Comments
-
Normally after the mission finishes I believe. But someone with more knowledge will likely have a better idea.
-
Hint for today is 404
-
Rolled back the patches, and still the same. We've turned off AV etc, and still no difference. I'm going to build the new environment today instead, seems the easier option due to EOL/EOS product and DB.
-
No permissions change. We use priv access system to access the direct server, so I have admin on the server.
-
12.3 I think
-
Thanks for the comprehensive answer. Can I ask how you would move the alerts/reports manually across from DB to DB please.
-
We don't use SAM
-
As in the servers? It's all listed in the release notes, as to what hardware/virtualisation you should go with. I'd need specifics to be able to offer additional help.
-
I'm pretty sure that the upgrade path is listed on the customer portal. We're running a similar version of NPM/Orion etc. So download the latest updates, put them on your servers/new servers and complete the upgrade and migration. https://customerportal.solarwinds.com/support/product-upgrade-advisor Follow that, and it'll…
-
Not really sure this will work. If they've already infiltrated the system, and moved into other areas, then binning the servers off isn't going to solve anything. It is unlikely that they've stayed just on the Orion servers. They will have installed additional software, and persistence and likely moved into other parts of…
-
Preaching to the choir
-
Great response! There seem to be a lot of people on the forum trying to defuse this situation, and that is admirable. But with the mounting evidence that is coming from the infosec community, and the lack of information coming from SW (this isn't surprising), then being diplomatic about the company and its products isn't…
-
IMHO, I'd say it's a little late to try and regain trust. This is still the early part of the incident and the full impact won't be known for some time. Having a year of additional support is going to be worthless; I'd be surprised if companies are not already looking at alternative solutions, and mitigating their damage…
-
Consider yourself compromised. Turning off the servers is unlikely to resolve anything, as they will likely have moved into another part of the network, and dropped persistence measures.
-
Latest information on the hack shows that the FTP details were leaked to GitHub in 2018!! Password was about as secure as a house with the door open. Whilst the attribution to an APT has been suggested, it would appear that SW themselves gave the keys to the castle with poor security implementation processes.…
-
Just another rotation of the sun
-
TBH it's unknown at present. But as someone has said, Dark Halo has been traced to use this tactic and tool. It is also dependent upon the box having internet access, so it can contact the C2 server then download additional payloads. In all likelihood, the target was the US government, and other affected parties were likely…
-
Not sure why people are linking to the FireEye hack. They had their internal systems compromised, and their red team tools stolen, which are basically open source tools, readily available. They're also using known exploits and no 0days. From what I know of the Orion hack, this is a supply chain hack, so their FTP or…
-
There is a credential dumping tool for Orion in the wild. And whilst it would be good practice to change passwords for service accounts, it may already be too late, as if they have persistence into your network, then changing the passwords won't achieve anything. Additional payloads are injected that allow leverage of AD…
-
I don't really think asking for a free year of maintenance, or thwack points, is appropriate at this time. The company as a whole is struggling because of this intrusion. It's not something that is going to be solved overnight, and no amount of freebies is going to help with the reputation damage this has caused.
-
Thanks, I've sent a PM. I'm sure there is a set process for disclosure, it's just not showing on the site.
-
I don't disagree, but if enough people ask for it, then surely it would be of worth to SW to complete. Unless there is some deal with MS where they get "incentives" to ensure it's a Windows based system. Yes our build situation is crazy, and I don't disagree, but Linux is used in the majority of organisations, and would…
-
Thank you for your reply, and offer of assistance. I'll likely PM you to discuss further, but I will try and answer your queries first. As stated above, our in-house SNOW developers won't use any plug-in as they want to control the flow themselves; they feel that by using a 3rd party plug-in (SW/SNOW), they will lose this…
-
Firstly, thank you for your response, I'll try and answer some of your questions/queries; 1. We cannot use any plug-in from either SW or SNOW, our developers want to keep it all in-house so they can control the flow. Appreciate this makes things much more difficult but this is the situation we have and part of where the…
-
I'm not sure. I've just had a read of the iControl from SW, and sent it to our LB engineer. Hopefully more information to come.
-
We don't have an account manager, and I won't be disclosing it here. I merely would like contact information to take this offline.
-
I presume the log checking will only be relevant once you start logging to the server? We've yet to cut it over, but I've imported the ini settings. With regards to the paths, would I need to create these on the new server? Or are they automatically created as part of the setup/ini import?
-
Same here, no progress showing on the mission.
-
I attended CLEUR, and also attended the SW booth. I met Andrey (sorry if I spelt it wrong), very nice Polska like myself, although he did laugh a little when I got my Polish wrong. Thanks for the free t-shirt, was good to meet a couple of you in person. It would've been nice to sit down with a few of you to discuss SW, but…
-
What benefits are there of being SCP? Like if you're Cisco certified your company gets a discount on products. We have and use SW products in my present company, and whilst I am proficient with them, I'm not sure I could pass the exam. We're not a reseller so there is no real benefit to my company that way, although we are…