[nsp-sec] Sometimes, you have to make lemon-aid.
John Fraizer
john at op-sec.us
Mon Mar 3 16:45:44 EST 2008
We got a MalwareURL report in last night's ASN Alerts, so ACLs were applied to filter TCP 80,443 outbound to the offending IP address and a ticket was dispatched to our "Customer Facing" group to make customer contact. The old adage that "the customer is always right" doesn't seem to hold true when that customer has a compromised device and a secretary/receptionist who thinks she is smarter than you. Here is how this has played out so far. :)
*** PHONE LOG 03/03/2008 10:39:54 AM XXXXXXXX
Applied ACL to customer interface blocking TCP 80 and TCP 443.
Filter will not be removed until this compromise is remedied. This is taking down all HTTP and HTTPS traffic to this server.
*** STATUS CHANGE 03/03/2008 10:40:38 AM XXXXXXXX
*** NOTES 03/03/2008 04:03:55 PM XXXXXXX Action Type: Manager review
Called regarding problem. Was brushed off by secretary who stated there are no servers on site.
IP address has been filtered for the better part of the day and I see no tickets where the customer has called in to XXXX or XXXX. It appears that they have not noticed their site is down.
I cannot shut down access via the customer's IAD. Though their data is compromised, there is no need to shut down voice.
Based on flows and nmap, it would appear that xxx.xxx.xxx.xxx's purpose is limited to the following ports:
PORT      STATE   SERVICE         VERSION
21/tcp    open    ftp             ProFTPD
25/tcp    open    smtp            Postfix smtpd
110/tcp   open    pop3            UW Imap pop3d 2004.89
666/tcp   open    ssh             OpenSSH 4.0 (protocol 2.0)
2000/tcp  open    callbook?
5631/tcp  closed  pcanywheredata
8000/tcp  open    http            Barracuda Spam firewall http config
8080/tcp  closed  http-proxy
Service Info: Host: mail; OS: Unix; Device: firewall
Sending to NOC Engineering to have ALL ports on xxx.xxx.xxx.xxx nulled.
*** STATUS CHANGE 03/03/2008 04:08:33 PM jfraizer
Happy to oblige.
#sh ip route xxx.xxx.xxx.xxx
Routing entry for xxx.xxx.xxx.xxx/30
Known via "bgp 11456", distance 200, metric 0, type internal
Last update from xxx.xxx.xxx.xxx 4w3d ago
Routing Descriptor Blocks:
* xxx.xxx.xxx.xxx, from xxx.xxx.xxx.xxx, 4w3d ago
Route metric is 0, traffic share count is 1
AS Hops 0
#conf t
Enter configuration commands, one per line. End with CNTL/Z.
jcvlfljbbg1(config)#ip route xxx.xxx.xxx.xxx 255.255.255.255 null 0 tag 80666
jcvlfljbbg1(config)#^Z
jcvlfljbbg1#sh ip route xxx.xxx.xxx.xxx
Routing entry for xxx.xxx.xxx.xxx/32
Known via "static", distance 1, metric 0 (connected)
Tag 80666
Redistributing via bgp 11456
Advertised by bgp 11456 route-map BLACKHOLE
Routing Descriptor Blocks:
* directly connected, via Null0
Route metric is 0, traffic share count is 1
Route tag 80666
Host is now blackholed. Sending back to Security group.
*** STATUS CHANGE 03/03/2008 04:08:47 PM jfraizer
*** NOTES AND STATUS CHANGE 03/03/2008 04:16:30 PM XXXXXX Action Type: Manager review
Account flashed. Awaiting callback from qualified staff.
Now, the last thing I wanted to do was null-route the customer, but when they refuse to do anything when we contact them about something like this, they leave me no choice, and it doesn't bother me at all to use a 10-lb sledge instead of a fly-swatter.
John
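Added here as an editor's example, not part of the original post: a small Python check that parses the IOS "show ip route" output shown above and confirms the host really is blackholed, meaning a /32 static pointing at Null0, carrying the blackhole tag, and being advertised through the BLACKHOLE route-map so upstream routers drop the traffic as well. The two sample outputs are constructed from the post's "before" and "after" routing entries with documentation-range addresses in place of the masked ones; tag 80666, AS 11456 and the route-map name come from the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed samples modelled on the two "sh ip route" outputs in the post;
# the masked xxx.xxx.xxx.xxx addresses are replaced with documentation ranges.
BLACKHOLED = """\
Routing entry for 192.0.2.10/32
  Known via "static", distance 1, metric 0 (connected)
  Tag 80666
  Advertised by bgp 11456 route-map BLACKHOLE
  Routing Descriptor Blocks:
  * directly connected, via Null0
"""
NOT_BLACKHOLED = """\
Routing entry for 192.0.2.8/30
  Known via "bgp 11456", distance 200, metric 0, type internal
  Routing Descriptor Blocks:
  * 198.51.100.1, from 198.51.100.1, 4w3d ago
"""

@dataclass
class RouteEntry:
    prefix: str            # e.g. "192.0.2.10/32"
    source: str            # text inside 'Known via "..."'
    tag: Optional[int]     # route tag, None if the route is untagged
    next_hops: List[str]   # one string per "*" descriptor block line
    advertised_by: str     # "" when the route is not redistributed

def parse_route(text: str) -> RouteEntry:
    """Pull the fields that matter out of IOS 'show ip route <host>' output."""
    prefix = re.search(r"Routing entry for (\S+)", text).group(1)
    source = re.search(r'Known via "([^"]+)"', text).group(1)
    tag_m = re.search(r"^\s*Tag (\d+)\s*$", text, re.M)
    hops = [h.strip() for h in re.findall(r"^\s*\*\s+(.+)$", text, re.M)]
    adv = re.search(r"Advertised by (.+)", text)
    return RouteEntry(prefix, source, int(tag_m.group(1)) if tag_m else None,
                      hops, adv.group(1).strip() if adv else "")

def is_blackholed(entry: RouteEntry, expected_tag: int, route_map: str) -> bool:
    """True only if the host is a /32 static whose every next hop is Null0,
    tagged with the blackhole tag and advertised via the blackhole route-map."""
    return (entry.prefix.endswith("/32")
            and entry.source == "static"
            and bool(entry.next_hops)
            and all("Null0" in h for h in entry.next_hops)
            and entry.tag == expected_tag
            and f"route-map {route_map}" in entry.advertised_by)
```

Run it against the live output of each border router after pushing the static to confirm the /32 is both locally nulled and actually redistributed; a route that is in Null0 but missing the "Advertised by" line is only dropping traffic on that one box.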