Damn IRC Warez people are using my Server [Archive] - ZGeek

fearless13
23-02-2004, 09:19 AM
Hey Fellow Zgeekers.

I have just returned to work (had 2 days off last week, long weekends are fun) to find that somehow a trojan (runs as svchost.exe from c:\winnt\system32\albacom) that looks like it becomes an FServe in a few warez channels on -
irc.Powerchat.org/#dreamwarez
irc.thisischat.org/#nirvana
irc.psycholand.org/#tld

(found this info in a few ini files in the exe's directory, along with a few full length movies, mostly spanish)

Unfortunately I am the only one here at work that actually pays attention to the network and it appears that our connection (a nice big 1.5mbit up and down) has been flat chat since friday (so glad I am not paying the bill).

My question to zgeekers is what do I do now? I have killed the server and cleaned the files (ie renamed and moved to a different computer) and am currently watching for any traffic on irc ports (I don't want to just block it all because I want this guy's balls on a hook).

My biggest issue is the fact that this thing got into my network. And installed itself on our domain controller. Now I know it didn't come through email (domain server is our mail server but there is no client on that machine), and no other computer has permission to write to its folders (file share is hosted elsewhere) nor remotely execute programs.

Any help anyone can give would be greatly appreciated.

On a side note, those irc channels seem to have some pretty decent servers if anyone is looking for spanish movies ;) .

hijukal
23-02-2004, 09:27 AM
Have you checked out the Event Viewer?

Start -> Run -> eventvwr -> OK

Check out the Security tab to see any logons, and the System tab may show you if things were installed.

mrwest
23-02-2004, 09:52 AM
Not exactly the answer you're looking for, but might be useful to you. The six stages of incident handling:


Preparation - Stuff you have in place to stop this happening in the first place. Sounds like you're a bit past this now ;)

Identification - What's happened? Again, sounds like you've got an idea of what has happened...

Containment - Prevent it from spreading further, contain the incident to the affected machine(s), usually done by removing it from the network and isolating the machine(s) for analysis. Check other machines for signs of a compromise, contain all affected machines. Do you have a backup/secondary domain controller you can fall back on?

Eradication - Remove the malware, often done by nuking the box. Sometimes you can get all surgical on it and try to eliminate the malware, but you can never be 100% certain you got everything, nuking is safest and often the quickest answer. Rootkits etc can be hard to detect without the right tools and knowledge. Depends how critical the server was and how well you prepared. It's safest to roll back to a backup taken before the incident if you can.

Recovery - Bring the machine back into service, usually done by restoring a backup and applying the latest patches to cover the hole they got in through. Monitor the machine for a while (a week or two) to ensure it isn't compromised again. Keep an eye out for unusual traffic etc until you're sure it's safe again.

Lessons Learned - How did it come to be? How can you stop it happening again in the future? What extra preparation should you be doing? etc.

An incident like this can often be a blessing in disguise. Let your boss/manager know what happened, and explain if only you had a little more money to spend on securing the network these kinds of things wouldn't happen... ;) It's not hard to knock up a cheap IDS using an old PII running snort...

fearless13
23-02-2004, 10:14 AM
Thanks hijukal, didn't even think of that, seems obvious now though.

MrWest


Preparation - I have done my best in this regard. The only issue I have is making a backup that is actually useful. ie not have to reinstall windows to get ntbackup working so it can restore etc. Using a scsi tape drive how do you recommend doing a backup of a domain controller.


Identification - Didn't take long to find it, I am usually pretty good with identifying bad traffic, I would have caught it earlier except that I was not at the office.

Containment - I found the bad traffic, disconnected machine immediately and brought up my backup domain controller.

Eradication - Renamed and moved files. reconnected box to network and am now watching all traffic going to/from it.

Recovery - As above

Lessons Learned - This I am focusing on now

hehehe, money..... for our network, hell no. We are a very small software house and I fixed the printer one day just after I started and since then I have been "network admin". No money is put into the network (our virus scanner is about to lose its subscription and I am having a hard time getting money outta the bosses just for a new subscription). Already have a snort box setup (passive though, just used for looking at packets, doesn't block anything). I am completely untrained for this type of thing and am learning as I go. Managed to get a sage-au membership outta them which has helped heaps.

If anyone has any tried and true backup methods (using scsi tape drive) your comments are welcome.

hazza
23-02-2004, 10:14 AM
It's very easy to remove this stuff...

just delete everything, go into processes and kill all dodgy ones. easy.


look out for stuff like

firedaemon.exe
psexec.exe
daemon.exe
ir.conf
host.exe
r_server.exe


Ways they could've got in.

dcom virus
nt admin password being simple
my sql being installed
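A small triage script along the lines of hazza's list, added here as an example and not part of the thread or of any tool named in it. It checks a host snapshot (a constructed list standing in for `tasklist` or WMI process output; a real run would feed that in) against the file names above and against the pattern from the original post, a system binary name such as svchost.exe running from a sub-folder of system32 rather than system32 itself. Python is used because it is the sort of scripting language recommended further down the thread for checking system state.

```python
r"""Flag suspicious processes in a host snapshot.

Added example, not from the thread. The indicator names are the file names
listed in the post above; the path rule covers the pattern from the original
post (svchost.exe running from c:\winnt\system32\albacom). The snapshot is a
constructed list standing in for `tasklist` or WMI process output.
"""
from pathlib import PureWindowsPath

# File names the thread says to look out for (extend as needed)
SUSPICIOUS_NAMES = {
    "firedaemon.exe", "psexec.exe", "daemon.exe", "host.exe", "r_server.exe",
}

# Windows system binaries that should only run from the system directory
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe"}
SYSTEM_DIRS = {r"c:\winnt\system32", r"c:\windows\system32"}


def check_process(name, path):
    """Return the reasons a process looks suspicious (empty list if none)."""
    reasons = []
    lname = name.lower()
    parent = str(PureWindowsPath(path.lower()).parent)
    if lname in SUSPICIOUS_NAMES:
        reasons.append(f"{name}: name matches a known IRC-bot/remote-control tool")
    if lname in SYSTEM_BINARIES and parent not in SYSTEM_DIRS:
        reasons.append(f"{name}: system binary name running from {parent}")
    return reasons


def scan(snapshot):
    """snapshot: iterable of (image name, full path). Returns {path: reasons}."""
    findings = {}
    for name, path in snapshot:
        reasons = check_process(name, path)
        if reasons:
            findings[path] = reasons
    return findings


# Constructed snapshot, not output from a real machine
SAMPLE = [
    ("svchost.exe", r"C:\WINNT\system32\svchost.exe"),
    ("svchost.exe", r"C:\WINNT\system32\albacom\svchost.exe"),
    ("firedaemon.exe", r"C:\WINNT\system32\albacom\firedaemon.exe"),
    ("notepad.exe", r"C:\WINNT\notepad.exe"),
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

The name list only catches what is already known; the path rule is the more durable of the two checks, because a bot that renames itself to a system binary still has to live somewhere the real one does not.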

thingy
23-02-2004, 01:09 PM
Originally posted by fearless13
Hey Fellow Zgeekers.

I have just returned to work (had 2 days off last week, long weekends are fun) to find that somehow a trojan (runs as svchost.exe from c:\winnt\system32\albacom) that looks like it becomes an FServe in a few warez channels on -
irc.Powerchat.org/#dreamwarez
irc.thisischat.org/#nirvana
irc.psycholand.org/#tld

Sounds like W32.Welchia.B@mm (http://www.sarc.com/avcenter/venc/data/w32.welchia.b.worm.html). If you happen to still have a copy of the file (and the ini file) send it off to Sarc, I'm sure they'd love that information and what ever else you can tell them.

That link will also tell you how it got on your machine and what you need to do to protect against it.

fearless13
23-02-2004, 01:19 PM
Strange thing is that neither Symantec nor Sophos picked it up. The program I used to actually identify it (knew it was a trojan and knew what file it was) was some random IRC trojan identifier. It seems strange to me that both Symantec and Sophos (both with the latest updates) missed this guess completely but this Trojan Searcher tool gave me a trojan name and version number which I looked up on the net to find the exact details of the trojan.

thingy
23-02-2004, 01:26 PM
Yeah? Mustn't be what I thought it was then. I just assumed that due to the filename and how big it is on our network atm.

Got a link to the information you found?

mrwest
23-02-2004, 01:31 PM
Originally posted by fearless13
Strange thing is that neither Symantec nor Sophos picked it up. The program I used to actually identify it (knew it was a trojan and knew what file it was) was some random IRC trojan identifier. It seems strange to me that both Symantec and Sophos (both with the latest updates) missed this guess completely but this Trojan Searcher tool gave me a trojan name and version number which I looked up on the net to find the exact details of the trojan.
Virus scanners are (usually) signature based, so with a little tweaking you can modify an exploit and avoid it being detected. The trojan scanner you ran would have been a bit smarter. It would have an idea of what trojans usually do and look for the signs, like commonly replaced files, what's starting up when, etc.

hazza
23-02-2004, 01:35 PM
It's not a worm or a virus.

It's an exploit.


Your company or whatever got scanned based on an ip range e.g

10.0.0.1-10.0.255.255

Then an exploit was found.

Then they connected to the computer and uploaded the files.

Then they ran some bats which installed the programs e.t.c as services.

Then it joined irc and probs an ftp was open and maybe even a backdoor, so even if you delete the files they can still have access to your computer.

So try find some backdoors like Remote Admin, PC anywhere, Dameware Mini Remote Control. Stuff like that.


You won't be able to DO anything really against these people as they may have used someone else's computer to hack yours. Or the process may have been automatic on another hacked computer.


Have a bell to your Sys administrator. He should be fired.


Here is some stuff your sys admin should read

Hacking SQL boxes (http://www.force5web.com/articles/sql_scan.htm)

hazza
23-02-2004, 01:37 PM
Xdcc bot hacking essay (http://www.cs.rochester.edu/~bukys/host/tonikgin/EduHacking.html)

Below are sections from the above link.


Summary:

In a recent advisory written by Microsoft, and by trends being noticed by many university administrators over the past recent years, people have wanted to know what all these slave computers are on IRC. These machines are serving the newest warez (games, movies, apps, mp3, etc.) to anyone that knows how to use a keyboard. Also, massive amounts of bandwidth are being wasted (easily up to 2MB/s each machine). In this, I will describe from an insider's view, what is happening, how this is being done, how to see if you are a victim, and what you can do to prevent this from happening to your network.



B) Damn! I am a Victim…

If only I had written this earlier. Ok, here’s what to do. First off, don’t format the hard drive, leave that as a last resort. Go to the Control Panel, then select Administrative Tools. Now choose Computer Management. You will see two boxes, left will have a list with more options, and right box blank. In the left box, select Services and Applications, and under that click on Services. See to your right? Those are all the services on your computer. Look for firedaemon. Stop the service by right clicking, and selecting stop. Or, in command prompt “net stop servicename”. Once you have done this, right click the Firedaemon service, and go to properties. See ‘path to executable:’? Go to that folder, and delete it. Well, you can also look at the other files the hacker uploaded, and maybe find a host mask or IP of who the hacker is in one of their config files.

fearless13
23-02-2004, 01:41 PM
The program I used was TDS-3 (Trojan Detection System I guess).

It told me the file in question was actually RAT.IROFFER 1.2b22, simple google search returns http://iroffer.org/. So really it isn't a trojan as such (has legitimate uses) but it was being used as a base for using our bandwidth. Funny thing is the FAQ notes that IROFFER is used as a trojan by malicious people but also suggests to write to virus scanners to say that they should not report IROFFER as a virus as it is a legitimate program. (ie, yeah we are used by viruses, but tell them we aren't).

fearless13
23-02-2004, 01:56 PM
Hazza, I have a few questions if you don't mind.

Quote Hazza - Have a bell to your Sys administrator. He should be fired.

To start with I would like to make this clear, I am the sys admin. I am *not* trained nor qualified in sys admin, everything I know about sys admin has been learnt on the fly.

The problem I have is that there is no clear way for any one to have gotten into our network. We run a cisco router (damn thing is confusing as hell, but I am not allowed to use linux) and the only outside traffic that is allowed in is mail (port forwarded to an internal server) GRE traffic (also port forwarded to an internal server) and a few ports in the 8000-8020 range for our own services (simple services that are in no way a security risk, if a packet arrives that we don't understand it is dropped).

Meaning for someone to actually get into our system they would need a username password domain combo (unless there is a security hole in Microsoft's Remote Access server or IMAIL's mail server).

I suppose it could have come through an email (auto install on preview under outlook express) but that would have happened on a workstation which has no way of then moving the file onto the domain controller, let alone starting it running.

The only traffic from outside that touches the infected machine is remote access stuff (built into Windows 2000 Advanced Server, I believe it is PPTP).

Anyone got any ideas on how else it may have entered our network.

mrwest
23-02-2004, 01:59 PM
That would have been uploaded afterwards, have you found out how they got into the box in the first place?

Check for backdoors (dos prompt):

netstat -an

And unexpected scheduled jobs:

at

It sounds like you might have been hit by an exploit configured to download and install IROFFER when it executes. IROFFER isn't the exploit that got you, it came afterwards.

Have you been keeping up with patches? Do the event logs give you any clue?
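An added example (not mrwest's or the thread's code) of the `netstat -an` check above, in Python: it parses the Windows `netstat -an` layout, flags TCP listeners that are not on an allow-list of what the box is supposed to offer, and flags established connections to the usual IRC server ports, since outbound IRC from a domain controller is exactly the traffic the original post was watching for. The netstat text, the allow-list and the IRC port set are constructed assumptions.

```python
"""Triage Windows `netstat -an` output for unexpected listeners and IRC sessions.

Added example, not from the thread. The sample output, the allow-list of
expected listeners and the IRC port set are constructed assumptions.
"""
import re

# Ports IRC servers commonly use (assumption; extend for your own watch-list)
IRC_PORTS = set(range(6660, 6670)) | {7000}

# One line of `netstat -an`: proto, local addr:port, foreign addr:port, optional state
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s*(\S+)?\s*$")


def parse_netstat(text):
    """Yield one dict per connection line; headers and blank lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state = m.groups()
        yield {
            "proto": proto,
            "laddr": laddr,
            "lport": int(lport),
            "faddr": faddr,
            "fport": int(fport) if fport.isdigit() else None,  # "*" for UDP
            "state": state or "",
        }


def triage(text, expected_listeners):
    """Return findings: TCP listeners not on the allow-list, and IRC sessions."""
    findings = []
    for c in parse_netstat(text):
        if (c["proto"] == "TCP" and c["state"] == "LISTENING"
                and c["lport"] not in expected_listeners):
            findings.append(f"unexpected listener on TCP {c['lport']}")
        if c["state"] == "ESTABLISHED" and c["fport"] in IRC_PORTS:
            findings.append(
                f"IRC session to {c['faddr']}:{c['fport']} from local port {c['lport']}"
            )
    return findings


# Constructed sample in the Windows 2000 netstat layout (not a real capture);
# 5631 stands for a remote-control listener nobody set up on purpose
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1723           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5631           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      203.0.113.5:6667       ESTABLISHED
  TCP    192.168.1.10:1046      198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

# What this server is meant to offer: SMTP, POP3, NetBIOS session, PPTP
EXPECTED = {25, 110, 139, 1723}

if __name__ == "__main__":
    for finding in triage(SAMPLE, EXPECTED):
        print(finding)
```

The allow-list is the important input: it forces you to write down what the machine is for, and anything listening outside that list needs an explanation before the box goes back on the network.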

mrwest
23-02-2004, 02:07 PM
Originally posted by fearless13
(unless there is a security hole in Microsoft's Remote Access server or IMAIL's mail server).

It's not *if* there's a security hole, it's how many haven't been patched yet:)

Originally posted by fearless13
The only traffic from outside that touches the infected machine is remote access stuff (built into Windows 2000 advanded server, I believe it is PPTP).


Any money says that was how they got in. Search the bugtraq mailing list at http://www.securityfocus.com for your particular version to see how many holes have been found (and how to patch them).

sperm
23-02-2004, 02:09 PM
Originally posted by fearless13
If anyone has any tried and true backup methods (using scsi tape drive) your comments are welcome.

What I've used before is a PCI SCSI card with an external port so you can use a portable SCSI tape drive, in this case a DDS3 drive.

It's a little tricky with the SCSI card BIOS, but you can set it up so if you boot to DOS it enables the drives. It's normally a thing used for SCSI HDDs, but it works with tapes, zips, and orb drives.
I recall the biggest problem is you are stuck with one media then, ie. you can't change tapes/disks.

Then it's just a matter of using Norton Ghost to backup and restore.


there are other methods, but this is the best we came up with after quite a big effort.

This was done quite some time ago, and our short sighted bosses decided they didn't like the idea of installing SCSI cards in a lot of machines, so ultimately the idea failed; and we had no backup of critical machines (bad idea).

hope it works for you !

fearless13
23-02-2004, 02:10 PM
That is what I am trying to figure out. As far as I can see the only way into our network is through Microsoft's remote access (I am hoping that is secure) and through mail. All other traffic stops dead at the firewall, this means it doesn't matter if the box inside has all its updates, it can listen on ports all it likes, it will never get any traffic hitting it from the outside world.

Correct me if I am wrong here (or if I haven't illustrated the situation correctly), but if I have a firewall that only port forwards 3 ports (and established connections back to the initiating machine) then for anyone to come in they must go through these ports yeah????

fearless13
23-02-2004, 02:16 PM
Thanks Sperm....

I did try this method (though only quickly, I am actually a programmer for the company and just do sys admin in my spare time) ended up I couldn't quickly and easily get the tape drive to work under dos (ie I plugged it in and turned on.... didn't work, thought bugger that). I think I am going to have to go back to that option next time I am allowed to turn the server off.

I will say this, when the sys admin (ie me) isn't allowed to turn the server off for maintenance (ie backups) there is something wrong with the chain of command.

hijukal
23-02-2004, 02:53 PM
Originally posted by fearless13 I have a firewall that only port forwards 3 ports

I suggest that you download a bunch of hacking tools and try to hack your own network.

These sorts of tools help you secure your own network.

hazza
23-02-2004, 04:13 PM
guys, honestly. hackers don't waste their time with elaborate tools to get a robot computer.

it will be something very very simple. or what could have happened.


someone could've hacked a workstation and then used that workstation to access other parts of the network. it's commonly done because once inside the network more vulns open up.

scan your entire network with the scanners posted above, see what happens.

you should be fired because this is just kiddy shit, or you shouldn't be the sys admin. my home computer is more secure.

Zan
23-02-2004, 07:25 PM
Originally posted by hazza
you should be fired because this is just kiddy shit, or u shouldnt be the sys admin. my home computer is more secure.

Way to read

I fixed the printer on day just after I started and since then I have been "network admin"

I am *not* trained nor qualified in sys admin, everything I know about sys admin has been learnt on the fly.

Hazza.

:rolleyes:

fearless13
24-02-2004, 09:30 AM
Thank you so much for your help Hazza. Your in-depth analysis of my work has been so helpful in getting my skills up in order to secure my network.

Yes I shouldn't be sys admin, but when your other options mainly include people that don't know how to fill up a paper tray then what can you do.

The main problem I see is that I can't stop/detect bad traffic. We use a Cisco router for our firewall and I have no idea how to use it, I managed to jimmy a config for it that works (not securely mind you). If I was allowed to put a linux box in I would be happy because I would actually know what is going on. Unfortunately I am not quite there as I am yet to be able to support multiple vpn connections on a passthrough under linux.

I posted to this thread to see if there were some nice people out there with some experience in this area that may be willing to throw us a bone, and there has been (thanks to hijukal, sperm, mrwest and thingy). I would have liked to thank Hazza as well but considering his last post I don't think I will bother.

Oh yeah btw.... I don't get paid to do sys admin. I do it to make my life easier (if the network is up and running then I can do more work). Unfortunately this is what happens when you work for a company with all of 5 programmers.

If you have something useful to say Hazza then do so, if you want to pay out on me, PM me and keep this thread on topic (ie helpful information for anyone else that may be in my situation).

Drakin
24-02-2004, 09:49 AM
Have you tried one of the online scanners, they do a probe of your machine and let you know what the world can see in relation to the network.

This should identify the areas that might not be secure, then simply check each one.

http://scan.sygate.com/

There are other scanners online, if anyone else knows one post it up for fearless13.

Btw good on you for getting in there and giving it a go..

fearless13
24-02-2004, 10:08 AM
Thanks Drakin, I have done this before (the scan from outside)

The results from the one you suggested are

We have determined that your IP address is ***.***.***.***
This is the public IP address that is visible to the internet.
Note: this may not be your IP address if you are connecting through a router, proxy or firewall.


Trying to gather information from your web browser...
Operating System = Windows XP
Browser = Netscape Navigator 5.0

Trying to find out your computer name...
Computer = LITTLEKING
Domain = *********

Trying to find out what services you are running...
Web Server Found = Server: Microsoft-IIS/5.1
POP3 Mail Server Found = +OK X1 NT-POP3 Server littleking.************* (IMail 7.15 43450-1)
SMTP Mail Server Found = 220 littleking.************* (IMail 7.15 1006-1) NT-ESMTP Server X1

What I would like to know is how it managed to get the name of my computer (well actually it is the name of my server machine). What port did it use to obtain that information????
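The report above can be read mechanically, and doing so answers part of the question: the script below cannot say which port the scanner used for its `Computer =` line, but it does show that the POP3 and SMTP greeting banners quoted above carry the host name (`littleking.`) anyway, along with the mail server product and version. This is an added example, not the scanner's code or anything from the thread; it parses the `Label = value` lines of that layout, reports which service banners contain the computer name the report found, and which banners advertise a product and version. The report text in it is constructed with the same shape as the quoted one, with an example domain in place of the masked one.

```python
"""Read a perimeter-scan report and list what it discloses about the host.

Added example, not the scanner's code and not from the thread. Input is text in
the `Label = value` layout quoted above; the report below is constructed with
an example domain in place of the masked one.
"""
import re

BANNER_LABELS = (
    "Web Server Found",
    "POP3 Mail Server Found",
    "SMTP Mail Server Found",
)

# "Product/1.2" or "Product 1.2.3" inside a banner
VERSION_RE = re.compile(r"([A-Za-z][A-Za-z-]*)[/ ](\d+(?:\.\d+)+)")


def parse_report(text):
    """Return {label: value} for every `Label = value` line."""
    fields = {}
    for line in text.splitlines():
        if " = " in line:
            label, value = line.split(" = ", 1)
            fields[label.strip()] = value.strip()
    return fields


def disclosures(text):
    """Which banners contain the computer name, and which advertise a product/version."""
    fields = parse_report(text)
    computer = fields.get("Computer", "").lower()
    result = {"hostname_leaks": [], "versions": []}
    for label in BANNER_LABELS:
        banner = fields.get(label)
        if not banner:
            continue
        if computer and computer in banner.lower():
            result["hostname_leaks"].append(label)
        for m in VERSION_RE.finditer(banner):
            result["versions"].append((label, m.group(1), m.group(2)))
    return result


# Constructed report in the same layout as the one quoted in the thread
SAMPLE_REPORT = """
We have determined that your IP address is 203.0.113.10
This is the public IP address that is visible to the internet.

Trying to find out your computer name...
Computer = LITTLEKING
Domain = example.test

Trying to find out what services you are running...
Web Server Found = Server: Microsoft-IIS/5.1
POP3 Mail Server Found = +OK X1 NT-POP3 Server littleking.example.test (IMail 7.15 43450-1)
SMTP Mail Server Found = 220 littleking.example.test (IMail 7.15 1006-1) NT-ESMTP Server X1
"""

if __name__ == "__main__":
    found = disclosures(SAMPLE_REPORT)
    print("banners containing the computer name:", found["hostname_leaks"])
    for label, product, version in found["versions"]:
        print(f"{label}: {product} {version}")
```

The product/version pairs are the part worth acting on: they are exactly what someone searching bugtraq for a matching hole would start from, so they are also what you should be searching for, before they do.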

fearless13
24-02-2004, 10:36 AM
Okay, calling all Cisco people.

It would seem that our Cisco router is routing all packets that don't get routed elsewhere (ie I route mail and GRE traffic) to a particular machine in here for no apparent reason. I have not setup a default route, it seems to have just decided to route to our domain server (meaning port 139 is open to the outside world, very not good)

Any people with Cisco experience that may like to have a look at my config for problems????

thingy
24-02-2004, 10:44 AM
Hazza, that's a really fucked attitude to have. If it was a large corporation then sure, it should never have happened. However, they would have professionals in the IT department specifically to stop things like this from happening. The majority of SMEs* can't afford this type of infrastructure and have to settle for people who are "jack of all trades", people who have to do everything from helpdesk, to desktop support, network support, server support and security. That's quite a wide variety of tasks for someone to do and leaves them with little time to specialise in any one area or ensure things are 100% shipshape. Coupled onto this the fact that most companies who do operate like this have very limited IT budgets and can't afford network monitoring / security tools or other such resources.

Take my company for example. Globally things are very secure as it's a large corporation. However when not looking at the Global scale we are an SME, and we operate like one. Sure, we have WAN specialists, security specialists, mail specialists. They look after things on a global scale, look after things such as the WAN that connects offices, routers, firewalls, mail servers from where they are based in NY and HK. All these things I myself am locked out of.

Despite this, I have to do helldesk & desktop support for Windows 95, Windows 98, Windows Me, Windows NT 4.0, Windows 2000, Windows XP, Mac OS 8.6, Mac OS 9.1, Mac OS 9.2 and Mac OS 10.2 for 250 users with only one person to help me. We also have 35 servers to keep running which are anything up to 10 years old running VMS (external support), Netware 4.11, Netware 5.0, Windows NT 4.0 and Windows 2000. Programs include MS Office (97 through to XP, PC and Mac versions), Lotus Notes R5, Norton Antivirus Corporate Edition 7.61, all Adobe software, Quark Express 4.11, 5 and 6, a lot of specialised Media apps (Chocoholic knows them well), Citrix Metaframe 1.8, Metaframe XP 1.0 FP2, the list goes on. Network protocols are TCP/IP (old NT4.0 domain and new ADS domain), IPX/SPX, Appletalk. All internal hardware from laptops, desktops to servers and network infrastructure, PABX & phones, PDA's that people buy for themselves, and generally anything that plugs in anywhere and/or has electricity running through it (yes, that includes the coffee machine (no, I'm not kidding)).

Not much variation at all, is it? :rolleyes: With all that to support and only one other person to do it with, 250 users to support it on plus 35 servers across two sites it doesn't exactly leave me with much time. Definitely not enough to get things done as thoroughly as I'd like. Definitely not enough time to set up features of a lot of these programs that could / would ultimately save me time. Most of these things I had never touched before I got this job (Adobe software, Mac software, NAV:CE, Metaframe, Media Apps etc) which gives you a hint as to the resources they provide us with in the IT department.

Just because someone does admin / support, it doesn't mean they have the resources required to do a flawless job. For MANY companies, a half-arsed solution is all that's possible, especially for SMEs.

(*For those who don't know, SME stands for Small to Medium Enterprise, companies whose sizes only range to a few hundred employees.)

fearless13
24-02-2004, 10:52 AM
Well put Thingy. Thank you.

The biggest problem I face is time rather than resources. I am employed as a programmer and as such only do sys admin when there is a lull in the workload or something bad happens.

void*
25-02-2004, 07:03 AM
Assuming here that you have

a) no time
b) no training

I suggest the following:

1. Get a proper firewall.

A CISCO *router* (ie, not PIX firewall) is NOT an effective border protection device, and if you had to "jimmy a config that works" I'd pretty much assume that it can't be trusted. (That is not a criticism. I'm impressed you got the damn thing working). CISCO has some vulnerabilities as well (most celebrated is the HTTP exploit).
Snapgear do effective, cheap, easy to configure firewalls (http://www.snapgear.com.au/) that will NAT, VPN and stuff for you.
Watchguard are more expensive, but have some better features (VPN is very good, and easy to configure).
LINUX is great (I recommend SMOOTHWALL), but needs some love and care. Sounds like you just need something to set and forget. For that, an appliance is much better than a PC.

Short term I'd suggest putting a firewall in behind your router, isolating it, and passing the traffic through to your internal network.

2. Don't Trust *ANYTHING* to be secure.

If you are a coder ('natch), then learn some PERL or PYTHON and when you have some downtime (hah) write a few scripts to do checking of your system states.

It's something you can creep up on, and it'll give you a better understanding of what your machinery is doing.

(www.perlmonks.com, and look in CPAN for system admin for standard modules and stuff)

3. VPN != SECURE

VPN just means the traffic is secure, not the access. Access to your network should be limited to just who *really* needs it. Make sure you have good quality passwords on those userids, and LOCK THEM OUT if you get multiple password failures.
On my VPN access, only a select few get it, and I control the passwords, to ensure they are of sufficient length and quality. Sure, you may not have that luxury (damn the MD and his kid's needs), but try as hard as you can. If in doubt, use FUD about this attack to force the bosses into action. A good threat is the Privacy laws in AUS. Lots of FUD going on there.

4. Get a good virus checker and keep it up to date

'natch

5. Automate, Automate, Automate

Automate everything. As Thingy rightly points out, the load on SysAdmins (particularly part time ones) is excruciatingly large. Whenever you do something, ask yourself how you can automate that task. Then allocate a little time to writing that PERL/PYTHON/SHELL/C++/VBS/JS code to do that task for you next time. You'll quickly build a set of tools that will save you heaps next time something is not right.

6. Don't re-invent the wheel

If you have to do something, spend 5 minutes on GOOGLE first. Chances are high that someone else has experienced it, fixed it and automated it already.

Any other advice I can give you would have to start being specific about what your machinery is doing. Not a good idea to start posting that around in the forums though.
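As an added example of the kind of checking script void* describes in points 2 and 3, and of the Security log review hijukal suggested at the top of the thread (this is not code from the thread or from any of its posters), the Python below reads a constructed export of logon events, the way an Event Viewer export would look once reduced to timestamp, event id, account and source. Event 529 is the NT/2000 "unknown user name or bad password" failure and 528 a successful logon. It flags any account with five or more failures inside ten minutes (the condition void* says to lock on) and then checks whether a successful logon from one of the same sources followed, which is the case to chase first. The export lines, the threshold and the window are assumptions.

```python
"""Find brute-forced accounts in an exported Security log, and successes after them.

Added example, not from the thread. Input is a constructed export reduced to
`timestamp, event id, account, source`; 529 is the NT/2000 "unknown user name
or bad password" event and 528 a successful logon. Threshold and window are
assumptions to tune.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_EVENT = 529
SUCCESS_EVENT = 528


def parse_export(text):
    """Parse `timestamp, event id, account, source` lines into time-sorted tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, event_id, account, source = (f.strip() for f in line.split(","))
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                     int(event_id), account, source))
    rows.sort(key=lambda r: r[0])
    return rows


def find_lockouts(rows, threshold=5, window_seconds=600):
    """Accounts with `threshold` failures inside `window_seconds`.

    Returns {account: (time the threshold was hit, sorted list of sources)}.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # account -> (time, source) failures still in window
    flagged = {}
    for ts, event_id, account, source in rows:
        if event_id != FAILURE_EVENT or account in flagged:
            continue
        q = recent[account]
        q.append((ts, source))
        while ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[account] = (ts, sorted({s for _, s in q}))
    return flagged


def success_after_failures(rows, flagged, window_seconds=600):
    """Flagged accounts that then logged on successfully from one of the same sources."""
    hits = {}
    for ts, event_id, account, source in rows:
        if event_id != SUCCESS_EVENT or account not in flagged:
            continue
        t_flag, sources = flagged[account]
        if source in sources and 0 <= (ts - t_flag).total_seconds() <= window_seconds:
            hits[account] = (ts, source)
    return hits


# Constructed export (not a real log): one account hammered and then logged
# into, one with occasional typos spread over a morning, one normal user
SAMPLE_EXPORT = """
2004-02-20 23:01:05, 529, administrator, 203.0.113.5
2004-02-20 23:01:09, 529, administrator, 203.0.113.5
2004-02-20 23:01:14, 529, administrator, 203.0.113.5
2004-02-20 23:01:20, 529, administrator, 203.0.113.5
2004-02-20 23:01:27, 529, administrator, 203.0.113.5
2004-02-20 23:01:33, 528, administrator, 203.0.113.5
2004-02-20 08:00:00, 529, alice, 192.168.1.22
2004-02-20 08:40:00, 529, alice, 192.168.1.22
2004-02-20 09:20:00, 529, alice, 192.168.1.22
2004-02-20 10:00:00, 529, alice, 192.168.1.22
2004-02-20 10:40:00, 529, alice, 192.168.1.22
2004-02-20 09:05:00, 529, bob, 192.168.1.40
2004-02-20 09:05:30, 528, bob, 192.168.1.40
"""

if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    flagged = find_lockouts(rows)
    for account, (when, sources) in flagged.items():
        print(f"{account}: {len(sources)} source(s) hit the threshold at {when}")
    for account, (when, source) in success_after_failures(rows, flagged).items():
        print(f"{account}: successful logon from {source} at {when} after the failures")
```

Running this against a window of a few hours instead of ten minutes also catches slow guessing (the `alice` pattern in the sample), at the cost of flagging users who simply mistype; the two windows are worth running side by side.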

fearless13
25-02-2004, 08:48 AM
thanks void, you have some good points.

I completely agree with you on the cisco is not a firewall thing. We did have a little netgear firewall/router that did a better job. The problem was supporting PPTP vpn pass through and net to net IPSEC.

Yesterday I dumped the cisco (which I have wanted to do for ages but the boss wouldn't let me) and put in a linux box (using smoothwall actually) and got that going. Now I just gotta figure out how to use frees/wan.

On a side note I think my company is going to get a contractor in to "secure" the network. Wonder who they are going to ask to support it after he has changed everything.

Lurgen
25-02-2004, 09:15 AM
A couple of things don't seem to have been covered so far in this thread...

Patch Management.
Take a good look at the way you roll out your patches. Are all of your servers up to date, especially domain controllers? When I say up to date, I mean 100% current, not just running the latest service pack. There are a hell of a lot of nasty exploits floating around out there that can do this sort of thing, but never show up on an anti-virus scan.

Patch management also extends to your desktops. It only takes a single unpatched workstation to unleash viral hell on your network, and cleaning up can take a loooong time sometimes. Consider using System Update Service (SUS, what a stupid name for a product) or at least enabling Windows Update on your workstations (it can be enforced using Group Policy if that's the way you like to do things).

SQL / MSDE installations.
Never install MSDE or SQL on your domain controller, and make sure that all installations of these two products are patched appropriately. MSDE is really just SQL in sheeps clothing, and it requires the same patches. MSDE is the number one point of entry in many organisations, simply because it is so damn common.

Veritas Backup Exec.
Backup Exec is my backup product of choice for small organisations. It has good support for SCSI tape devices, and is a stack easier to use than NTBackup.

If you wanted to back things up in a small environment, but didn't want to go to the expense of using tapes, DVD+/-R is an option. The new version of Nero has a reasonably good backup program in it, and 4GB per disk allows for a reasonable volume of data with minimal expense.

The fact that you found the thing.
Well done. Finding these things, especially when you are a self-confessed non-admin, is a pretty impressive feat.

void*
25-02-2004, 10:51 AM
Lurgen is 100% on that.

SUS and Systems Management Server are probably overkill in a small environment (one office setup like this sounds). Setting up the WindowsUpdate, as primitive as it is, is better than nothing, and worthwhile on workstations in your small group.

I'd recommend being more circumspect on auto-patches on servers, particularly domain controllers, as the critical patches often require reboots. But you need to keep an eye on them.

Backup

BackupExec is good if you get a decent tape drive and require the sophistication of tape rotation, and off site backup. Both of which are a damn good idea and will save you if your data gets really porked (anyone seen the latest MyDoom release? Deletes MS office files like a madwoman on crack).

If not, then in addition to the DVD +/-R there are a bunch of "backup in a box" devices out there now that are getting good reviews for this sort of minimal backup. Good if you don't require rolling backup or off-site storage.

Check out the maxtor one-touch range.

http://www.maxtor.com/en/products/external/onetouch/onetouch_combo/index.htm

Auspcmarket have them for ~450 AUD and up: www.auspcmarket.com.au

Lurgen
25-02-2004, 10:56 AM
Those backup-in-a-box solutions are a bit dodgy IMHO...

We backup data for a few reasons - to protect against malicious damage (worms, viruses, pissed off ex-employees, etc), stupidity (idiot users deleting stuff), but just as importantly we backup our data in case we lose a site.

These solutions in a box don't take into account situations where the physical premises is damaged, and as such can't really be considered proper backup solutions. They're more of an archiving solution.

Maxtor markets those things in such a way as to mislead the public into believing they're protected - they're not. They totally ignore the worst-case scenarios, where major damage occurs. Like a water pipe bursting (which happened to a friend's site two weeks ago), or a server catching fire and torching everything in the rack (happened last year in a site I worked at), or theft (when some asshole steals not only your server, but your backup box).

I can't stress enough how dangerous it is to rely on those backup boxes.

void*
25-02-2004, 11:12 AM
Oh I totally agree. Disaster recovery plans should include all scenarios up to and including the loss of your site, and, for that matter, the key personnel involved in recovering your site(s) and the data concerned.

I actually had a business supplier we deal with have their office broken into, and their server stolen. WITH THE ONLY BACKUP TAPE THEY EVER USED STILL IN IT. After I finished laughing, we had to resend all our purchase data to them so they could continue to trade. Terrible stuff.

My recommendation is the same as yours: Get a good set of backup software, decent tape rotation and send it at least once a week offsite. In addition: have a process to validate your restore on a regular basis. Just because you backed it up, doesn't mean you can restore it. A good backup policy has all that in place.

However, I would point out that there are various levels of backup as there are various levels of business support and admin.

ANY backup is better than NO backup. At least if you've backed it up, you have some chance of restoring it.

I agree Maxtor's marketing is *ahem* a little inappropriate for a good corporate level backup. It is, however, cheap, and an alternative backup solution.

Everything costs, just the currency changes.