[PLUG] Re: PLUG Digest, Vol 25, Issue 47

Jeff Moore Jeff.Moore at chemeketa.edu
Wed Oct 18 20:18:10 UTC 2006


Hi all,

   Just checking to see if you all have any standard practices or tips
when it comes to server forensics.
   We had an instance where an administrator installed an FC4 box
outside our firewall and, while testing the machine, he stopped iptables.
DOH! Wouldn't you know it, in no time a pesky little hermit crab (not to
offend hermit crab lovers) scrambled along and crawled in. This
particular crab used the server as an IRC server and for some attacks
and reconnaissance (this is how the administrator was alerted to the
intrusion). Immediately the admin unplugged the network cable and
shut down the machine (we try to teach them not to shut the machine down,
but those darn knee-jerk reactions take over sometimes).
   I have currently booted into Knoppix, mounted the LVM and studied it a
little. I am also scp'ing the contents of the LVM to another machine for
a more intense look. It appears that this particular hermit crab
connected consistently from one IP address in Romania. By the looks of
it, I wouldn't doubt if this was his IP. He did nothing to conceal his
work on the server. We have the complete history file, all his scripts,
and links to where he houses his scripts (a bank of scripts on a
Geocities site, an IRC server camouflaged as a PDF on an undisclosed
server, etc.). Pretty interesting really.
   Thanks in advance for the help and tips.

Jeff M
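The post describes pulling the evidence off the mounted LVM volume with scp. As an added example that is not part of Jeff's post or the PLUG thread, the script below shows the acquisition step most incident-response checklists put first instead: raw-copy the block device into an image file (so deleted files, unallocated space and timestamps survive, which a file-level scp loses), record a SHA-256 of the source at acquisition time, and verify the image and a per-file manifest against those hashes later. The device path in the comments is an assumption for illustration; the demo at the bottom uses a constructed regular file in place of the logical volume so it runs without root.

```shell
#!/bin/sh
# Added example: hash-verified imaging of a suspect volume. No device paths or
# hashes here come from the original post; the demo input is constructed.

sha256_of() {
    # Print the SHA-256 of a file, using coreutils sha256sum or BSD/perl shasum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

acquire_image() {
    # $1 = source (assumed e.g. /dev/mapper/VolGroup00-LogVol00 on a real LVM
    # box; any regular file works for testing), $2 = destination image.
    # Hash the source first, then copy it byte for byte. conv=noerror keeps
    # going past unreadable sectors; conv=sync is deliberately omitted here
    # because it pads a short final block and would change the hash of an
    # unaligned test file.
    src="$1"; img="$2"
    sha256_of "$src" > "$img.sha256" || return 1
    dd if="$src" of="$img" bs=65536 conv=noerror 2>/dev/null || return 1
    chmod 0444 "$img" "$img.sha256"
}

verify_image() {
    # Return 0 only if the image still hashes to the value recorded at
    # acquisition, i.e. the copy has not been altered since it was taken.
    img="$1"
    recorded=$(cat "$img.sha256") || return 1
    [ "$(sha256_of "$img")" = "$recorded" ]
}

manifest() {
    # Emit "hash  path" for every regular file under a tree (the image mounted
    # read-only, or a file-level copy) so later tampering with the evidence,
    # or with the analysis copy, can be detected by re-running it.
    find "$1" -type f | LC_ALL=C sort | while read -r f; do
        printf '%s  %s\n' "$(sha256_of "$f")" "$f"
    done
}

# Demo on a constructed "device": a regular file stands in for the LV.
demo_dir=$(mktemp -d)
printf 'constructed evidence: stand-in for the FC4 logical volume\n' > "$demo_dir/lv"
if acquire_image "$demo_dir/lv" "$demo_dir/lv.img" && verify_image "$demo_dir/lv.img"; then
    echo "image verified: $(cat "$demo_dir/lv.img.sha256")"
fi
# Real use (needs root): examine the image without touching it, e.g.
#   mount -o ro,noexec,nodev,noatime,loop /evidence/lv.img /mnt/evidence
```

Work from the image or a copy of it, never from the original device, and keep the `.sha256` file with the image; re-running `verify_image` before and after analysis is what lets you say the evidence is what was captured.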



