On Sat, 26 Jun 1999, Curtis Hefflin wrote:

> I have a hacker who has successfully broken into an internal aix box via a
> remote access server our company uses for certain employees and vendors.
> From this other box he has attempted to access other servers including our
> firewall, which is also aix.
> I would like to know how I could retrace/track this person's movement
> through the system. What logs or files should I review? And any other help
> or advice you can provide.
> Thanks,
> Curt


Well. Is he still accessing your system? If so, set up an external box on
the same network and capture all the packets. You can watch him from
there. You can also r/ssh into the compromised box at regular intervals
and run netstat, w, etc. to figure out what's going on and set up quick and
dirty scripts on the monitoring box to determine when he's on and then
email or page you. This isn't always an option, but if you can convince
your employer to let you do this, I'd recommend it. It's very
educational and you'll likely uncover some trends that will aid you in
combating this in the future. You'll also probably realize that most
hax0rs are only looking for a place to drop an eggdrop.

If you think you've already locked him out, or you know you have, and
you've taken the box off line, you can _find_ all the files that have
changed since the box was compromised. It's likely he installed a root kit
and you're not seeing certain hidden dirs. Find is often not replaced by
root kits making it useful for finding hidden directories and files. If
that fails, you can also use clean copies of find, ls, ps, who, etc...
from your original media. Probably you'll want to look into something like
tripwire for the future if you're not already using it. I assume you've
checked all the standards: syslog, messages, sulog, wtmp, utmp, inetd.conf
(for backdoors), rc and init.d files, if not, that's also a good starting
point. 

Probably best to reinstall all binaries at this point. If possible, back
up your data, wipe the box, and start again. You could check out deception
tool kit and bring the original box back online with a new IP address and
set up deception tool kit in the place of the original box and mess around
too.

+++ath 
Derek Vadala, [EMAIL PROTECTED], http://www.cynicism.com/~derek

