[Dshield] Proof of hacker. What do I do?

Thompson, John J ThompsonJJ at mail.medicine.uiowa.edu
Mon Aug 26 20:11:13 GMT 2002

1st a few decisions need to be made. Do you want to pursue and catch the
intruder or do you want to block them. Do you pull the net plug (safest) or
keep the machine running? 

If you want to catch the intruder, then you need to install a sniffer to
dump all traffic from the intruder into a dump file that you make sure they
don't get to. 

Then backtrace the connection. Try to go back as many hops as possible and
then contact the ISPs and ask for their help. The purpose here is trying to
id the intruder via the assistance of the ISP. 

After you think you have sufficient evidence, then you will need to take the
machine down long enough to do a byte for byte backup of the hard drive to
use for forensic analysis and you will also need to plug the hole or
re-install the system and restore data from clean backups. 

This response was very brief and lacked the details that you need to know.
Much more detail and good info available in SANS reading room under incident
response. www.sans.org.  A good consulting firm would be www.emagined.com 

Good luck.

-----Original Message-----
From: Linda [mailto:godawgs47 at ellijay.com] 
Sent: Monday, August 26, 2002 10:00 AM
To: list at dshield.org
Subject: [Dshield] Proof of hacker. What do I do?

TCP d2f2t6:nbsession d2f2t6:0 LISTENING
 TCP d2f2t6:2068 d2f2t6:0 LISTENING
TCP d2f2t6:2070 d2f2t6:0 LISTENING
TCP d2f2t6:2073 d2f2t6:0 LISTENING
TCP d2f2t6:2074 d2f2t6:0 LISTENING
TCP d2f2t6:2068 unknown.level3.net:80 ESTABLISHED
TCP d2f2t6:2070 unknown.level3.net:80 ESTABLISHED
TCP d2f2t6:2073 unknown.level3.net:80 ESTABLISHED
TCP d2f2t6:2074 unknown.level3.net:80 ESTABLISHED
UDP d2f2t6:nbname *:*
UDP d2f2t6:nbdatagram *:*
UDP d2f2t6:1978 *:*
What I did was install TCPVIEW. THen I went into netstat. What I think is
being stopped at my firewall is not being stopped. They are into dos.
Here is my event log that corresponds with this.
2002/08/24 20:50:05 (unknown.Level3.net)
Port 1074 (TCP)
2002/08/24 20:35:48 (unknown.Level3.net)
Port 1075 (TCP)

I didn't get it all copies over because there are 8 entries on the firewall
in a row.

There are also large files showing up that I don't know what they are.


Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:

More information about the list mailing list