By Anonymous | March 30, 2013 - 21:03 | Posted in AnonyNews

Aftermath of OpIranMenace – UN leaked emails talkin about the intrusion

Greetingz luulz =)

Since we all see how OpIranMenace did get lotsa attention from the community but none from the media – let us shed some light on what happened after the initial leak.

Here you go: emails of some of the UN officials discussin the leak and the measures they are going to take in order to prevent it 🙂.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Date: Mon, 25 Mar 2013 19:17:46 +0300
From: mohabbatova@unfpa.org
Subject: Fwd: FW: Hacking of UN Systems in Iran
To: irandoost@unfpa.org
CC: bassir@unfpa.org
Message-id: <f66fd7a42b289.5150a2da@unfpa.org>
MIME-version: 1.0
X-Mailer: Sun Java(tm) System Messenger Express 6.2-7.05 (built Sep 5 2006)
Content-type: multipart/mixed; boundary=--7901d101b86243e6a
Content-language: en
X-Accept-Language: en
Priority: normal

Dear Monire and Narges,

Re the below communiqué, in addition to the advisories to be given by ICT staff, please immediately:
- Take the image of our data in the server,
- find out which other UNFPA docs have been released and make a list of them. I found one: my leave request form sent for Nobuko's approval.
- Change passwords for all accounts where they are similar to the ones used on the server in question (including personal accounts),
- Inform the relevant colleagues in HQ and request further advice, if any.

Please report back when you have completed these actions.

Dear Lubna and Golden: FYI

Thank you and regards

UNFPA – because everyone counts.
Dr. M. Hulki Uz
Representative
United Nations Population Fund
Tehran
I.R. Iran
Tel: 9821 22858046
Fax: 9821-22857485
http://iran.unfpa.org
The United Nations Population Fund: Delivering a world where every pregnancy is wanted, every childbirth is safe and every young person’s potential is fulfilled.

From: B Murali [mailto:b.murali@undp.org]
Sent: Monday, March 25, 2013 8:00 PM
To: Paul Raines
Cc: Mark Cardwell; Shirin Hamid; Alexey Kuzmenko; Shahin Shadian; Ardalan Sotoudeh; Mohammad Haque; msafieldin@unicef.org; uz@unfpa.org; Nicholas Rosellini; Elena Tischenko; Mohammad Younus; Tam Pham; gary.lewis@unodc.org
Subject: RE: Hacking of UN Systems in Iran

Dear Paul,

Greetings from Iran!

This is to acknowledge receipt of your email.

Our ICT colleagues, including the unit head Ardalan, are on the job. I will personally keep myself abreast of the progress & keep you all posted.

I am copying our colleagues in RBAP as well as my colleague heads of agencies here of those agencies mentioned in your mail.

Best regards,

Murali
Resident Representative a.i.,
UNDP – IR of Iran
Tel: +98 21 22869016
+98 21 228 60691extn 404
Cell: +98 9121579351

Sent from Samsung Mobile – please excuse brevity & typos.

——– Original message ——–
From: Paul Raines <paul.raines@undp.org>
Date:
To: B Murali <b.murali@undp.org>
Cc: Mark Cardwell <mark.cardwell@undp.org>,Shirin Hamid <shirin.hamid@undp.org>,Alexey Kuzmenko <alexey.kuzmenko@undp.org>,Shahin Shadian <shahin.shadian@undp.org>,Ardalan Sotoudeh <ardalan.sotoudeh@undp.org>,Mohammad Haque <mohammad.haque@undss.org>
Subject: Hacking of UN Systems in Iran

Dear Balasubramaniam,
It appears that a computer hacking group called Anonymous has hacked a UN system and released information concerning UN operations in Iran. (see https://www.cyberguerrilla.org/blog/?p=10098). The hackers have released a number of unrelated documents including memos of different UN agencies such as UNFPA, UNICEF, UN Resident Coordinator Office and UNDP as well as photocopies of the passports of certain staff members (see http://imgur.com/a/xzJpc/noscript).

At this point the ICT personnel in the office need to determine the source of the compromised system. Please keep in mind that just removing the unauthorized content or restoring the compromised site from backup will not address the root cause of the compromise and the site could be re-exploited again soon.

If they are not already doing so, the ICT personnel maintaining the web site in question should immediately follow the guidelines on handling of ICT security incidents (specifically, the sections on identification and containment of the security incident as well as the check-lists on CAT7 – Intrusion and CAT5 – Site Defacement). In a nutshell, the following steps should be performed:

1. Disconnect the system in question and related systems that have similar user credentials from the network.

2. Preserve possible evidence by at least copying all the content of the server (especially logs) including the code, databases content, etc. The best course of action will be a bit-by-bit imaging of the system.

3. Change passwords for all accounts where they are similar to the ones used on the server in question (including personal accounts). Use a trusted terminal (virus/Trojan-free workstation).

4. Perform analysis of the log files. Specifically, look for attempts to execute OS and SQL commands through web parameters and/or check for successful placement of unauthorized content (by accessing it) in the HTTP logs. The attached PDF cheat sheet will help you.

5. Look for the specific vulnerability (most likely, it will be either an unrestricted file upload or some code inclusion like SQL injection) abused by the attacker. Hopefully, step 4 will help you identify the specific method of compromise and fix it.

6. Initiate a rebuild of your web server from scratch (at this point we have no idea what malicious artifacts were left by the attacker). Make sure that you are using a trusted software distribution and installing the most recent versions of the web server, DBMS, CMS (if not built in-house), etc. Also, use new passwords for administrative and other accounts.

7. Make sure that you follow security best practices for the web environment (server) configuration and the application code. The following training material on Secure Coding practices and the Guidelines document will help you achieve that.

8. Only when the incident is contained and eradicated can you re-connect the server back to the network.

9. When the incident is eradicated, use the Incident Report form to document the root cause of the incident as well as other facts and send it back to us.

We also strongly encourage you to migrate your web sites to a centralized UNDP content management system. Please, contact Mark Cardwell <mark.cardwell@undp.org> and Jennifer Drag <jennifer.drag@undp.org> to arrange migration.
Please let me know if you have questions about any of the above information or need further assistance.

Best regards,

Paul

Paul S. Raines
Chief Information Security Officer
United Nations Development Programme
304 East 45th Street
New York, NY 10017
paul.raines@undp.org
+1 212 906 5574
ISO 9001 & 27001 certified
www.undp.org
Please consider the environment before printing this email.
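Step 4 of Paul Raines's checklist above asks the ICT staff to search the HTTP logs for attempted OS and SQL commands in web parameters and for successful retrieval of planted content, and step 5 asks them to map what that search turns up onto the two vectors he names. The Python script below is an added example of that triage, not code from the leaked emails or from UNDP: the log lines are constructed in the Apache/nginx combined format, and the list of content directories that should only ever serve static files (`CONTENT_DIRS`), the script extensions, and the indicator patterns are assumptions to adjust for the real site.

```python
"""Triage of web access logs for steps 4 and 5 of the incident checklist.
Added example, not UNDP code. Assumes combined log format and a layout where
CONTENT_DIRS hold only static uploads, so a script served from there is suspect."""
import re
from collections import Counter
from urllib.parse import unquote_plus, urlparse

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Step 4: indicators of SQL and OS commands smuggled through web parameters.
SQL_INDICATORS = [re.compile(p, re.I) for p in (
    r"\bunion\b[\s\S]*\bselect\b",
    r"'\s*(or|and)\s+['\d]",
    r"\b(sleep|benchmark)\s*\(",
    r"information_schema",
    r"--\s*$",                      # comment that truncates the rest of a statement
)]
OS_INDICATORS = [re.compile(p, re.I) for p in (
    r"[;&|`]\s*(cat|ls|id|whoami|uname|wget|curl|nc|bash|sh|cmd|powershell)\b",
    r"\$\([^)]*\)",
    r"/etc/(passwd|shadow)",
)]
SCRIPT_EXT = (".php", ".phtml", ".jsp", ".asp", ".aspx", ".cgi", ".pl")
CONTENT_DIRS = ("/uploads/", "/images/", "/files/", "/media/")  # assumed site layout

# Constructed sample, not real UN log data: a normal request, a SQL injection
# attempt, an OS command attempt, an upload POST, a hit on the uploaded script.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Mar/2013:17:02:11 +0000] "GET /news.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Mar/2013:17:02:19 +0000] "GET /news.php?id=12%27%20UNION%20SELECT%20user,password%20FROM%20users-- HTTP/1.1" 200 6100 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Mar/2013:17:03:02 +0000] "GET /tools/ping.php?host=127.0.0.1;cat%20/etc/passwd HTTP/1.1" 200 1830 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Mar/2013:17:05:40 +0000] "POST /admin/upload.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Mar/2013:17:05:47 +0000] "GET /uploads/shell.php?cmd=id HTTP/1.1" 200 245 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Mar/2013:17:06:00 +0000] "GET /uploads/report.pdf HTTP/1.1" 200 88120 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlparse(rec["target"])
    rec["path"] = unquote_plus(url.path)
    rec["query"] = unquote_plus(url.query)   # decode once so %27 / %20 become ' and space
    rec["status"] = int(rec["status"])
    return rec


def scan_record(num, rec, uploads_by_ip):
    """Findings for one request; uploads_by_ip remembers POSTs to upload endpoints."""
    findings = []
    request = rec["path"] + ("?" + rec["query"] if rec["query"] else "")
    if any(p.search(rec["query"]) for p in SQL_INDICATORS):
        findings.append({"line": num, "ip": rec["ip"], "category": "sql", "detail": request})
    if any(p.search(rec["query"]) or p.search(rec["path"]) for p in OS_INDICATORS):
        findings.append({"line": num, "ip": rec["ip"], "category": "os", "detail": request})
    if rec["method"] == "POST" and "upload" in rec["path"].lower():
        uploads_by_ip.setdefault(rec["ip"], []).append(num)
    # A 2xx retrieval of a server-side script from a content directory is the
    # "successful placement of unauthorized content" the checklist says to look for.
    if (rec["method"] == "GET" and 200 <= rec["status"] < 300
            and rec["path"].lower().endswith(SCRIPT_EXT)
            and any(d in rec["path"] for d in CONTENT_DIRS)):
        findings.append({"line": num, "ip": rec["ip"], "category": "upload",
                         "detail": request,
                         "after_post": bool(uploads_by_ip.get(rec["ip"]))})
    return findings


def triage(log_text):
    """Step 4: walk the log and collect every indicator, in log order."""
    uploads_by_ip, findings = {}, []
    for num, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            findings.append({"line": num, "ip": "?", "category": "unparsed", "detail": line[:80]})
            continue
        findings.extend(scan_record(num, rec, uploads_by_ip))
    return findings


def summarize(findings):
    """Step 5: map what the scan surfaced onto the candidate vectors the checklist names."""
    counts = Counter(f["category"] for f in findings)
    vectors = []
    if counts["upload"]:
        vectors.append("unrestricted file upload (script served from a content directory)")
    if counts["sql"]:
        vectors.append("SQL injection through web parameters")
    if counts["os"]:
        vectors.append("OS command injection through web parameters")
    return counts, vectors
```

Run `triage()` over a copy of the logs taken from the forensic image, never on the live server (step 2 comes before step 4). The `after_post` flag ties a script served from a content directory back to an earlier upload request from the same client, which is the correlation that separates an unrestricted upload from a false positive on a legitimately deployed file; on the sample it reports one SQL finding, one OS finding and one upload finding, from lines 2, 3 and 5.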


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Dear Dr. Hulki,
Please note that I have just talked to Mohammad Sepehrnoush. He and Ardalan are in the office now, working on the issue. They are resetting all administrator passwords and trying to find out more about the problem. I discussed your request with them, asking about what I can do now:

- Take the image of our data in the server – backups of our server have been taken.
- find out which other UNFPA docs have been released and make a list of them – he told me that I need to go to the links provided and download and review all documents. He told me that this is very time-consuming, but if we can make a list of UNFPA documents this would help them to locate the affected server, as they do not know which server was hacked. I will try to do so now.
- Change passwords for all accounts where they are similar to the ones used on the server in question (including personal accounts) – IT is changing all administrator passwords. I will also ask everybody to change their passwords.
- Inform the relevant colleagues in HQ and request further advice, if any. – please let me know whom I need to inform.

Thank you.
Monire

—– Original Message —–
From: “M. Hulki Uz” <uz@unfpa.org>
Date: Monday, March 25, 2013 9:26 am
Subject: FW: report #1: Hacking of UN Systems in Iran
To: ‘Monireh Bassir’ <bassir@unfpa.org>, mohabbatova@unfpa.org

> FY immediate action please.
>
> thanks
>
> UNFPA – because everyone counts.
> Dr. M. Hulki Uz
> Representative
> United Nations Population Fund
> Tehran
> I.R. Iran
> Tel: 9821 22858046
> Fax: 9821-22857485
> _____
> The United Nations Population Fund: Delivering a world where every pregnancy
> is wanted, every childbirth is safe and every young person’s potential is
> fulfilled.
>
> From: B Murali [
> Sent: Monday, March 25, 2013 8:16 PM
> To: Ardalan Sotoudeh
> Cc: Mark Cardwell; Shirin Hamid; Alexey Kuzmenko; Shahin Shadian; Mohammad
> Haque; Paul Raines; msafieldin@unicef.org; uz@unfpa.org; Gary Lewis;
> Nicholas Rosellini; Elena Tischenko; Mohammad Younus; Tam Pham
> Subject: RE: report #1: Hacking of UN Systems in Iran
>
> Thanks Ardalan.
>
> I am sharing this with the heads of agencies of those agencies referred in
> the email from Paul including RC a.i. and RBAP as well as Gary.
>
> Best regards,
>
> Murali
>
> Balasubramaniam Murali
> Resident Representative a.i.,
> United Nations Development Programme
> UN Common premises
> No. 8 Shahrzad Blvd, Darrous,
> 1948773911 Tehran, Islamic Republic of Iran
> b.murali@undp.org
> Tel: +98212 2860691; Ext: 404
> Cell: +98 9121579351
> Skype: bmurali60
> www.undp.org.ir
>
> Please consider the environment before printing this email.
>
> UNDP is the United Nations global development organization, on the ground
> in 166 countries and focused on democratic and effective governance, crisis
> prevention & recovery, climate change & energy, and reducing poverty.
>
> THIS EMAIL AND ANY FILES TRANSMITTED WITH IT ARE CONFIDENTIAL AND INTENDED
> SOLELY FOR THE USE OF THE INDIVIDUAL OR ENTITY TO WHOM THEY ARE ADDRESSED.
> Dissemination, distribution or copying of this message by anyone other than
> the addressee is strictly prohibited. If you received this message in error,
> please notify the sender immediately by replying “Received in error” and
> delete the message. Thank you.
>
> From: Ardalan Sotoudeh
> Sent: Monday, March 25, 2013 8:10 PM
> To: Paul Raines; B Murali
> Cc: Mark Cardwell; Shirin Hamid; Alexey Kuzmenko; Shahin Shadian; Mohammad
> Haque
> Subject: report #1: Hacking of UN Systems in Iran
>
> Dears,
>
> I have looked through the published materials (proofing the hacked) and in
> one look these are not documents which we upload to the UNDP website. In
> order to get more precise I will share this report with other agencies' ICT
> officers and will get their feedbacks as well.
>
> I’ll keep you informed.
>
> Many thanks &
>
> Best regards.
>
> Mr. Ardalan Sotoudeh
> ICT & Learning Manager
> UNDP Iran / Operations
> UN Common Premises, #8 Shahrzad Blvd., Darrous,
> ardalan.sotoudeh@undp.org
> Tel: (9821) 22860691-4 (Ext.:503) -Fax: (9821) 22869547
> Skype Name: ardalanst
> www.undp.org.ir
>
> Please consider the environment before printing this email.
>
> From: Paul Raines
> Sent: Monday, March 25, 2013 7:31 PM
> To: B Murali
> Cc: Mark Cardwell; Shirin Hamid; Alexey Kuzmenko; Shahin Shadian; Ardalan
> Sotoudeh; Mohammad Haque
> Subject: Hacking of UN Systems in Iran
> Importance: High
>
> Dear Balasubramaniam,
>
> It appears that a computer hacking group called Anonymous has hacked a UN
> system and released information concerning UN operations in Iran. (see
> The hackers have released a number of unrelated documents including memos
> of different UN agencies such as UNFPA, UNICEF, UN Resident Coordinator
> Office and UNDP as well as photocopies of the passports of certain staff
> members (see
>
> At this point the ICT personnel in the office need to determine the source
> of the compromised system. Please keep in mind that just removing the
> unauthorized content or restoring the compromised site from backup will not
> address the root cause of the compromise and the site could be re-exploited
> again soon.
>
> If they are not already doing so, the ICT personnel maintaining the web
> site in question should immediately follow the
> < ing.Guidelines_v1.7.docx> guidelines on handling of ICT security incidents
> (specifically, the sections on identification and containment of the security
> incident as well as the check-lists on CAT7 – Intrusion and CAT5 – Site
> Defacement). In a nutshell, the following steps should be performed:
>
> 1. Disconnect the system in question and related systems that have similar
> user credentials from the network.
>
> 2. Preserve possible evidence by at least copying all the content of the
> server (especially logs) including the code, databases content, etc. The
> best course of action will be a bit-by-bit imaging of the system.
>
> 3. Change passwords for all accounts where they are similar to the ones used
> on the server in question (including personal accounts). Use a trusted
> terminal (virus/Trojan-free workstation).
>
> 4. Perform analysis of the log files. Specifically, look for attempts to
> execute OS and SQL commands through web parameters and/or check for
> successful placement of unauthorized content (by accessing it) in the HTTP
> logs. The attached PDF cheat sheet will help you.
>
> 5. Look for the specific vulnerability (most likely, it will be either an
> unrestricted file upload or some code inclusion like SQL injection) abused
> by the attacker. Hopefully, step 4 will help you identify the specific
> method of compromise and fix it.
>
> 6. Initiate a rebuild of your web server from scratch (at this point we have
> no idea what malicious artifacts were left by the attacker). Make sure that
> you are using a trusted software distribution and installing the most recent
> versions of the web server, DBMS, CMS (if not built in-house), etc. Also,
> use new passwords for administrative and other accounts.
>
> 7. Make sure that you follow security best practices for the web environment
> (server) configuration and the application code. The following training
> material on < _Training.Slides_Secure.Coding.Practices.pptx> Secure Coding
> practices and the < y.Guidelines_v1.0.docx> Guidelines document will help
> you achieve that.
>
> 8. Only when the incident is contained and eradicated can you re-connect the
> server back to the network.
>
> 9. When the incident is eradicated, use the < t.Form_v1.0.docx> Incident
> Report form to document the root cause of the incident as well as other
> facts and send it back to us.
>
> We also strongly encourage you to migrate your web sites to a centralized
> UNDP content management system. Please, contact Mark Cardwell
> <mark.cardwell@undp.org> and Jennifer Drag <jennifer.drag@undp.org> to
> arrange migration.
>
> Please let me know if you have questions about any of the above information
> or need further assistance.
>
> Best regards,
>
> Paul
>
> Paul S. Raines
> Chief Information Security Officer
> United Nations Development Programme
> 304 East 45th Street
> New York, NY 10017
> paul.raines@undp.org
> +1 212 906 5574
> ISO 9001 & 27001 certified
> www.undp.org
>
> Please consider the environment before printing this email.
>

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Dear Dr. Hulki,

As I told you just now over the phone, it now seems that the majority of the documents in the link are in one way or another related to UNFPA. According to the current knowledge, the UNFPA server has not been hacked and there are two possibilities: either the UNFPA email server has been hacked, or one of the computers in UNFPA office has been hacked. In order to find out what the problem is and which computer has been hacked (if at all), he needs to check all computers in the office. There is no need for Mohammad to know our passwords, as he will check the computers with the admin password. However, he needs to receive an authorization from you.

Best regards
Monire

—– Original Message —–
From: “M. Hulki Uz” <uz@unfpa.org>
Date: Monday, March 25, 2013 10:19 am
Subject: RE: FW: report #1: Hacking of UN Systems in Iran
To: bassir@unfpa.org
Cc: mohabbatova@unfpa.org, irandoost@unfpa.org

> Dear Monire,
> Thanks for your prompt reply and follow up. Re the HQ colleague, I have no
> idea. I have already informed APRO. Narges can help you by searching it in
> the directory.
> regards
>
> Dr. M. Hulki Uz
> Representative
> United Nations Population Fund
> Tehran
> I.R. Iran
> Tel: 9821 22858046
> Fax: 9821-22857485
>
> The United Nations Population Fund: Delivering a world where every pregnancy
> is wanted, every childbirth is safe and every young person’s potential is
> fulfilled.
>
> —–Original Message—–
> From: bassir@unfpa.org [
> Sent: Monday, March 25, 2013 9:36 PM
> To: M. Hulki Uz
> Cc: mohabbatova@unfpa.org; irandoost@unfpa.org
> Subject: Re: FW: report #1: Hacking of UN Systems in Iran
>
> Dear Dr. Hulki,
> Please note that I have just talked to Mohammad Sepehrnoush. He and Ardalan
> are in the office now, working on the issue. They are resetting all
> administrator passwords and trying to find out more about the problem. I
> discussed your request with them, asking about what I can do now:
>
> - Take the image of our data in the server – backups of our server have been
> taken.
> - find out which other UNFPA docs have been released and make a list of them
> – he told me that I need to go to the links provided and download and review
> all documents. He told me that this is very time-consuming, but if we can
> make a list of UNFPA documents this would help them to locate the affected
> server, as they do not know which server was hacked. I will try to do so
> now.
> - Change passwords for all accounts where they are similar to the ones used
> on the server in question (including personal accounts) – IT is changing all
> administrator passwords. I will also ask everybody to change their
> passwords.
> - Inform the relevant colleagues in HQ and request further advice, if any. –
> please let me know whom I need to inform.
>
> Thank you.
> Monire
>

