Lisa,

> Thought someone might be able to shed some light on how the person got
> into the box and also how one might monitor this compromise.

Speculation about intrusion methods is not the same as knowing for sure (or at least to a high degree of certainty). Sure, there are lots of known exploits, but listing them is not the same as implicating the one that was used.

> I have already told him to reinstall.

Hopefully *after* he makes a bit image copy of the hard drive, especially if you intend on prosecution. You can't analyze data that no longer exists.

> Most of the literature on security is on how to protect yourself, how to
> build walls. That's fine, I can do that (ugh), but once they are over the
> wall, how can we find out who they are and where they are located? If I do
> leave a hole in the wall, how can I restrict them and monitor what they try
> to do? I would like to get a name and address so I could turn them in to the
> authorities, but I would settle for any kind of evidence that would be
> worthwhile reporting.
>
> Have any suggestions?

The Honeynet Project Forensic Challenge aimed to do exactly that: to document examples (14, in fact) of how one can analyze a compromised system and answer the questions posed. Knowing how they got in will also help in defense in the future. See:

http://project.honeynet.org/challenge/results/

Also, the first thing I read was "stuck the systems behind a firewall using NAT", followed by an obvious description of remote exploit of a service, which wouldn't be possible with classic NAT firewalls, unless the system was specifically exposed. This is one of the risks of "firewalls" (that you've actually put some box in front that magically protects the systems from all harm). Building a bad firewall is worse than not even trying to build a firewall, since you have a false expectation that you are protected. Better also have them get a book on firewall implementation.
--
Dave Dittrich                  Computing & Communications
dittrichat_private             University Computing Services
http://staff.washington.edu/dittrich      University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
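As an added example (not part of Dave's message or the original thread), a small POSIX shell function that does the "bit image copy" step he recommends before the reinstall and records hashes so the copy can later be shown to match the original. It assumes GNU coreutils (dd, sha256sum) and a hypothetical source device path such as /dev/sdb; a regular file is imaged the same way, which is how the test exercises it.

```shell
#!/bin/sh
# Added example: bit-for-bit image of a drive plus a chain-of-custody log.
# Assumes GNU coreutils. Run it from a clean boot medium, not from the
# compromised OS, and write the image to a different disk than the source.

image_disk() {
    src="$1"        # device or file to image, e.g. /dev/sdb (hypothetical)
    img="$2"        # output image path
    log="$img.log"  # who imaged what, when, and the resulting hashes

    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }

    # Record the context before touching any data.
    {
        echo "source: $src"
        echo "image:  $img"
        echo "start:  $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "by:     $(id -un)@$(uname -n)"
    } > "$log"

    # bs=512 matches the sector size, so conv=noerror,sync keeps going past
    # unreadable sectors and pads only those (never the tail of the image);
    # offsets in the image therefore still line up with the original disk.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log" || return 1

    # Hash both sides: the image is only useful as evidence if they match.
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    printf 'sha256 source: %s\nsha256 image:  %s\n' \
        "$src_hash" "$img_hash" >> "$log"

    if [ "$src_hash" != "$img_hash" ]; then
        echo "hash mismatch: image does not match source" >&2
        return 2
    fi
    echo "end:    $(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$log"
    echo "$img_hash"
}
```

Keep the log next to the image and hash the image again before each later analysis step; a mismatch means the evidence is no longer the original.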
This archive was generated by hypermail 2b30 : Tue May 22 2001 - 17:02:33 PDT