AniNIX/Wiki
3
0
Fork 0
Code Issues 9 Pull Requests 3 Releases Activity

Major documentation rework -- Entities and Ubiqtorate still need cleanup.

Browse Source
This commit is contained in:
DarkFeather
2020-10-09 04:19:07 -05:00
parent f506025c54
commit a118037532
76 changed files with 1011 additions and 1246 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
Operation/Incident_Reports.md
View File

@@ -1,26 +1,3 @@
These are cybersecurity incidents that the AniNIX has had to remedy due to some failure in our detection and prevention systems.
**Note**: We explicitly exclude routine incidents, such as IP's banned for SSH brute-force, files quarantined after virus scanning, and other routine housekeeping.
# January 2018 Spambot Detection
An attacker used a default password to pull down a Perl SMTP spambot and email list to spam fake Bank of America emails to users, attempting to phish them into clicking an xplotica link.
* When: 11-29-2017 through 1-4-2018
* Who: IRL identity unknown; last source IP 196.52.32.4 (Netherlands residential)
* What: Spambot
* * Vector: Attacker used a default password to access a monitoring user account; spambot and target lists were downloaded from a GoDaddy webhost (now nonfunctional).
Detection was provided by the ISP and [https://www.abusix.com/ Abusix]. The Postfix service was shut down, and forensic analysis performed starting with the /var/spool/mail folder and tmux session capture.
# Impact
This has negatively impacted the AniNIX's reputation as an SMTP source -- we are following up with Abusix and Google to restore our reputation.
Current forensic investigation does not indicate a compromise to any AniNIX privileged information.
## Our Response
* Monitoring user password has been rotated on all systems.
* Automatic password rotation for service accounts will be added to the service deploy automation.
* Sharingan needs updates to better monitor lastlog output and the sshd "Accepted" regex in journald. Postfix will be evaluated for appropriate MTA settings and restored to service later.
Contact an admin for access to incident files.
These are cybersecurity and availability incidents that the AniNIX has had to remedy due to some failure in our detection and prevention systems within the last two years.
**Note**: We explicitly exclude routine incidents, such as IP's banned for SSH brute-force, files quarantined after virus scanning, and other routine housekeeping. We are also not including maintenance outages or short-term (<8 hours) ISP events.