[SATLUG] Possible attack

rabie at rabie.net rabie at rabie.net
Thu Jan 24 11:41:06 CST 2013


First of all disconnect yourself from the Internet, make an image of 
your
partition.

then start your forensics on the image, mount it as read only (it will 
prevent you from executing any kind of altered commands )and use some 
tools to do so like CERT-Forensics-Tools, Sleuthkit and Autopsy.

Look at your logs in /var/log  /var/log/syslog, /var/log/messages, 
/var/log/auth, dmesg, /etc/passwd /etc/shadow

they might have wiped those logs but you could use autopsy to retrieve 
deleted files..



Rabie



On 2013-01-24 10:32, Don Davis wrote:

> Well, I don't know about experienced but the first place I'd look 
> would
> be - /var/log/auth.log
>
> To check login attempts, logins, whatnot.
>
> Do you have an ssh server enabled? Which port? Is root enabled?
>
> Did you possibly push a button by accident or hit keyboard short cuts 
> -
> some alts or ctrls?
>
> Were you on a home network? behind a firewall? wireless - wep? wpa?
>
> Go ahead and boot with a live disk and then mount your drive readonly
> and start doing some ls -art to see what the last files accessed 
> were.
>
> On 01/24/2013 11:06 AM, hc at lookcee.comwrote:
>
>> hey gang I think I may have gotten hacked at yesterday. I was in 
>> chat
>> session with my niece in FL & suddenly my screen had file mgr 
>> windows
>> opening closing I saw they all were partition Labels on the USB-BU
>> drive and I looked at the drive. The bright blue light was lit full
>> blast so i hit off sw total elapsed time was bout 5sec. led was 
>> bright
>> blue maybe sec & half. I have not turned dr back on yet. Mint-13 
>> Mate
>> 12.06 1. I want to look at the logs to see if what happened was
>> recorded. I have 25logs that I know of. 2. I know it wasn't me that
>> opened that HD. sdb1, sdb3 & sdb5 were all three accessed. 3. Time 
>> was
>> 12:55:16 at end minus few secs. The time slot of 12:54:00 to 
>> 12:55:15.
>> So what log(s) show disk read/write? What do I look for/under.
>> Suggestions of what you experienced ones would do. I confess in my 
>> 6yrs
>> with the bird I have always wondered about using the logs. I would 
>> like
>> to know what I can learn in this instance. I am not sure I was even
>> hacked but I would like to know. Thanks herb


More information about the SATLUG mailing list