
03/17/2007 Entry: "Excellent tale of a cracked machine"

Anatomy of a Break In - "didn't really know much about the computer in question. I logged on. who and w showed no one logged on but me. I checked last--nothing. Having dissected several cracked boxes before, I knew better than to really trust anything it told me. System tools are often replaced with versions that lie. I hate it when "my" computer lies to me. But I also know that crackers seldom replace all the tools, and when they disagree it's a clue. So I keep checking and rechecking. I try netstat. It shows a couple of recent connections, including an IRC port. My department doesn't run any IRC servers. Bingo."

I've been there, though I admit that at the time I didn't follow all the steps this guy did. When the server under my control was hacked, it was blatant and obvious, with a bizarre overflow string in the logs and some very funny behaviour of the machine. I needed that machine up and running, and didn't have the luxury of downtime to investigate, so it was wiped and reinstalled immediately.
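As an added example (not part of this post or the quoted article), here is the cross-checking the excerpt describes done mechanically: decode the kernel's own /proc/net/tcp and diff it against what netstat reports. Both inputs are constructed samples; the netstat output is a hypothetical tampered one that hides an IRC connection, and a socket present in one view but not the other is the "disagreement" worth chasing.

```python
# Added example: compare the kernel's socket table with a tool's output.
# A trojaned netstat may omit an intruder's sockets; /proc/net/tcp is
# a second, independent view, and the two should agree.
import socket
import struct

# Constructed sample of /proc/net/tcp. Addresses are hex, IPv4 in
# little-endian byte order; state 0A = LISTEN, 01 = ESTABLISHED.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:A3B4 2F6DBB0A:1A0B 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 20 4 30 10 -1
"""

# Constructed output of a hypothetical tampered netstat: only sshd is shown,
# the established connection to port 6667 (IRC) has been filtered out.
SAMPLE_NETSTAT = """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""

def _decode(addr_port):
    """Turn '0100007F:1A0B' into ('127.0.0.1', 6667)."""
    ip_hex, port_hex = addr_port.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Return a set of (local, remote) 'ip:port' pairs from /proc/net/tcp."""
    socks = set()
    for line in text.splitlines()[1:]:        # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        local, remote = _decode(fields[1]), _decode(fields[2])
        socks.add(("%s:%d" % local, "%s:%d" % remote))
    return socks

def parse_netstat(text):
    """Return the same (local, remote) pairs from 'netstat -an' style lines."""
    socks = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[0].startswith("tcp"):
            remote = "0.0.0.0:0" if fields[4].endswith(":*") else fields[4]
            socks.add((fields[3], remote))
    return socks

def hidden_sockets(proc_text, netstat_text):
    """Sockets the kernel knows about that the tool did not report."""
    return parse_proc_net_tcp(proc_text) - parse_netstat(netstat_text)

if __name__ == "__main__":
    for local, remote in sorted(hidden_sockets(SAMPLE_PROC_NET_TCP, SAMPLE_NETSTAT)):
        print("netstat omitted:", local, "->", remote)
```

On a live box the two inputs would be the real /proc/net/tcp and the real netstat output; an empty result means the two views agree, not that the machine is clean.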

Powered By Greymatter