It's hard to give suggestions because the range of vulnerabilities that
can be exploited is so broad. But what Com Sec is saying here is a
really good start. You might also look for a decent rootkit finder.

Sorry if this explanation covers things you already know, but a common
way that systems are exploited is that a legitimate executable on the
system is replaced with one that does what the attacker wants. That's
called a rootkit. One way to find out if there's a bad executable on
your system is to track down the malicious traffic, if there is any, to
a particular port or process. Netstat might help you do that. If you
think a particular executable might be to blame, you could also do a
checksum of the one on the compromised system and compare it to one that
comes fresh from the OS install media or from the software provider.
You can imagine that that quickly gets tedious and error prone, what
with the many versions of the software that might have been released and
were perfectly legit at that time. Rootkit finders come pre-loaded
with signatures for a bunch of common rootkits and might find your
culprit reasonably efficiently.

There are many, many security-oriented sites that might be helpful to
you, and unfortunately I'm behind enough on my reading that I can't
recommend one or two. You can look up exploits and vulnerabilities for
a particular software package, and that may lead you to some sites that
can tell you more. For example, if you think that a webserver or CMS
has been hacked, look up vulnerabilities for that tool and you'll find
sites that are dedicated to web software-based attacks.

A long time ago I took the GCIH course from the SANS Institute. At the
time it was very, very good. I hear that the quality has slid a bit
since I took it, but they are still a big name in security training.
Here's their certification list:
http://www.giac.org/

The canned photos are bad enough that I feel I should justify myself:
To get my certification I had to pass a rigorous test, AND write a
research paper. I learned a lot and did not find it corny at all.
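As an added illustration of the checksum comparison described in the reply above (example code, not from anyone in this thread), here is a small Python script that hashes a known-good tree taken from install media and reports what differs on the suspect host. The directory layout, file names and file contents are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed example: compare an installed tree against SHA-256 hashes
# taken from pristine install media, rather than checking files one by one.

def sha256_of(path: Path) -> str:
    """Stream the file so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file (path relative to root) to its hash."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_tree(root: Path, known_good: dict[str, str]) -> dict[str, list[str]]:
    """Report files whose hash changed, files that vanished, and files
    present on the host but absent from the known-good manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(n for n, h in known_good.items()
                           if n in current and current[n] != h),
        "missing": sorted(n for n in known_good if n not in current),
        "unexpected": sorted(n for n in current if n not in known_good),
    }

def demo() -> dict[str, list[str]]:
    """Constructed sample: 'reference' stands in for the install media,
    'live' for the suspect host with one replaced binary."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, live = Path(tmp, "reference", "bin"), Path(tmp, "live", "bin")
        for d in (ref, live):
            d.mkdir(parents=True)
            (d / "ls").write_bytes(b"original ls")
            (d / "ps").write_bytes(b"original ps")
        (ref / "lsof").write_bytes(b"original lsof")          # gone from the host
        (live / "ps").write_bytes(b"replaced ps")             # altered on the host
        (live / "unknown_tool").write_bytes(b"not from media")  # not on the media
        manifest = build_manifest(ref.parent)
        return verify_tree(live.parent, manifest)

if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

The reference hashes must come from trusted media or the vendor, never from the suspect machine itself. A kernel-level rootkit can still hide or falsify files from user-space tools, which is where the rootkit finders mentioned above come in.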
On 12/20/2012 02:09 PM, Com Sec wrote:
> Usually the first step is taking a snapshot of the system to prevent
> overwriting critical data. Sleuth Kit is an open source forensics tool
> that might be able to help you take a first step in analyzing.
>
> On Dec 20, 2012 1:51 PM, "Jordan Miller" <jrd...@gmail.com> wrote:
>
> jordan
>
> On Dec 20, 2012, at 1:30 PM, andy wrote:
>
>> Hi everyone,
>>
>> For my new job I have to do some detective work. Someone was using
>> a server to do things they shouldn't and I have to bring them to
>> justice. Unfortunately the clues are all technical.
>>
>> I need to understand the process of how someone might take
>> advantage of a vulnerable system, what signs might indicate that
>> we've been hacked.
>>
>> Any good resources out there for educating myself?
>>
>> Safe
>>
>> A
>>
>>
>> --
>> To post to this group, send email to hive76-d...@googlegroups.com