[PLUG] Re: PLUG Digest, Vol 25, Issue 47

Mark A. Turner turner at glsuite.com
Wed Oct 18 21:33:04 UTC 2006


I have no tips, but this was an interesting (but short) story, would you
keep us updated?

-Mark

> -----Original Message-----
> From: plug-bounces at lists.pdxlinux.org [mailto:plug-
> bounces at lists.pdxlinux.org] On Behalf Of Jeff Moore
> Sent: Wednesday, October 18, 2006 1:18 PM
> To: plug at lists.pdxlinux.org
> Subject: [PLUG] Re: PLUG Digest, Vol 25, Issue 47
> 
> Hi all,
> 
>    Just checking to see if you all have any standard practices or tips
> when it comes to server forensics.
>    We had an instance where an administrator installed an FC4 box
> outside our firewall and while testing the machine he stopped iptables.
> DOH! Wouldn't you know it, in no time a pesky little hermit crab (not to
> offend hermit crab lovers) scrambled along and crawled in. This
> particular crab used the server as an IRC server and for some attacks
> and reconnaissance (this is how the administrator was alerted to the
> intrusion). Immediately the admin unplugged the network cable and
> shut down the machine (we try to teach them not to shut the machine down
> but those darn knee jerk reactions take over sometimes).
>    I have currently booted into Knoppix, mounted the LVM and studied it a
> little. I am also scp'ing the contents of the LVM to another machine for
> a more intense look. It appears that this particular hermit crab
> connected consistently from one IP address in Romania. By the looks of
> it I wouldn't doubt if this was his IP. He did nothing to conceal his
> work on the server. We have the complete history file, all his scripts
> and links to where he houses his scripts (a bank of scripts on a
> geocities site and an IRC server camouflaged as a PDF on an undisclosed
> server etc.). Pretty interesting really.
>    Thanks in advance for the help and tips.
> 
> Jeff M
> 
> _______________________________________________
> PLUG mailing list
> PLUG at lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
