ANALYSIS

You run traceroute by listing the hostname -- preferably the fully qualified domain name -- after the command, like this:

traceroute company.com

The output will list the name and IP address of the destination and all the hops along the way, similar to the output shown in Listing B. The output is in the form hostname | IP address | probe1 | probe2 | probe3. Each probe is a timed attempt to get the proper response and returns the time it took to get that response.
The traceroute tool is most useful if you execute it while suspicious activity is in progress or shortly thereafter. The goal is to find the route through which the traffic between your compromised host and the suspect host traveled. The route determined from your traceroute could be different from the route an intruder used, depending on Internet traffic conditions, but usually it will be accurate. If you can determine the ISP of the suspected host, the ISP, with proper encouragement from law enforcement, can help identify the owner.

Note, however, that if there are routers or firewalls along the route that drop the probe packets when their time to live (TTL) expires, or that filter the ICMP message types traceroute depends on, traceroute will not be able to report any findings from those nodes.
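To make the hop table concrete, here is an added shell example (my own, not the article's Listing B) that reformats traceroute output into the hostname | IP address | probe1 | probe2 | probe3 form and counts the hops that answered none of their probes, which is how a router or firewall that drops the probes or the ICMP replies shows up (traceroute prints an asterisk for each unanswered probe). The traceroute output embedded in the script is constructed from documentation address ranges, not captured from a real trace; the function names are mine.

```shell
#!/bin/sh
# Added example: tabulate traceroute output and flag hops that never answered.
# SAMPLE_TRACE is constructed (RFC 5737 documentation addresses), not a real trace.

SAMPLE_TRACE=$(cat <<'EOF'
traceroute to company.com (192.0.2.10), 30 hops max, 60 byte packets
 1  gw.example.net (198.51.100.1)  0.412 ms  0.398 ms  0.377 ms
 2  * * *
 3  edge.example.net (203.0.113.5)  12.104 ms  * 12.330 ms
 4  company.com (192.0.2.10)  25.301 ms  25.112 ms  25.440 ms
EOF
)

# traceroute_table: read traceroute output on stdin, emit one line per hop as
#   hop|hostname|IP address|probe1|probe2|probe3
# A hop that answered no probe is shown as "(no reply)" with "-" for its address.
traceroute_table() {
    awk '$1 ~ /^[0-9]+$/ {
        host = ""; ip = "-"; probes = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "*")               probes = probes "|*"       # unanswered probe
            else if ($i ~ /^\(.*\)$/)    { ip = $i; gsub(/[()]/, "", ip) }
            else if ($(i + 1) == "ms")   { probes = probes "|" $i " ms"; i++ }
            else if (host == "")         host = $i
        }
        if (host == "") host = "(no reply)"
        printf "%s|%s|%s%s\n", $1, host, ip, probes
    }'
}

# silent_hops: number of hops that answered none of their probes, i.e. nodes
# behind a filter that drops the probes or the ICMP replies traceroute needs.
silent_hops() {
    traceroute_table | awk -F'|' '$2 == "(no reply)" { n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_TRACE" | traceroute_table
echo "hops that never answered: $(printf '%s\n' "$SAMPLE_TRACE" | silent_hops)"
# On a live investigation: traceroute suspect.example | traceroute_table
```

A hop that answers some probes but not all (hop 3 above) is ordinary packet loss; only a hop with no answer at all is the filtering case the article warns about, and the timing columns for the hops after it are still valid.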
Find is a forensics workhorse

There are many ways in which you can use find in incident-response forensics. For example, if you suspect that an intruder broke in by exploiting SUID or SGID files, you can use find to locate all these files (as shown in Listing C) by searching for any file that has the SUID (2000) or SGID (4000) permission bit set.

An even better use is to find all these files in advance and dump the output into a log file. You can then check this list by running new find commands from time to time and using the diff command to compare the two log files. By doing this, you'll see whether anyone, possibly an intruder, installed new SUID or SGID files. You would use diff to examine two log files by issuing this command:

diff suid_gid_logfile1 suid_gid_logfile2

Typically, the SUID and SGID file list shouldn't change. If you see additions, examine any new files from the SUID and SGID list and determine whether they should be there. You can also use find to look for world-writable files, because these files are also often exploited. To look for all the world-writable files, run find as shown in Listing D.

This list shouldn't change much after your system is in production, so I recommend saving this log file and using diff to determine whether any changes occur. Running diff on the log file outputs (e.g., diff worldwrite_logfile1 worldwrite_logfile2) will tell you if new world-writable files have appeared after the system has gone into production.

You can also build these commands into shell scripts and set up cron to run them on a nightly basis to determine whether new SUID, SGID, or world-writable files have mysteriously appeared.
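As an added example (my own script, not the article's Listings C and D), here is the baseline-and-diff routine from the paragraphs above assembled into something cron can run. find's -perm test takes the octal bits directly: 4000 is the SUID bit and 2000 the SGID bit. The lists are sorted so that diff, or comm as used here, reports only genuine changes, and the demonstration at the bottom runs against a throwaway directory rather than the root filesystem. The function names and log paths are placeholders I chose.

```shell
#!/bin/sh
# Added example: nightly SUID/SGID and world-writable baseline check.
# Not the article's Listings C/D. All paths below are placeholders.

# suid_sgid_list DIR: regular files under DIR (one filesystem) carrying the
# SUID (octal 4000) or SGID (octal 2000) bit, sorted so the lists diff cleanly.
suid_sgid_list() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# world_writable_list DIR: world-writable files, plus world-writable
# directories without the sticky bit (a sticky /tmp-style directory is normal).
world_writable_list() {
    find "$1" -xdev \( -type f -o \( -type d ! -perm -1000 \) \) -perm -0002 -print 2>/dev/null | sort
}

# new_entries BASELINE CURRENT: paths in CURRENT that the sorted BASELINE lacks.
# This is the half of "diff logfile1 logfile2" an investigator cares about.
new_entries() {
    comm -13 "$1" "$2"
}

# audit DIR LOGDIR: list today's files, print anything not in the saved
# baseline, then roll the baseline forward. LOGDIR should be somewhere the
# intruder cannot write, ideally copied off the host.
audit() {
    dir=$1; logdir=$2
    mkdir -p "$logdir"
    suid_sgid_list "$dir"      > "$logdir/suid_sgid.new"
    world_writable_list "$dir" > "$logdir/worldwrite.new"
    for kind in suid_sgid worldwrite; do
        [ -f "$logdir/$kind.base" ] || : > "$logdir/$kind.base"   # first run: everything is new
        new_entries "$logdir/$kind.base" "$logdir/$kind.new" | sed "s/^/NEW $kind: /"
        mv "$logdir/$kind.new" "$logdir/$kind.base"
    done
}

# Stand-alone demonstration on a throwaway tree instead of /.
demo=$(mktemp -d); logs=$(mktemp -d)
: > "$demo/passwd_helper"; chmod 4755 "$demo/passwd_helper"   # stand-in for a legitimate SUID binary
: > "$demo/scratch.txt";   chmod 0666 "$demo/scratch.txt"     # world-writable file
audit "$demo" "$logs"                # first run: prints the initial inventory
: > "$demo/.unexpected";   chmod 4755 "$demo/.unexpected"     # a SUID file that appeared later
audit "$demo" "$logs"                # second run: prints only "NEW suid_sgid: .../.unexpected"
rm -rf "$demo" "$logs"
# Cron entry for the real thing (placeholder paths):
#   15 2 * * * /usr/local/sbin/privaudit.sh / /var/log/privaudit
```

Keep the first inventory the script prints; it is the "find all these files in advance" log the article recommends, and every later run reports only what was added since.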
Use dd to preserve the evidence

The dd utility, a Unix command for dumping data, has been a part of almost every Unix-based operating system for as long as I can remember. Use the dd utility when you want to preserve evidence and create a forensic disk image without changing timestamps or anything else. First, figure out where you're going to dump the image; a writable CD or another disk are the most likely places.

Various syntaxes for dd exist, but a typical command-line version of it looks like the example in Listing E.

The command in Listing E tells your system to copy the crime-scene partition /dev/hd1 to a disk image called evidence.img. In the command, the bs switch specifies the block size of the data being transferred, and count tells the system how many blocks to transfer. If you're transferring the evidence image to a CD (CDs can hold 660 MB), set the count to something less than 660 to be sure that you don't run past the CD's capacity. You can then take the image and burn it on the CD. CDs might be preferable over hard drives, since they're easier to send in the mail and not susceptible to magnetic interference.

If you have a 6-GB drive, you'll need to run through a series of dd commands that chops the evidence into images that will fit on a set of CDs. If you're counting by 600-MB blocks, tell dd to skip the 600 blocks you already copied and copy the next bunch of 600 blocks. To do that, use the skip switch and increment it by 600 each time, as shown in Listing F.
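The chunked copy described above, as an added example that is not the article's Listing E or F: a small script that drives dd with bs, count and skip in a loop until it runs off the end of the source, then proves the pieces reassemble to the original with cmp and records a cksum for the evidence log. It images a generated file instead of the /dev/hd1 partition so it can be run anywhere; the CD-sized invocation against the real partition is shown only as a comment, and the function names are mine.

```shell
#!/bin/sh
# Added example: chunked evidence imaging with dd. Not the article's Listing E/F.
# A generated file stands in for the crime-scene partition (/dev/hd1 in the
# article) and the chunks are tiny, so the script runs in seconds anywhere.

# split_image SRC PREFIX BS COUNT
# Writes SRC to PREFIX.000, PREFIX.001, ... each COUNT blocks of BS bytes.
# The skip offset advances by COUNT blocks per chunk, exactly as the article
# describes for CD-sized pieces. Prints the number of chunks written.
split_image() {
    src=$1; prefix=$2; bs=$3; count=$4
    n=0
    while :; do
        chunk=$(printf '%s.%03d' "$prefix" "$n")
        dd if="$src" of="$chunk" bs="$bs" count="$count" skip=$((n * count)) 2>/dev/null
        if [ "$(wc -c < "$chunk" | tr -d ' ')" -eq 0 ]; then
            rm -f "$chunk"          # past the end of the source: nothing left to copy
            break
        fi
        n=$((n + 1))
    done
    echo "$n"
}

# evidence_checksum FILE: POSIX cksum of FILE's contents, for the case notes.
evidence_checksum() {
    cksum < "$1" | cut -d' ' -f1
}

# verify_image SRC PREFIX: succeed only if the chunks, concatenated in order,
# are byte-for-byte identical to SRC.
verify_image() {
    cat "$2".[0-9][0-9][0-9] | cmp -s - "$1"
}

# Stand-alone demonstration on constructed data (5000 bytes of numbered lines).
work=$(mktemp -d)
awk 'BEGIN { for (i = 0; i < 500; i++) printf "block%04d\n", i }' > "$work/partition.bin"
chunks=$(split_image "$work/partition.bin" "$work/evidence.img" 512 2)
echo "wrote $chunks chunks; source cksum $(evidence_checksum "$work/partition.bin")"
verify_image "$work/partition.bin" "$work/evidence.img" && echo "chunks reassemble to the original"
rm -rf "$work"
# Real run (not executed here): 600-MB pieces of the partition the article names,
# written to a separate drive, never back onto the compromised disk.
#   split_image /dev/hd1 /mnt/burn/hd1.img 1024k 600
```

Record the checksum of the source and of each chunk before the CDs leave your hands; it is what lets whoever receives them show that the evidence was not altered in transit.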
Grep, egrep and awk find 0 UID and GID accounts other than root

You'll want to look for root accounts that might not look like root accounts. Often, intruders set up new accounts with root access that aren't associated with the root name. To find these accounts, use the command shown in Listing G.

From the output of the command in Listing G, look for nonroot accounts that have 0 UID privileges. These accounts will give you clues about where some of the damage might have been inflicted. Once you locate these 0 UID and 0 GID accounts, you can poke around in their directories for hacker root kits and other malicious tools.
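As an added example (not the article's Listing G), the check above written two ways over a constructed passwd file: an anchored egrep pattern that matches only when the UID field is exactly 0, and an awk comparison that also catches accounts whose GID is 0 and prints the home directory the article suggests searching next. The passwd lines are invented for the demonstration, and the function names are mine.

```shell
#!/bin/sh
# Added example: find accounts that carry root's UID or GID under another
# name. Not the article's Listing G. SAMPLE_PASSWD is constructed, not
# copied from a real system.

SAMPLE_PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sysadm:x:1001:0:maintenance:/home/sysadm:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
EOF
)

# uid0_egrep: the grep/egrep way. Anchoring at the start of the line means the
# pattern matches only when the third field (UID) is exactly 0; an unanchored
# ':0:' would also fire on a GECOS field or home directory containing ":0:".
# Reads passwd-format lines on stdin and prints account names.
uid0_egrep() {
    grep -E '^[^:]+:[^:]*:0:' | grep -v '^root:' | cut -d: -f1
}

# rootlike_accounts: the awk way, comparing the UID and GID fields as numbers
# so group-level root (GID 0) is caught too. Prints name:uid:gid:home, the
# home directory being where the article says to look for tools left behind.
rootlike_accounts() {
    awk -F: '($3 == 0 || $4 == 0) && $1 != "root" { print $1 ":" $3 ":" $4 ":" $6 }'
}

echo "UID 0 accounts other than root (egrep):"
printf '%s\n' "$SAMPLE_PASSWD" | uid0_egrep
echo "UID 0 or GID 0 accounts other than root (awk), name:uid:gid:home:"
printf '%s\n' "$SAMPLE_PASSWD" | rootlike_accounts
# On a live system: rootlike_accounts < /etc/passwd
```

Compare the result against the accounts you know were created on purpose; a second UID 0 login such as toor is legitimate on some BSD systems, so the list is a set of leads to check, not a verdict.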
What next?

Figuring out who cracked your network is only part of the battle. After you have gathered all the information you can find, you must report the activity to the right institution.

When you find you have been cracked and you're able to gather the necessary information, report the criminal. The more of these cracks that are reported, the better the chances that something can be done to stop them.