RootPrompt.org: Know Your Enemy: A Forensic Analysis
Jun 07, 2000, 13:18
(Other stories by Lance Spitzner)
[ Thanks to Noel for this link. ]
[ Although this was posted on RootPrompt.org on 23 May, the content was judged to be important enough to warrant posting to the current (7 June) Linux Today news page - LT ed. ]
"This paper is a continuation of the Know Your Enemy series. The first three papers covered the tools and tactics of the black-hat community. This paper, the fourth of the series, studies step by step a successful attack of a system. However, instead of focusing on the tools and tactics used, we will focus on how we learned what happened and pieced the information together. The purpose is to give you the forensic skills necessary to analyze and learn on your own the threats your organization faces."
"The information covered here was obtained through the use of a honeypot. The honeypot was a default server installation of Red Hat 6.0. No modifications were made to the default install, so the vulnerabilities discussed here exist on any default RH 6.0 installation. Also, none of the data presented here has been sanitized. All IP addresses, user accounts, and keystrokes discussed here are real. This is done on purpose to both validate the data and give a better understanding of forensic analysis. Only the passwords have been modified to protect the compromised systems. All sniffer information presented here is in snort format. Snort is my sniffer and IDS system of choice, due to its flexibility, capabilities, and price (it's free). All actions committed by the black-hat were captured with snort. I use the IDS signatures supplied by Max Vision at www.whitehats.com. You can query his arachNIDs database for more information on all the alerts discussed throughout this paper. You can find my snort configuration and signature file here. Once you are done reading the paper, you can conduct your own forensic analysis, as I have supplied all the raw data. As you read this paper, take note of how many different systems the black-hat uses. Also, throughout this paper, the black-hat is identified as she, but we have no idea what the true gender is."