Subject: Re: Parting Admin
From: Ryan Permeh (ryan@EEYE.COM)
Date: Thu Nov 30 2000 - 12:32:07 CST


This is a touchy area, since there can be things that can be done to bypass
all of these issues. For instance, a knowledgeable administrator could have
backdoored the kernel of any of your NT machines, making it very, very
difficult to notice things. A scenario that is not outside the realm of
possibility:

29 servers, each with a loaded rogue driver, all 29 of them watching the
network for a specific malformed ICMP packet to trigger a payload. An
additional driver somewhere could be set up to time-delay this packet being
sent out, or to send the packet on a certain occurrence (5 new users added, or
whatever). Although I don't know of a specific set of rogue drivers like
this in the wild, that certainly doesn't mean that they are not there. (A
modified rootkit could pretty easily perform most of this functionality.)

Now, behind a NAT, the payload couldn't be something as simple as opening a
BO2K server and listening, since there should be no way for an outside
attacker to get in (assuming there are no dial-in modems or VPN access to
this network). However, the payload could be more tricky, or just
destructive. It could wipe drives, corrupt specific files, and, the worst,
initiate a connection with the outside world. This would give the
admin/attacker a direct channel to the server, where they could tunnel an
attack if they chose. This would leave an open port (for the server side of
the TCP connection), but only after it is triggered.

Traditional intrusion checks are not as valid when the attacker has had
unrestricted time and access to undermine the entire security
infrastructure. In this case, short of backing up your data and reloading
your servers (from clean, untampered media; he could have added the rogue
code to an altered install CD), you are not going to have 100% coverage, no
matter what.

On the other hand, if your administrator is good enough to orchestrate an
unmanned attack like this, you should consider keeping him around; he might
have a clue. :)

Just a highly paranoid scenario to keep you on your toes. :)
Signed,
Ryan
eEye Digital Security Team
http://www.eEye.com

----- Original Message -----
From: "Opus" <opus@IRCORE.COM>
To: <FOCUS-MS@SECURITYFOCUS.COM>
Sent: Wednesday, November 29, 2000 1:05 PM
Subject: Parting Admin

> I'm not certain if this has been previously discussed, so pardon me if it
> has. We have quite a large MS network, and the current admin is leaving.
> He is leaving of his own accord, but feels he had been pressured into
> doing so. He has submitted his two weeks' notice, and now management is wanting
> to be assured that the boxes have not been tampered with as far as
> backdoors...
>
> This could be a very large task to pacify their valid concern. There are
> 29 servers in all; disabling his account and changing all the admin
> passwords wouldn't be enough. Each machine could be port scanned and each
> listening port verified as to what the application is. Each server's local
> accounts list should be reviewed. Each server should already have virus
> protection, but a manual scan wouldn't hurt. We are behind a firewall and
> use NAT to a network using private IPs.
>
> Any ideas of what may be overlooked, or possibly a document that lays out
> what procedures should be done in matters of assuring your systems'
> integrity when losing such a high level of personnel, remembering that
> the majority of these servers are production, so interruption is the last
> resort.
>
> I am assuming this is an industry wide consideration so there must be
> opinions/policies that already exist.
>
>
> Chris Birch
>
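The per-server review Chris lists (listening ports tied to their application, local account and Administrators review) together with the things Ryan's scenario would surface (an unexpected outbound connection once the payload fires, a rogue driver or service, a delayed trigger parked in a scheduled task) can be captured as a repeatable snapshot so two runs can be diffed. The script below is an added example, not part of the original thread or eEye's work; it uses cmdlets that did not exist on the NT hosts discussed in 2000 and assumes Windows PowerShell 5.1 or later on Windows Server 2012 or newer, an elevated session, and the output directory C:\Baselines (an assumption).

```powershell
# Added example, not part of the original thread. Snapshots the items the thread says to
# review on each server (listening ports with their owning image, outbound connections,
# local accounts and Administrators membership, services, kernel drivers, scheduled tasks)
# into a JSON file so that two snapshots can be diffed. Assumes Windows PowerShell 5.1 or
# later on Windows Server 2012+ and an elevated session; the output directory is an assumption.
param(
    [string]$OutDir = 'C:\Baselines'
)

function Get-ServerBaseline {
    # Map PID -> image path once. Get-Process.Id is Int32 while
    # Get-NetTCPConnection.OwningProcess is UInt32, so the key is cast on lookup.
    $imageByPid = @{}
    Get-Process | ForEach-Object { $imageByPid[$_.Id] = $_.Path }

    # Listening TCP ports mapped to the owning process image.
    $listeners = Get-NetTCPConnection -State Listen | ForEach-Object {
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            Pid          = $_.OwningProcess
            Image        = $imageByPid[[int]$_.OwningProcess]
        }
    } | Sort-Object LocalPort, LocalAddress

    # Established connections to non-private addresses: a triggered "connect out" payload
    # appears here rather than in the listener list. The RFC 1918 filter is a heuristic.
    $private = '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|::1$|fe80:)'
    $outbound = Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notmatch $private } |
        ForEach-Object {
            [pscustomobject]@{
                LocalPort     = $_.LocalPort
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                Pid           = $_.OwningProcess
                Image         = $imageByPid[[int]$_.OwningProcess]
            }
        }

    # Local accounts and who sits in the local Administrators group.
    $accounts = Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet
    $admins   = Get-LocalGroupMember -Group Administrators |
        Select-Object Name, ObjectClass, PrincipalSource

    # Services and kernel drivers with binary path and Authenticode status. Driver paths
    # come back as \SystemRoot\... or \??\C:\..., so normalise before checking the signature.
    $services = Get-CimInstance Win32_Service |
        Select-Object Name, State, StartMode, PathName, StartName
    $drivers = Get-CimInstance Win32_SystemDriver | ForEach-Object {
        $path = $_.PathName -replace '^\\SystemRoot', $env:SystemRoot -replace '^\\\?\?\\', ''
        $status = 'NoPath'
        if ($path -and (Test-Path -LiteralPath $path)) {
            $status = (Get-AuthenticodeSignature -LiteralPath $path).Status.ToString()
        } elseif ($path) {
            $status = 'FileMissing'
        }
        [pscustomobject]@{
            Name = $_.Name; State = $_.State; StartMode = $_.StartMode
            Path = $path; Signature = $status
        }
    }

    # Enabled scheduled tasks with their actions: a common place to park a delayed trigger.
    $tasks = Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        [pscustomobject]@{
            Task    = $_.TaskPath + $_.TaskName
            Actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        }
    }

    [ordered]@{
        Host      = $env:COMPUTERNAME
        Taken     = (Get-Date).ToString('o')
        Listeners = $listeners
        Outbound  = $outbound
        Accounts  = $accounts
        Admins    = $admins
        Services  = $services
        Drivers   = $drivers
        Tasks     = $tasks
    }
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$file = Join-Path $OutDir ("{0}-{1}.json" -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd-HHmmss'))
Get-ServerBaseline | ConvertTo-Json -Depth 4 | Set-Content -LiteralPath $file -Encoding UTF8
Write-Output "Baseline written to $file"
```

Run it on each server before the admin's last day and again afterwards, then compare the two files per section (for example, `Compare-Object` on the Listeners, Admins and Drivers arrays) and chase every difference and every unsigned or missing driver binary. The caveat Ryan raises still applies: this collects through the running kernel's own APIs, so a driver that hides its connections or itself from WMI and the TCP stack will not show up, and a clean diff reduces risk rather than proving integrity. Only a rebuild from known-good media does that.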