Tuesday, June 18, 2019
E-crime investigation. Security breach on a Linux Operating System Assignment
Taking these further: the first time stamp, modify or mtime, is updated when the contents of a file are written. For a directory, mtime is updated when an entry inside that directory is created, renamed or deleted. The second time stamp, access or atime, is updated when a file is read or executed; whether it is updated at all depends on the mount options, since noatime suppresses it and relatime (the Linux default) only updates it when the stored atime is older than the mtime or ctime, or more than a day old. The third time stamp, change or ctime, is updated when the inode, the data structure holding the file's metadata (owner, group, access rights, link count, size), is modified. Because writing the contents also updates the inode, ctime moves together with mtime, and it moves on its own for chmod, chown or a new hard link. During a forensic investigation the MAC times give comprehensive clues as long as they have not been disturbed, which is why the evidence image is mounted read-only and with noatime before it is examined; read in order they show how the file system was changed. One caveat a practitioner keeps in mind: atime and mtime can be set to any value from user space with utime(2) (this is what touch -d does), but ctime cannot be backdated without changing the system clock or writing to the raw device, so a ctime on a system binary that is much later than its mtime is itself a signal.

Andy uses the mactime program from The Coroner's Toolkit (TCT) to print the MAC times for a series of files and get an in-depth view of what actually happened and how the attacker compromised the system. mactime builds its timeline from the body file of time stamps that grave-robber, also part of TCT, collects for the files on the system (Nemeth, Snyder et al. 2007). The timeline shows that on September 20, a few days after the initial compromise, the intruder came in over telnet and started manipulating the file system and the server. The entries below show in.telnetd being accessed and, 34 seconds later, the inode of /bin/login changing; a ctime change on a login binary with no package upgrade in sight is consistent with the binary having been replaced:

    Sep 20 00 15:46:05    31376 .a. -rwxr-xr-x root     root     /mount/usr/sbin/in.telnetd
    Sep 20 00 15:46:39    20452 ..c -rwxr-xr-x root     root     /mount/bin/login

About one hour after the system was compromised, a directory named /dev/ttypq/ was created on the file system, and soon afterwards suspicious, unknown files start appearing and being modified.
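To make the time-stamp behaviour described at the start of this post concrete, here is a small Python experiment, added for this edit and not part of the assignment or of TCT. It creates a scratch file and records which of mtime, atime and ctime each operation moves: a utime(2) backdate (the touch -d trick), a chmod, a content write and a read. The name "login" for the scratch file, the 1.1 second settle pause and the past timestamp are my assumptions; the rest is plain POSIX behaviour on Linux.

```python
import os
import stat
import tempfile
import time

# An arbitrary timestamp in the past (2001-09-09 UTC). atime/mtime are pushed back to it
# before each step so that a kernel-driven update is visible even on filesystems that
# keep only whole-second timestamps.
BACKDATE = 1_000_000_000
BACKDATE_NS = BACKDATE * 10**9


def mac_ns(path):
    """Return (mtime, atime, ctime) of path in nanoseconds, in the m/a/c order used above."""
    st = os.stat(path)
    return st.st_mtime_ns, st.st_atime_ns, st.st_ctime_ns


def mac_time_experiment(settle=1.1):
    """Exercise the three time stamps on a scratch file and report what each operation moved.

    settle: pause between operations so that successive ctime values differ even with
    1-second timestamp granularity (assumption: 1.1 s is enough for any Linux filesystem).
    """
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "login")  # stands in for a system binary an intruder replaces
        with open(path, "wb") as f:
            f.write(b"original binary\n")

        # 1. Anti-forensics attempt: set atime and mtime into the past with utime(2),
        #    which is what `touch -d` does. The kernel stamps ctime with the current time.
        os.utime(path, (BACKDATE, BACKDATE))
        m1, a1, c1 = mac_ns(path)
        utime_sets_atime_mtime = (a1 == BACKDATE_NS and m1 == BACKDATE_NS)
        utime_cannot_backdate_ctime = c1 > BACKDATE_NS

        # 2. Metadata-only change: chmod moves ctime and leaves atime/mtime untouched.
        time.sleep(settle)
        os.chmod(path, stat.S_IRWXU)
        m2, a2, c2 = mac_ns(path)
        chmod_touches_only_ctime = (m2 == m1 and a2 == a1 and c2 > c1)

        # 3. Content change: appending moves mtime and ctime but not atime.
        os.utime(path, (BACKDATE, BACKDATE))
        m3, a3, c3 = mac_ns(path)
        time.sleep(settle)
        with open(path, "ab") as f:
            f.write(b"trojan\n")
        m4, a4, c4 = mac_ns(path)
        write_updates_mtime_and_ctime_not_atime = (m4 > m3 and c4 > c3 and a4 == a3)

        # 4. Read: whether atime moves depends on the mount options (noatime suppresses it;
        #    relatime updates it here because atime is older than mtime). Reported, not asserted.
        with open(path, "rb") as f:
            f.read()
        _, a5, _ = mac_ns(path)
        read_updated_atime = a5 > a4

    return {
        "utime_sets_atime_mtime": utime_sets_atime_mtime,
        "utime_cannot_backdate_ctime": utime_cannot_backdate_ctime,
        "chmod_touches_only_ctime": chmod_touches_only_ctime,
        "write_updates_mtime_and_ctime_not_atime": write_updates_mtime_and_ctime_not_atime,
        "read_updated_atime": read_updated_atime,
    }


if __name__ == "__main__":
    for check, result in mac_time_experiment().items():
        print(f"{check:45s} {result}")
```

The first four results hold on any Linux filesystem; the last one is the reason an examiner mounts the image read-only with noatime before looking at it, because otherwise the act of examining it rewrites the very atimes being investigated.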
The most suspicious files were ipv6.o, rpc.status and rc.local, together with initd, which appears beside them in the timeline:

    Sep 20 00 16:49:47      949 ..c -rwxr-xr-x root     root     /mount/etc/rc.d/rc.local
                            209 ..c -rwx------ root     root     /mount/usr/sbin/initd
    Sep 20 00 16:50:11     4096 .a. drwxr-xr-x operator 11       /mount/dev/ttypq/...
    Sep 20 00 16:52:12     7704 .a. -rw-r--r-- root     root     /mount/lib/modules/2.2.16-3/net/ipv6.o
                            209 .a. -rwx------ root     root     /mount/usr/sbin/initd
                         222068 .a. -rwxr-xr-x root     root     /mount/usr/sbin/rpc.status

Andy's investigation focused on the ipv6.o file, a loadable kernel module whose visible strings relate to suspected network sockets (TCP port 32411 and TCP port 3457), to more than one user account name, and to an illegitimate use of the Ethernet interface in promiscuous mode to capture all the traffic visible on the network:

    $ strings ipv6.o
    check_logfilter        kernel_version=2.2.16-3
    my_atoi                32411
    my_find_task           3457
    is_invisible           6667
    is_secret              6664
    iget                   6663
    iput                   6662
    hide_process           6661
    hide_file              irc
    __mark_inode_dirty     6660
    unhide_file            6668
    n_getdents             nobody
    o_getdents             telnet
    n_fork                 operator
    o_fork                 Proxy
    n_clone                proxy
    o_clone                undernet.org
    n_kill                 Undernet.org
    o_kill                 netstat
    n_ioctl                syslogd
    dev_get                klogd
    boot_cpu_data          promiscuous mode
    __verify_write         ...
    o_ioctl                adore.c
    n_write                gcc2_compiled.
    o_write                __module_kernel_version
    n_setuid               we_did_promisc
    cleanup_module         netfilter_table
    o_setuid               check_netfilter
    init_module            strstr
    __this_module          logfilter_table
    sys_call_table

The paired o_/n_ names (o_getdents and n_getdents, o_fork and n_fork, o_kill and n_kill, and so on) together with sys_call_table are the fingerprint of a system-call-hooking kernel module: the o_ symbols hold the original entries of the syscall table and the n_ symbols are the replacements that filter what getdents, kill, ioctl and friends report, which is exactly how hide_process, hide_file and is_invisible work. In the above strings, a string named adore.c
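To show how the timeline above is actually worked, here is a small Python script, added for this edit and not part of the assignment or of TCT. It parses TCT-style mactime output, carries the time stamp of a dated line forward onto the undated continuation lines that follow it, strips the /mount prefix of the evidence image, and then applies a few analyst rules: a ctime change on a system binary, a directory or regular file where only device nodes belong, a kernel object being read, and a boot script being changed. It also prints every event's distance in seconds from the first access to in.telnetd. The sample input is the listing from this post retyped as a constant (its column spacing is my reconstruction), and the rule set, the allowlist of directories expected under /dev, and the anchor path are my assumptions; The Sleuth Kit's mactime prints a different column layout, so this parser targets only the TCT format quoted here.

```python
import re
from datetime import datetime

# Constructed sample: the TCT mactime lines quoted in the post, retyped. The column
# spacing is my reconstruction; the values are the ones shown above. Lines without a
# date carry the time stamp of the previous dated line, as mactime prints them.
SAMPLE_MACTIME = """\
Sep 20 00 15:46:05    31376 .a. -rwxr-xr-x root     root     /mount/usr/sbin/in.telnetd
Sep 20 00 15:46:39    20452 ..c -rwxr-xr-x root     root     /mount/bin/login
Sep 20 00 16:49:47      949 ..c -rwxr-xr-x root     root     /mount/etc/rc.d/rc.local
                        209 ..c -rwx------ root     root     /mount/usr/sbin/initd
Sep 20 00 16:50:11     4096 .a. drwxr-xr-x operator 11       /mount/dev/ttypq/...
Sep 20 00 16:52:12     7704 .a. -rw-r--r-- root     root     /mount/lib/modules/2.2.16-3/net/ipv6.o
                        209 .a. -rwx------ root     root     /mount/usr/sbin/initd
                     222068 .a. -rwxr-xr-x root     root     /mount/usr/sbin/rpc.status
"""

# date (absent on continuation lines), size, m/a/c flags, mode string, uid, gid, path
LINE_RE = re.compile(
    r"^(?P<when>[A-Z][a-z]{2} \d{2} \d{2} \d{2}:\d{2}:\d{2})?\s*"
    r"(?P<size>\d+)\s+(?P<mac>[m.][a.][c.])\s+"
    r"(?P<perms>[-dlcbps][rwxsStT-]{9})\s+(?P<uid>\S+)\s+(?P<gid>\S+)\s+(?P<path>.+?)\s*$"
)

MOUNT_POINT = "/mount"  # where the evidence image was mounted; stripped so rules see real paths


def parse_mactime(text, mount_point=MOUNT_POINT):
    """Parse TCT-style mactime output into a list of event dicts sorted by time."""
    events, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"line {lineno}: not a mactime record: {raw!r}")
        if m["when"]:
            current = datetime.strptime(m["when"], "%b %d %y %H:%M:%S")
        elif current is None:
            raise ValueError(f"line {lineno}: continuation line before any dated line")
        path = m["path"]
        if path.startswith(mount_point + "/"):
            path = path[len(mount_point):]
        events.append({
            "when": current, "size": int(m["size"]), "mac": m["mac"],
            "perms": m["perms"], "uid": m["uid"], "gid": m["gid"], "path": path,
        })
    events.sort(key=lambda e: e["when"])  # stable: keeps mactime's order within a second
    return events


SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/")
# Assumption: directories that legitimately live under /dev on systems of this period.
DEV_DIRS_OK = {"pts", "shm", "fd"}


def suspicious(events):
    """Apply a few analyst rules to the timeline; returns (when, path, reason) tuples."""
    findings = []
    for e in events:
        path, mac, perms = e["path"], e["mac"], e["perms"]
        reasons = []
        # A ctime change on a system binary with no package upgrade means the inode was
        # rewritten or re-owned: the classic sign of a replaced (trojaned) binary.
        if "c" in mac and path.startswith(SYSTEM_DIRS):
            reasons.append("inode of a system file changed (replaced or chmod/chown'd)")
        # /dev should hold device nodes; attackers hide tool directories there.
        if path.startswith("/dev/"):
            top = path.split("/")[2]
            if perms[0] == "d" and top not in DEV_DIRS_OK:
                reasons.append("unexpected directory under /dev")
            elif perms[0] == "-":
                reasons.append("regular file under /dev")
        # A kernel object read at an odd time is a candidate LKM rootkit load.
        if path.startswith("/lib/modules/") and path.endswith(".o") and "a" in mac:
            reasons.append("kernel module read (possible LKM load)")
        # Boot scripts are the usual place to make a backdoor survive a reboot.
        if path.startswith("/etc/rc.d/") and ("m" in mac or "c" in mac):
            reasons.append("boot script changed (persistence)")
        findings.extend((e["when"], path, r) for r in reasons)
    return findings


def seconds_from_first_access(events, anchor_path="/usr/sbin/in.telnetd"):
    """Offset of every event, in seconds, from the first event recorded on anchor_path."""
    t0 = min(e["when"] for e in events if e["path"] == anchor_path)
    return [(int((e["when"] - t0).total_seconds()), e["mac"], e["path"]) for e in events]


if __name__ == "__main__":
    timeline = parse_mactime(SAMPLE_MACTIME)
    for secs, mac, path in seconds_from_first_access(timeline):
        print(f"+{secs:5d}s {mac} {path}")
    for when, path, reason in suspicious(timeline):
        print(f"{when:%Y-%m-%d %H:%M:%S}  {path}: {reason}")
```

Run against the listing it flags /bin/login (inode changed 34 seconds after the telnet access), rc.local and initd (both changed 3822 seconds in), the "..." directory under /dev/ttypq (3846 seconds) and the ipv6.o module being read (3967 seconds), which is the same sequence the investigation traces by hand above. The rpc.status access is deliberately not flagged on its own; an access time by itself says only that something ran, and it is the company it keeps on the timeline that makes it interesting.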