Internet Tutorials, servers, ip addresses, proxies, hacking, detective work


andy

Dec 20, 2012, 1:30:48 PM12/20/12
to hive76-d...@googlegroups.com
Hi everyone,

For my new job I have to do some detective work. Someone was using a server to do things they shouldn't and I have to bring them to justice. Unfortunately the clues are all technical.

I need to understand the process of how someone might take advantage of a vulnerable system, what signs might indicate that we've been hacked.

Any good resources out there for educating myself?

Safe

A

Jordan Miller

Dec 20, 2012, 1:51:44 PM12/20/12
to hive76-d...@googlegroups.com
jordan

-- 
To post to this group, send email to hive76-d...@googlegroups.com
To unsubscribe send email to hive76-discuss...@googlegroups.com
For more awesome goto http://groups.google.com/group/hive76-discussion?hl=en

Com Sec

Dec 20, 2012, 2:09:40 PM12/20/12
to hive76-d...@googlegroups.com

Usually the first step is taking a snapshot of the system to prevent overwriting critical data. Sleuth Kit is an open source forensics tool that might be able to help you take a first step in analyzing.


99

Dec 20, 2012, 2:28:31 PM12/20/12
to hive76-d...@googlegroups.com, Com Sec
It's hard to give suggestions because the range of vulnerabilities that
can be exploited is so broad. But what Com Sec is saying here is a
really good start. You might also look for a decent rootkit finder.
Sorry if this explanation covers things you already know, but a common
way that systems are exploited is that a legitimate executable on the
system is replaced with one that does what the attacker wants. That's
called a rootkit. One way to find out if there's a bad executable on
your system is to track down the malicious traffic, if there is any, to
a particular port or process. Netstat might help you do that. If you
think a particular executable might be to blame, you could also do a
checksum of the one on the compromised system and compare it to one that
comes fresh from the OS install media or from the software provider.

You can imagine that that quickly gets tedious and error-prone, what
with many versions of the software that might have been released and
were perfectly legit at that time. Rootkit finders come pre-loaded
with signatures for a bunch of common rootkits and might find your
culprit reasonably efficiently.

There are many, many security-oriented sites that might be helpful to
you, and unfortunately I'm behind enough on my reading that I can't
recommend one or two. You can look up exploits and vulnerabilities for
a particular software package, and that may lead you to some sites that
can tell you more. For example, if you think that a webserver or CMS
has been hacked, look up vulnerabilities for that tool and you'll find
sites that are dedicated to web software-based attacks.

A long time ago I took the GCIH course from the SANS Institute. At the
time it was very, very good. I hear that the quality has slid a bit
since I took it, but they are still a big name in security training.
Here's their certification list:
http://www.giac.org/

The canned photos are bad enough that I feel I should justify myself:
To get my certification I had to pass a rigorous test, AND write a
research paper. I learned a lot and did not find it corny at all.

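Added example (not from the thread or any poster): the "checksum the suspect binary and compare it to a clean copy" step above, automated over a whole directory tree against a hash manifest taken from known-good media. Everything here is constructed for the demo: the temporary directory, the two fake binaries and the "tampered" versions are stand-ins, not real system files. On a real box the manifest would be built from the pristine install media or vendor packages, and the check run against the snapshot of the compromised system.

```python
"""Compare on-disk executables against a known-good SHA-256 manifest.

Reports three things a first-pass rootkit hunt cares about:
  modified - file present but hash differs from the baseline
  missing  - file in the baseline but gone from disk
  unknown  - file on disk that the baseline never had
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every regular file under root, keyed by POSIX-style relative path."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def check_against_manifest(root: Path, manifest: dict) -> dict:
    """Diff the current tree under root against a previously built manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(n for n in manifest
                           if n in current and current[n] != manifest[n]),
        "missing": sorted(n for n in manifest if n not in current),
        "unknown": sorted(n for n in current if n not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: build a clean baseline, then alter the tree.

    Stands in for 'manifest from install media' vs 'snapshot of the suspect box'.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\necho clean-ls\n")
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\necho clean-ps\n")
        manifest = build_manifest(root)  # the known-good baseline

        # Constructed changes standing in for a trojaned ls, a removed ps,
        # and an extra dotfile that the baseline never contained.
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\necho not-the-real-ls\n")
        (root / "bin" / "ps").unlink()
        (root / "bin" / ".hidden").write_bytes(b"constructed payload placeholder")
        return check_against_manifest(root, manifest)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

The manifest is keyed by relative path, so the same manifest works whether you hash the live root or a mounted image of it. Hash the snapshot, never the running system you are still investigating, and keep the manifest on media the suspect host cannot write to.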

Jim Fisher

Dec 20, 2012, 2:42:34 PM12/20/12
to hive76-d...@googlegroups.com
Great advice so far.

Good luck.

Sounds like you are about to begin a journey.

Here is a quick preso that may help give a little overview of the
process. It is dated, but the process pretty much remains the same.

http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-willis-c/bh-us-03-willis.pdf
--
jim fisher
Jedijf

irc freenode #ubuntu-us-pa
www.myfisher.org

"Do, or do not. There is no 'try.'"
-- Jedi Master Yoda

andy

Dec 21, 2012, 1:00:07 PM12/21/12
to hive76-d...@googlegroups.com, Com Sec
Wow, thanks a bunch. This is really helpful. I'll keep you posted as I go.

andy

Dec 21, 2012, 1:08:10 PM12/21/12
to hive76-d...@googlegroups.com
Oh damn you are right. I was hoping I could catch the culprit and just punch him a lot. CIS CSI

andrew sooy

Dec 21, 2012, 1:48:35 PM12/21/12
to hive76-d...@googlegroups.com
Netstat /abo > c:\NetstatDump.txt
nbtstat /n > c:\nbtstatDump.txt

PowerShell is very helpful; it brings back the pipe in Windows and makes everything objects.
get-wmiobject win32_process
get-wmiobject win32_service


BackTrack is really good, I think it is on BackTrack 5 R2.
Do you have a baseline of resource monitoring from before and now to help see what jumped in usage?
Do you have an IDS?
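Added example (not from the thread or any poster): the netstat-plus-process-list step from the post above, and the "do you have a baseline" question, turned into a small script. It parses the column layout of Windows `netstat -ano`, joins the PID column to a process list of the kind `get-wmiobject win32_process` returns, and flags any listening socket that is not in the pre-incident baseline of expected ports. The netstat text, the PID-to-name table and the baseline port set are all constructed for the demo, not captured from a real host; the `[name.exe]` lines that `-b` adds are skipped by the parser.

```python
"""Map listening ports to processes and diff them against a baseline."""
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_ip local_port remote state pid")

# Constructed sample output mirroring the Windows `netstat -ano` column layout.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:6200           0.0.0.0:0              LISTENING       3392
  TCP    [::]:135               [::]:0                 LISTENING       812
  TCP    10.0.0.5:49700         203.0.113.7:443        ESTABLISHED     3392
  UDP    0.0.0.0:123            *:*                                    1072
"""

# Constructed PID -> image name table (what the win32_process query gives you).
SAMPLE_PROCESSES = {1204: "httpd.exe", 812: "svchost.exe",
                    1072: "svchost.exe", 3392: "updater.exe"}

# Constructed baseline: (proto, port) pairs this host is supposed to expose.
BASELINE_PORTS = {("TCP", 80), ("TCP", 135), ("UDP", 123)}


def parse_netstat(text: str) -> list:
    """Turn netstat -ano text into Conn records; header and -b name lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts   # UDP rows carry no State column
            state = ""
        else:
            continue
        ip, port = local.rsplit(":", 1)          # also handles [::]:135
        conns.append(Conn(proto, ip, int(port), remote, state, int(pid)))
    return conns


def unexpected_listeners(conns: list, processes: dict, baseline: set) -> list:
    """Listening sockets absent from the baseline, annotated with the owning process."""
    findings = []
    for c in conns:
        listening = c.state == "LISTENING" or c.proto == "UDP"
        if listening and (c.proto, c.local_port) not in baseline:
            findings.append((c.proto, c.local_port, c.pid,
                             processes.get(c.pid, "<unknown pid>")))
    return findings


def connections_for_pid(conns: list, pid: int) -> list:
    """Established connections owned by one PID: where is that process talking to?"""
    return [c for c in conns if c.pid == pid and c.state == "ESTABLISHED"]


def demo() -> list:
    conns = parse_netstat(SAMPLE_NETSTAT)
    findings = unexpected_listeners(conns, SAMPLE_PROCESSES, BASELINE_PORTS)
    for proto, port, pid, name in findings:
        print(f"unexpected listener {proto}/{port} pid={pid} ({name})")
        for c in connections_for_pid(conns, pid):
            print(f"   same pid also connected to {c.remote}")
    return findings


if __name__ == "__main__":
    demo()
```

Feed it the dump files the post suggests (`NetstatDump.txt` plus a PID/name export from the WMI query) and a baseline saved before the incident; without that baseline you are left judging every port by eye, which is the point the poster's question is driving at.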