You have determined that your network has been breached. There are two standard approaches on what to do next:

• Close the holes as fast as possible and put in safeguards to protect against future attacks.
• Identify the perpetrator and prepare for prosecution.

Most organisations decide to close the holes as quickly as possible because the probability of actually catching an intruder is low. But if you can identify the hacker and opt to prosecute, you must gather as much information about the attack as possible. Data such as the hacker's location, the domain and IP address from which the hacking took place, the name of the hacker, and what specific damage the hacker inflicted are all necessary for prosecution. One method of gaining this information is by using tried-and-tested Unix networking tools usually employed in incident-response forensics. Unix forensic tools
In forensic analysis, you cannot use any tools that are currently installed on the hacked system, because those tools could have been replaced with Trojan programs. For example, the ps program that displays the process table could have been replaced with a Trojan ps program that displays everything except the process of a running hacker daemon. Whatever tools you decide to use for analysing evidence should all be freshly installed. Key items you'll want to look at and retain for analysis are:

• A list of open ports and services
• Aberrant packet behavior
• Accurate dates, timestamps, and images of evidence
• Suspicious IP addresses
• Geographic locations of suspect IP addresses

Various software tools and Unix commands can help you gather this information. Here are some of the tools that come bundled with most Unix operating systems or that are freely available on the Internet and are worth familiarizing yourself with:

• netstat prints a listing of network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.
• tcpdump prints out the headers of packets on a network interface that match a Boolean expression.
• dig sends domain name query packets to name servers.
• traceroute prints the route that packets take to network hosts.
• find searches for files in a directory hierarchy.
• dd converts and copies a file.
• grep, egrep, and awk are used to process text.

Use netstat to determine open ports and services
Netstat is the tool to use to determine what ports and services are currently open. When you execute the command netstat -an, you'll see a listing of all the connections, along with their listening ports and the network addresses associated with these ports. The output will look something like this: TCP 128.88.41.2:1025 140.216.41.2:80 CLOSE_WAIT
TCP 128.88.41.2:2180 140.216.41.2:80 CLOSE_WAIT
TCP 128.88.41.2:1188 140.216.41.2:80 CLOSE_WAIT Look for patterns such as similar source ports used to connect to different sockets. (A socket is an IP address and port together, such as 206.208.163.15:80.) In the above example, three connections (now closed) were used to connect to the Web server port, all from different source ports. If you discover a server on a particular port that is not normally in use, it's possible that a hacker with root level access installed it for malicious purposes.