Subject: Re: Compromised Box -
From: J C Lawrence (clawKANGA.NU)
Date: Tue Oct 31 2000 - 22:26:43 CST


On Wed, 1 Nov 2000 11:46:29 +1000
Andrew Blogg <apbloggGPL.COM.AU> wrote:

> If you want to track and see if an attack happens again on this
> port, I would run something else on that port which simply closes
> the connection and states "Your attempt has been logged" and
> actually log the IP address date and time that a connection was
> made from.

More fun would be to:

  a) run snort on a node on the same subnet to track IP traffic.
  b) run IPPL and similar on the compromised node
  c) run a libpcap based tool to log all traffic to and from the
     compromised node

Do this until the node is visited again, and then rebuild the box
from scratch leaving all logging in place. You can then analyse the
results of his visits and subsequent reactions in considerable
detail.

This is often quite educational.

--
J C Lawrence                                 Home: clawkanga.nu
---------(*)                               Other: coderkanga.nu
http://www.kanga.nu/~claw/        Keys etc: finger clawkanga.nu
--=| A man is as sane as he is dangerous to his environment |=--
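The logging step the post describes (capture all traffic to and from the compromised node and keep the source address, date and time of every contact, as Andrew suggested) can be done offline from whatever pcap file tcpdump, snort or another libpcap tool writes. The following is an added example, not code from the post or from any tool named in it: a small pure-Python reader for classic pcap files that emits one log line per packet involving a watched host. The watched address 192.0.2.10, the peer addresses, the timestamps and the capture itself are all constructed inline so the script runs without an interface or root; in practice you would pass it the bytes of a real capture file instead of `build_sample_pcap()`.

```python
"""Offline pcap reader that logs every packet to or from a watched host."""
import socket
import struct
from datetime import datetime, timezone

# Assumption: the compromised node's address (constructed, RFC 5737 range).
WATCHED_HOST = "192.0.2.10"
PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"
PCAP_MAGIC_BE = b"\xa1\xb2\xc3\xd4"
TCP_FLAG_NAMES = [(0x02, "SYN"), (0x10, "ACK"), (0x01, "FIN"), (0x04, "RST"), (0x08, "PSH")]


def _ipv4_tcp_frame(src, dst, sport, dport, flags):
    """Build an Ethernet/IPv4/TCP frame for the sample capture (checksums left 0)."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp_hdr), 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip_hdr + tcp_hdr   # zero MACs, EtherType IPv4


def _pcap_record(ts_sec, ts_usec, frame):
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame


def build_sample_pcap():
    """Constructed capture: a telnet SYN to the watched host, its SYN/ACK, one unrelated packet."""
    header = PCAP_MAGIC_LE + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    t0 = 973043189  # constructed: 2000-11-01T01:46:29Z
    records = [
        _pcap_record(t0, 0, _ipv4_tcp_frame("198.51.100.7", WATCHED_HOST, 40001, 23, 0x02)),
        _pcap_record(t0, 500000, _ipv4_tcp_frame(WATCHED_HOST, "198.51.100.7", 23, 40001, 0x12)),
        _pcap_record(t0 + 1, 0, _ipv4_tcp_frame("192.0.2.20", "192.0.2.30", 5000, 80, 0x02)),
    ]
    return header + b"".join(records)


def iter_pcap_records(data):
    """Yield (ts_sec, ts_usec, frame) for each record of an in-memory classic pcap file."""
    if data[:4] == PCAP_MAGIC_LE:
        end = "<"
    elif data[:4] == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len


def decode_frame(frame):
    """Return (src, dst, proto, sport, dport, tcp_flags) for an IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = 14 + ihl
    if proto in (6, 17) and len(frame) >= l4 + 4:
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
        flags = frame[l4 + 13] if proto == 6 and len(frame) >= l4 + 14 else None
        return src, dst, proto, sport, dport, flags
    return src, dst, proto, None, None, None


def _flag_str(flags):
    names = [name for bit, name in TCP_FLAG_NAMES if flags & bit]
    return "/".join(names) if names else "-"


def log_traffic_for(data, watched_host):
    """One log line (UTC time, direction, protocol, endpoints, flags) per packet touching watched_host."""
    lines = []
    for ts_sec, ts_usec, frame in iter_pcap_records(data):
        decoded = decode_frame(frame)
        if decoded is None:
            continue
        src, dst, proto, sport, dport, flags = decoded
        if watched_host not in (src, dst):
            continue
        when = datetime.fromtimestamp(ts_sec, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
        direction = "IN" if dst == watched_host else "OUT"
        proto_name = {6: "tcp", 17: "udp"}.get(proto, f"ip{proto}")
        endpoints = f"{src}:{sport} -> {dst}:{dport}" if sport is not None else f"{src} -> {dst}"
        flag_txt = f" [{_flag_str(flags)}]" if flags is not None else ""
        lines.append(f"{when}.{ts_usec:06d}Z {direction:<3} {proto_name} {endpoints}{flag_txt}")
    return lines


if __name__ == "__main__":
    for line in log_traffic_for(build_sample_pcap(), WATCHED_HOST):
        print(line)
```

The filter keeps only packets where the watched host is source or destination, so the unrelated third packet is dropped; everything else is recorded with microsecond timestamps in UTC, which is what you want when correlating the capture with the rebuilt box's own logs later. Reading the on-disk pcap rather than sniffing live keeps the analysis host passive and lets the same file be re-parsed as questions come up.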