Slide 5 of 21
Notes:
On Sat 4 Apr, DJM and AJF were in the office. DJM decided to set NETSTAT looping to display network activity; AJF prepared a workstation to run tcpdump, not forgetting to move it off the Etherswitch.
DJM spotted unexpected activity from [******]; AJF set tcpdump to log the traffic to file (and later interpret it in ASCII).
It became clear that the hacker was issuing r-series commands in the name of one of our users. Inspecting that user's home directory revealed a .rhosts file containing "+ +", whose ls -lc date reads 10th Feb.
This innocent user had also been given a hidden subdirectory, containing various hacking materials.
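The two indicators above (a .rhosts granting trust to any host, and an unexpected hidden directory in a user's home) are easy to sweep for across all home directories. The script below is an added example, not part of the original notes or any tool the team used; it assumes POSIX sh with find, ls and awk, and the KNOWN_DOTDIRS allowlist is a constructed placeholder to be adjusted per site. It reports each flagged .rhosts with its status-change date (the same value the notes read from ls -lc), since that is the field that points at when the file was planted.

```shell
#!/bin/sh
# Added example (not from the original notes): sweep home directories for
# .rhosts files whose host field is "+" (trust any host) and for dot-directories
# that are not in a site allowlist. Assumes POSIX sh with find, ls and awk.

# rhosts_line_is_wildcard LINE -> succeeds if the host field of LINE is "+",
# i.e. the entry trusts every host ("+ +" trusts every host and every user).
rhosts_line_is_wildcard() {
    set -- $1            # word-split the line into host and (optional) user
    [ "$1" = "+" ]
}

# scan_rhosts BASEDIR -> prints "PATH|ctime" for each .rhosts directly under a
# home directory in BASEDIR that contains at least one wildcard-host entry.
scan_rhosts() {
    base="$1"
    find "$base" -maxdepth 2 -name .rhosts -type f 2>/dev/null | while read -r f; do
        hit=0
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in ''|\#*) continue ;; esac   # skip blanks and comments
            if rhosts_line_is_wildcard "$line"; then hit=1; fi
        done < "$f"
        if [ "$hit" -eq 1 ]; then
            # ls -lc shows the inode change time: when the file was last
            # created, chmod'ed or otherwise had its metadata altered.
            ctime=$(ls -lc "$f" | awk '{print $6, $7, $8}')
            printf '%s|%s\n' "$f" "$ctime"
        fi
    done
}

# Constructed allowlist of dot-directories expected in a home directory;
# extend it for the local environment.
KNOWN_DOTDIRS=".ssh .config .cache .local"

# list_hidden_dirs BASEDIR -> prints dot-directories directly under each home
# in BASEDIR that are not in KNOWN_DOTDIRS.
list_hidden_dirs() {
    find "$1" -mindepth 2 -maxdepth 2 -type d -name '.*' 2>/dev/null | while read -r d; do
        name=$(basename "$d")
        case " $KNOWN_DOTDIRS " in *" $name "*) continue ;; esac
        printf '%s\n' "$d"
    done
}

# Usage: sh rhosts_sweep.sh /home
if [ -n "$1" ]; then
    scan_rhosts "$1"
    list_hidden_dirs "$1"
fi
```

Run it against the parent of the home directories (for example /home); each line of output is a candidate to inspect by hand. A "+ +" entry is never legitimate on a multi-user host, so every hit from scan_rhosts deserves a look at the file's owner and change time, while list_hidden_dirs will produce some benign noise until the allowlist matches what local users actually keep.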
AJF emailed another report to JANET CERT, while DJM considered how to alert the rest of the campus. We realised that we had received no instructions on how to initiate a disaster plan. There was also a problem making outside phone calls at weekends. By chance our Janitor was in to supervise some event, and suggested that DJM visit the security gatehouse for advice on possible actions. In the event, this seems to have been effective, but it would have been better if there had been a predefined plan.