Firewall hacked... :(

Jeff Silverman jeffs at kant.ee.washington.edu
Mon Aug 6 14:16:33 PDT 2001


"M. Scholz" wrote:
> 
> Hello all,
> 
> My firewall has been hacked, and since I have the luxury of another
> machine at my disposal, I am removing it from the network, and want to
> have some fun with the forensics...
> 
> since I haven't had to do forensics yet, and I can't find the lug
> web-page, because I don't know where it is, I'd like some advice/help...
> 
> any takers?
> 
> -Matthew Scholz
>                         Where does Thinking end,
>                             and Feeling ...

BEFORE YOU DO ANYTHING ELSE, MAKE A BIT-FOR-BIT COPY OF THE ORIGINAL
DISK WITH THE dd(1) COMMAND.  For example, put the compromised disk in
another machine (assuming it is an IDE slave on the secondary bus, it
would be /dev/hdd)

# read the whole device, partition table and all, into an image file;
# SOME_FILE_NAME must live on a different disk with room for the entire
# device, and nothing should ever write to /dev/hdd itself
dd if=/dev/hdd of=SOME_FILE_NAME

Then you can restore it at some point in the future with the command

# the same copy in the other direction: image file back onto the disk
dd if=SOME_FILE_NAME of=/dev/hdd


If you have Linux installed with loopback filesystem support you can inspect
the image with the command

# ro: nothing is written to the evidence; noexec,nosuid,nodev: binaries
# and device nodes left by the intruder cannot run or be used.
# For an image of a whole disk the filesystem does not start at byte 0;
# add offset=<first sector of the partition * 512> to the option list.
mount -o loop,noexec,nosuid,nodev,ro SOME_FILE_NAME MOUNT_POINT

It is best not to try to change the original disk because 1) it might be
needed as evidence and 2) you might miss something.  If you don't
destroy the original, then you can always revert.


Finally, it is best to keep in touch with security (security at cac) so
that they can advise you.


Good luck and good hunting.


Jeff

-- 
Jeff Silverman, sysadmin for the Research Computing Systems (RCS)
University of Washington, School of Engineering, Electrical Engineering
Dept.
Box 352500, Seattle, WA, 98125-2500 FAX: (206) 221-5264 Phone (206)
543-9378  
jeffs at rcs.ee.washington.edu     http://rcs.ee.washington.edu/~jeffs
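The imaging procedure in the message above, carried through as a small script with the integrity check a practitioner would want before touching the image. This is an added example, not part of Jeff's post: it assumes Linux with GNU coreutils (dd, sha256sum) and util-linux mount, and every path it takes is a placeholder argument. The hash written beside the image is what lets you show later that the copy you analyzed is the copy you took.

```shell
#!/bin/sh
# Added example (not from the original post): image a suspect disk with dd,
# record a SHA-256 of the image so it can be shown unchanged later, and
# mount the image read-only through the loop device. Assumes Linux with
# GNU coreutils and util-linux. DEVICE, IMAGE and MOUNT_POINT are placeholders.

set -u

# image_disk DEVICE IMAGE
# Copies DEVICE to IMAGE sector by sector. conv=noerror keeps going past
# unreadable sectors; conv=sync pads each short read to bs, so every later
# sector keeps its original offset. bs=512 (the sector size) means a bad
# block costs one sector of zeros rather than a whole large block of them.
image_disk() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# hash_file FILE -> prints the SHA-256 of FILE
hash_file() {
    sha256sum "$1" | cut -d' ' -f1
}

# image_and_verify DEVICE IMAGE
# Images DEVICE to IMAGE, then re-reads both and compares their hashes.
# Writes IMAGE.sha256 so the image can be re-checked before any analysis.
# Returns 0 when the hashes match, 1 otherwise.
image_and_verify() {
    device="$1"; image="$2"
    image_disk "$device" "$image" || return 1
    src=$(hash_file "$device")
    dst=$(hash_file "$image")
    [ "$src" = "$dst" ] || return 1
    printf '%s  %s\n' "$dst" "$image" > "$image.sha256"
    return 0
}

# verify_image IMAGE -> 0 if IMAGE still matches the hash stored beside it
verify_image() {
    [ "$(hash_file "$1")" = "$(cut -d' ' -f1 "$1.sha256")" ]
}

# mount_image_ro IMAGE MOUNT_POINT [PARTITION_START_SECTOR]
# Mounts a filesystem inside IMAGE read-only. ro: nothing is written to the
# evidence; noexec,nosuid,nodev: binaries and device nodes the intruder left
# behind are inert. For a whole-disk image pass the partition's first sector
# (see `fdisk -l IMAGE`) so the loop device starts at the filesystem, not at
# the partition table. Needs root; not exercised by the self-test.
mount_image_ro() {
    opts="loop,ro,noexec,nosuid,nodev"
    if [ -n "${3:-}" ]; then
        opts="$opts,offset=$(( $3 * 512 ))"
    fi
    mount -o "$opts" "$1" "$2"
}

# usage: sh image.sh /dev/hdd /evidence/hdd.img
if [ "$#" -eq 2 ]; then
    image_and_verify "$1" "$2" && echo "image verified: $(cat "$2.sha256")"
fi
```

Run it as root with the suspect disk attached to the analysis box, never on the compromised machine itself, and keep IMAGE.sha256 with your notes; re-running verify_image before each session is cheap and answers the first question anyone will ask about the evidence.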

