[ Thanks to Noel
for this link. ]
[ Although this was posted on RootPrompt.org on 23 May, the
content was judged to be important enough to warrant posting to the
current (7 June) Linux Today news page – LT ed. ]
“This paper is a continuation of the Know Your Enemy series. The
first three papers covered the tools and tactics of the black-hat
community. This paper, the fourth of the series,
studies step by step a successful attack of a system.
However, instead of focusing on the tools and tactics used, we
will focus on how we learned what happened and pieced the
information together. The purpose is to give you the forensic
skills necessary to analyze and learn on your own the threats your
organization faces.”
“The information covered here was obtained through the use of a
honeypot. The honeypot was a default server installation of Red Hat
6.0. No modifications were made to the default install, so the
vulnerabilities discussed here exist on any default RH 6.0
installation. Also, none of the data presented here has been
sanitized. All IP addresses, user accounts, and keystrokes
discussed here are real. This is done on purpose to both validate
the data and give a better understanding of forensic analysis. Only
the passwords have been modified to protect the compromised
systems. All sniffer information presented here is in snort format.
Snort is my sniffer and IDS system of choice, due to its
flexibility, capabilities, and price (it's free). All actions
committed by the black-hat were captured with snort. I use the IDS
signatures supplied by Max Vision at www.whitehats.com. You can
query his arachNIDs database for more information on all the alerts
discussed throughout this paper. You can find my snort
configuration and signature file here. Once you are done reading
the paper, you can conduct your own forensic analysis, as I have
supplied all the raw data. As you read this paper, take note of how
many different systems the black-hat uses. Also, throughout this
paper, the black-hat is identified as she, but we have no idea what
the true gender is.”