
Our security vendor detected that our client's CAS server was doing a nessus scan in the internal network.

It's not uncommon for this vendor to issue a false positive, but I'm looking for general guidance on how I should analyze this Windows-based server if a hack was indeed attempted.

  • What files might be left over?

  • What might be modified?

  • How do I safely gather enough information to know if it should be nuked from orbit?

makerofthings7

  • What triggered the event? The Exchange server itself or an IDS/IPS on the network? – M'vy Feb 19 '13 at 16:16
  • @M'vy We have passive monitoring on the subnet that inspects suspect packets. I'm trying to get more information on it. One of our techs said that Exchange often "does something" to appear like nessus. – makerofthings7 Feb 19 '13 at 16:31
  • Did anyone else have to do a double-take to make sure this didn't say "Stack Exchange Server appears to be hacked."? – Iszi Feb 19 '13 at 17:49

2 Answers

Any good system administrator is going to know what files are on his company's server and what are in those files.

The first thing you want to do is use a program or write a script to take note of all the files on the hard drive. The safest way to do this would be to mount the hard drive on a known working OS so the OS doesn't hide any files from you. You make note of this and keep it in a safe place.

The next thing you do is create a checksum for each of those files listed and keep that in a safe place as well.

This process will go well with your server backups because you'll know where to restore from.

Whenever you suspect an intrusion you will check to see what files have been added to the system and verify the integrity of the files with the checksum. There will be certain files that will always fail, of course, such as log files. But you will want to flag files that have changed without your knowledge, such as the boot files or system files.

An additional resource would be to analyze the traffic from the server. Gather any information you can that may be helpful, such as the outgoing server port, where the traffic is going, etc.

Typically a compromised system is going to try and send things out to the internet. Being that it was an Exchange server, it may be used to spam emails so that it wouldn't look too peculiar.

A lot of intrusions can be detected with antivirus as well, but of course, that doesn't mean you're safe!

ponsfonze
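The baseline-and-compare procedure this answer describes (inventory every file, checksum each one, keep the manifest off the host, then diff a later snapshot and tolerate the files that always churn, such as logs) as an added example; this is not code from the answerer or from any product the page mentions. It assumes the suspect volume is reachable as a directory tree on the analysis host (for example mounted read-only under a path you pass as `root`), and the `demo()` function builds a small constructed tree in a temporary directory purely to show the comparison end to end.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Suffixes the answer says will always fail a checksum comparison (log files);
# the list is an assumption for this example, extend it for your environment.
EXPECTED_TO_CHANGE = (".log", ".evtx")


def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Walk `root` and record every regular file with its size and SHA-256.

    Paths are stored relative to `root`, so a baseline taken while the disk was
    mounted at one location can be compared against the same disk mounted
    elsewhere (e.g. attached read-only to a known-good analysis machine).
    Symlinks and non-regular files are skipped rather than followed.
    """
    root_path = Path(root)
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root_path):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue
            rel = full.relative_to(root_path).as_posix()
            baseline[rel] = {"size": full.stat().st_size, "sha256": sha256_of(full)}
    return baseline


def save_baseline(baseline, out_file):
    """Write the manifest as JSON; keep this copy somewhere the server cannot reach."""
    with open(out_file, "w", encoding="utf-8") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(in_file):
    with open(in_file, encoding="utf-8") as f:
        return json.load(f)


def compare(baseline, current):
    """Return added, removed and modified paths; files expected to churn are not
    reported as modified, but their appearance or disappearance still is."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(
        p for p in baseline
        if p in current
        and current[p]["sha256"] != baseline[p]["sha256"]
        and not p.endswith(EXPECTED_TO_CHANGE)
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario (not a real server): baseline a tiny tree, then
    replace a binary, drop a new file, delete a config and append to a log."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "service.exe").write_bytes(b"original binary")
        (root / "config.xml").write_text("<cfg/>")
        (root / "app.log").write_text("line 1\n")
        baseline = build_baseline(tmp)

        (root / "bin" / "service.exe").write_bytes(b"replaced binary")  # modified
        (root / "bin" / "unexpected.dll").write_bytes(b"new file")      # added
        (root / "config.xml").unlink()                                   # removed
        with (root / "app.log").open("a") as f:                          # expected churn
            f.write("line 2\n")
        return compare(baseline, build_baseline(tmp))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice you would run `build_baseline` once against the mounted disk, `save_baseline` the result to removable media or a separate host, and after an alert run `build_baseline` again and feed both manifests to `compare`; anything under a system or boot directory in the `modified` list, and any `added` executable, is what you triage first.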

Could the vulnerability scan just be a routine one, all white hat, done by the security team? If this is the case you can verify it through the firewall logs (depending on whether the traffic passes through it). You can use a tool called Volatility to analyze any changes in RAM or the file system. It gives you a snapshot analysis of the current state of computer security.

Saladin
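The first answer suggests analyzing the server's outgoing traffic (ports, destinations) and this one suggests checking firewall logs to see whether the scan really happened; as an added example, not code from either answerer, here is a small pass over connection records that summarizes each source and flags the fan-out pattern a scanner produces (one source touching many hosts on many ports, mostly denied). The CSV shape `timestamp,src,dst,dport,action` and every address in it are constructed for the example and do not correspond to any real firewall's log format; the thresholds are assumptions to tune against your own baseline.

```python
import csv
from collections import defaultdict
from io import StringIO
from itertools import product


def constructed_sample():
    """Build a constructed flow log (not real data). The CAS server 10.0.1.5
    talks to two peers on a few ports, a workstation reads mail over 443, and
    then the CAS emits a burst to 20 hosts x 11 ports that mostly gets denied."""
    lines = ["timestamp,src,dst,dport,action"]
    peers = [("10.0.2.10", 443), ("10.0.2.10", 135), ("10.0.2.11", 25), ("10.0.2.11", 443)]
    for i, (dst, port) in enumerate(peers * 5):
        lines.append(f"2013-02-19T15:5{i % 10}:00,10.0.1.5,{dst},{port},allow")
    for i in range(6):
        lines.append(f"2013-02-19T16:0{i}:00,10.0.5.23,10.0.1.5,443,allow")
    hosts = [f"10.0.3.{n}" for n in range(1, 21)]
    ports = [21, 22, 23, 80, 135, 139, 443, 445, 1433, 3389, 8080]
    for n, (dst, port) in enumerate(product(hosts, ports)):
        action = "allow" if port in (443, 445) else "deny"
        lines.append(f"2013-02-19T16:1{n % 10}:{n % 60:02d},10.0.1.5,{dst},{port},{action}")
    return "\n".join(lines) + "\n"


def parse_records(text):
    """Parse the constructed CSV into dicts with keys timestamp,src,dst,dport,action."""
    return list(csv.DictReader(StringIO(text)))


def per_source_stats(records):
    """Aggregate distinct destinations, distinct ports, denies and flow count per source."""
    stats = defaultdict(lambda: {"hosts": set(), "ports": set(), "denied": 0, "flows": 0})
    for r in records:
        s = stats[r["src"]]
        s["hosts"].add(r["dst"])
        s["ports"].add(int(r["dport"]))
        s["flows"] += 1
        if r["action"] == "deny":
            s["denied"] += 1
    return stats


def flag_scan_like(records, host_threshold=10, port_threshold=10):
    """Return sources whose fan-out exceeds either threshold, with their stats.

    A legitimate Exchange CAS keeps a stable, small set of peers and ports;
    a scanner fans out across many hosts or many ports, so either axis alone
    is enough to flag. A real run would also bucket by time window so that a
    month of normal traffic does not accumulate past the thresholds.
    """
    flagged = {}
    for src, s in per_source_stats(records).items():
        if len(s["hosts"]) >= host_threshold or len(s["ports"]) >= port_threshold:
            flagged[src] = {
                "distinct_hosts": len(s["hosts"]),
                "distinct_ports": len(s["ports"]),
                "denied": s["denied"],
                "flows": s["flows"],
            }
    return flagged


if __name__ == "__main__":
    for src, info in flag_scan_like(parse_records(constructed_sample())).items():
        print(src, info)
```

Run against your own export, the interesting comparison is the flagged source's normal peer set (from the days before the alert) against the burst: a scan from a compromised host shows destinations and ports the server has never spoken to, while an authorized Nessus run from the security team will match the scanner's scheduled window and source.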