Chronology (2)
Sat 4 Apr, DJM/AJF in office deciding what to do
Set NETSTAT looping on the affected system
Connect a workstation to the outgoing network segment to avoid the Etherswitch; run tcpdump (but what are we looking for?)
DJM spots unexpected activity from [******]
AJF sets tcpdump loose on it, logging payload to file. Hacking is in progress. We decide to watch.
Victim user has .rhosts file “+ +” !! Its “ls -lc” date said 10th February!!!
Notes:
On Sat 4 Apr, DJM and AJF were in the office. DJM decided to set NETSTAT looping to display network activity; AJF prepared a workstation to run tcpdump, not forgetting to move it off the Etherswitch.
DJM spotted unexpected activity from [******]; AJF set tcpdump to log the traffic to file (and later interpret it in ASCII).
It became clear that the hacker was issuing r-series commands in the name of one of our users. Inspecting that user’s home directory revealed a .rhosts file containing “+ +”, whose “ls -lc” date reads “10th Feb”.
This innocent user had also been given a hidden subdirectory, containing various hacking materials.
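An added check (not part of the original incident notes) that a defender could run across home directories to find by script what was found here by hand: a .rhosts granting trust to any host or any user, reported together with the file's ctime, which is what “ls -lc” shows and which touch(1) cannot backdate the way it can mtime. The home directory paths are assumptions.

```shell
#!/bin/sh
# Added example: report .rhosts entries that trust every host ("+ user", "+")
# or every user ("host +", "+ +"), with the inode change time from ls -lc.
# Paths are assumed; adjust to the site's home directory layout.

# check_rhosts FILE
#   prints "FILE<TAB>ENTRY<TAB>CTIME" for each permissive entry;
#   returns 0 if any were found, 1 otherwise (or if FILE does not exist).
check_rhosts() {
    file=$1
    [ -f "$file" ] || return 1
    hits=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}          # drop trailing comments
        set -- $line              # unquoted on purpose: split "host [user]"
        [ $# -eq 0 ] && continue
        for field in "$@"; do
            if [ "$field" = "+" ]; then
                # ctime, not mtime: set by the kernel on any inode change and
                # not settable through touch/utime, so harder to fake.
                ctime=$(ls -lc "$file" | awk '{print $6, $7, $8}')
                printf '%s\t%s\t%s\n' "$file" "$*" "$ctime"
                hits=$((hits + 1))
                break
            fi
        done
    done < "$file"
    [ "$hits" -gt 0 ]
}

# scan_rhosts HOMEDIR...
#   runs check_rhosts on HOMEDIR/.rhosts for each directory given;
#   returns 0 if any permissive entry was found anywhere.
scan_rhosts() {
    any=1
    for home in "$@"; do
        [ -f "$home/.rhosts" ] || continue
        check_rhosts "$home/.rhosts" && any=0
    done
    return $any
}

# Typical use (assumed layout): scan_rhosts /home/* /export/home/*
```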
AJF emailed another report to JANET CERT, while DJM considered how to alert the rest of the campus. We realised that we had received no instructions on how to initiate a disaster plan. There was also a problem making outside phone calls at weekends. By chance our Janitor was in to supervise some event, and suggested that DJM visit the security gatehouse for advice on possible actions. In the event, this seems to have been effective, but it would have been better if there had been a predefined plan.