NETWORK DEFENSE
An experiment in forensics reveals an attacker's techniques.
Around midnight on November 7, 2000, a hacker broke into a Linux server. In and of itself, this event was nothing special; systems get hacked all the time. What made this attack different were the forensic dissections that followed.
The Linux system in question was established by the Honeynet Project (http://project.honeynet.org), a coalition of security professionals interested in learning and sharing what they know about scanning and attacks. To this end, an Intrusion Detection System (IDS) was set up to collect network traces of scans, attacks, and monthly challenges, along the lines of "identify the scanning tool" or "name that hack." When a Linux system was attacked and thoroughly subverted only two and a half days after it was installed, the system itself became the Honeynet's Forensic Challenge.
Surprisingly, what the attacker did after the initial exploit is even more interesting than the attack itself. In this article, I'll go through my own process of analysis regarding the hacked Linux system, the tools used, and what the attacker's actions imply, with the added insights of Dave Dittrich, senior security engineer at the University of Washington.
AFTERMATH OF DISASTER
When a hacker attacks a system, the system administrator or security consultant usually attempts to determine how the attack occurred, then patches the system. In many cases, no one tries to determine why the attack succeeded; the system is simply reinstalled. If the method of attack goes unidentified, the newly installed system will likely be hacked again, and soon.
The Honeynet Project's Linux system was destined to suffer a very different fate. Shortly after the attack, the system was taken down quickly, preserving the hard disk exactly in its immediate post-attack state. Each disk partition was copied byte for byte (using the Unix dd command) to files; the files were then posted on the Internet. Altogether, the compressed image copies of these disk partitions comprised 1.5Gbytes of data (3Gbytes when uncompressed).
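Imaging a partition byte for byte with dd, as the paragraph describes, and checking the copy against the original before it is shared or analysed: an added shell example that is not from the article or the Honeynet Project, assuming GNU coreutils (dd, sha256sum) and a small constructed file standing in for a real partition.

```shell
#!/bin/sh
# Added example, not from the article. Forensic copy of a partition with dd,
# followed by a hash comparison so the image can be trusted (and the hashes
# recorded) before it is distributed or examined.

# image_partition SRC DEST
# bs=512 matches the sector size, so a whole partition is copied without
# padding. conv=noerror keeps reading past bad sectors on a failing disk;
# conv=sync pads any short read with zeros so offsets in the image still
# line up with the source (only a final partial block would change the hash).
image_partition() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# verify_image SRC IMG
# Prints both SHA-256 digests; returns 0 only when they are identical.
verify_image() {
    src_hash=$(sha256sum "$1" | cut -d' ' -f1)
    img_hash=$(sha256sum "$2" | cut -d' ' -f1)
    echo "source $src_hash"
    echo "image  $img_hash"
    [ "$src_hash" = "$img_hash" ]
}

# make_sample_partition FILE
# Constructed stand-in for a partition: eight 512-byte sectors of random data.
make_sample_partition() {
    dd if=/dev/urandom of="$1" bs=512 count=8 2>/dev/null
}

# demo: image the sample, verify it, then show that a single altered byte
# in the copy is caught. Returns 0 when both checks behave as expected.
demo() {
    tmp=$(mktemp -d)
    make_sample_partition "$tmp/hda1"
    image_partition "$tmp/hda1" "$tmp/hda1.img"
    rc=1
    if verify_image "$tmp/hda1" "$tmp/hda1.img"; then
        # tamper with one byte of the image (conv=notrunc keeps the size)
        printf 'X' | dd of="$tmp/hda1.img" bs=1 seek=100 conv=notrunc 2>/dev/null
        if verify_image "$tmp/hda1" "$tmp/hda1.img"; then rc=1; else rc=0; fi
    fi
    rm -rf "$tmp"
    return $rc
}
```

In practice the source hash is taken from the device itself (for example /dev/hda1) with the system offline, and both digests are written into the case notes alongside the image.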
Not long ago, the idea of downloading a complete set of partition images and manipulating them locally would have been impossible. But disks are now cheap, and building a system that is configured like the victim, a RedHat 6.2 default server install, is easy to do. Extracting...