistake again. Don't think you can turn around and hack them, you are a no body to them. They found a weakness in 100,000 machines/firewalls and exploited as many as they could and the targets that looked like they could pay they demanded a ransom.

[enaberif]

Quote:

Originally Posted by BrainEater

Mhhrmmm

OK , so some dumb asshole decided it would be cool/fun/whatever to hack the servers of a brewery , and kill 3 days of production.Beer drinkers of the whole world unite , lets find this little bastard and beat em with switch of hops !~!

Here's the short version : (and I don't know the whole story yet)

We *had* a mac g4 on our network used for music .Apparently , it was also used for the vuze bittorrent client.......this is where it gets fuzzy...Possibly thru vuze , or mebbie just from a corrupted you tube link , (or whatever , uncontrolled machine) , someone gained complete control.....they went from a machine not on the domain , right into our 'on-the-domain' servers , and encrypted our hdd's and then demanded randsom.

I have the 'infected , unaltered ' machine I believe , and I'm setting up a sandbox to run it in with something like solarwinds going.

I've also got a free PF router and switch setup.I want to record every single byte of data in and out of this rig.

Any sandboxing/whitehat tips ?

TYIA

Ross

No offense but this sounds more like user error than hacking. Trying to hack ANYTHING through a mac will be next to impossible but not completely impossible and that is where the "user error" comes in.

Vuze = Java = Exploit City

With that said... the entire network sounds horrible and with that said.. yes a pfsense box will help immensely but will also be a pain in the ass at the start to use.

[Shadowmeph]

I agree it sounds like user error to me also usually the places that get hacked are larger places unless someone said " hey I am here come and hack me" it is very unlikely . most MS based OS and maybe some Linux based OS get hacked because they are easier to do. what is in it for someone to go through the whole hassle of this like I already said it is more likely user error or someone let them in on purpose.

[enaberif]

Oh and a G4 is not Intel :) So doing anything "hack" wise would be VERRRRRRRRRRRRRRRRRRY difficult.

[Desiato]

Quote:

Originally Posted by enaberif

Oh and a G4 is not Intel :) So doing anything "hack" wise would be VERRRRRRRRRRRRRRRRRRY difficult.

I have to disagree. While it is unlikely for someone to target this platform generally, it is certainly vulnerable to a targeted attack from a group or individual who knows what they're doing. Java and Flash are the most obvious vectors, but as an OS that hasn't been supported in years and lacks general security tools, it's extremely vulnerable.

It's just not trivial for a run of the mill script kiddie or likely to be targeted by those casting a wide net.

[Shadowmeph]

Off topic here.
I am very sure that anything that is online can be hacked if it is an OS it can be hacked, but like mentioned above it is usually OS or programs that are more used that get hacked or a larger company ,corporation that gets hacked, that is usually what happens but there are times when someone does have a grudge against someone else so they hurt them or at least try to hurt them some how.

[MacJunky]

I know this is not helping, but the way I see things are below.

PowerMac G4:
Newest versions of Mac OS X it can run are 10.4 and 10.5. Both of those are OLD and no longer get security updates. PPC or not, no security updates and no other new software means it has holes that are never going to be patched.

Internet:
Why do any of your important computers need to be online in the first place? For some applications it is not avoidable, but is there something you actually do remotely that you need access? I am not familiar with brewing equipment so I do not actually know. And yea, try to avoid things like java and flash and whatnot on your production machines. These are production systems and should not be loaded up with any software unrelated to their primary task.(and if your software is written in java then you need a new programmer)


If you want a jukebox for, say, streaming music it needs to stay completely disconnected from the important computers imo. And you need to make sure everything that is online is up to date.


But, as I said none of this helps you isolate what went wrong. *shrug*
As for the original topic, it sounds like you may be on a decent track.

[BrainEater]

Ok , so I'll update and explain further.

We have IT , the steps are ongoing.We've reported to the authorities.Beer flows.

----

This is about pounding an 'effing coffin nail into some dumb shit that needs it.

Here's what I know.(or think I know)

The mac is the source.It had Vuze , as well as the possibility of someone just clicking the wrong link.

From what I understand , it went from said mac (not on the domain) into computers on the domain.

After that they appear to have access to everything , they encrypted the server hdd's.

It looks like a total compromise to me....rootkits etc....but I don't know , I'm trying to find out what paranoia level to escalate to.

So I've got that mac , and it was not cleaned from what I know....so I'm going to run it in a closed environment and see what pop's up....

-----

Back to the original question.....Imma run snort on the sandbox router , and solarwinds elsewhere.....any advice on other stufff ?? .....I'm going run all the anti-malware /virus usuals......hijackthis etc....