- Close the holes as fast as possible and put in safeguards to protect against future attacks.
- Identify the perpetrator and prepare for prosecution.
In forensic analysis, you cannot use any tools that are currently installed on the hacked system, because those tools could have been replaced with Trojan programs. For example, the ps program that displays the process table could have been replaced with a Trojan ps program that displays everything except the process of a running hacker daemon. Whatever tools you decide to use for analysing evidence should all be freshly installed. Key items you'll want to look at and retain for analysis are:
- A list of open ports and services
- Aberrant packet behavior
- Accurate dates, timestamps, and images of evidence
- Suspicious IP addresses
- Geographic locations of suspect IP addresses
- netstat prints a listing of network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.
- tcpdump prints out the headers of packets on a network interface that match a Boolean expression.
- dig sends domain name query packets to name servers.
- traceroute prints the route that packets take to network hosts.
- find searches for files in a directory hierarchy.
- dd converts and copies a file.
- grep, egrep, and awk are used to process text.
Netstat is the tool to use to determine what ports and services are currently open. When you execute the command netstat -an, you'll see a listing of all the connections, along with their listening ports and the network addresses associated with these ports. The output will look something like this: TCP 128.88.41.2:1025 140.216.41.2:80 CLOSE_WAIT
TCP 128.88.41.2:2180 140.216.41.2:80 CLOSE_WAIT
TCP 128.88.41.2:1188 140.216.41.2:80 CLOSE_WAIT Look for patterns such as similar source ports used to connect to different sockets. (A socket is an IP address and port together, such as 206.208.163.15:80.) In the above example, three connections (now closed) were used to connect to the Web server port, all from different source ports. If you discover a server on a particular port that is not normally in use, it's possible that a hacker with root level access installed it for malicious purposes.
