You may already be hacked.
Jon Lasser, 2001-07-25

Rootkits help hackers play hide-and-seek.

LOVE YOU MAN!!! 2001-07-25
elliptic (5 replies)
Ports 2001-07-26
Zer0
LOVE YOU MAN!!! 2001-08-01
cds@hotmail.com
LOVE YOU MAN!!! 2001-08-02
logarithm
LOVE YOU MAN!!! 2001-08-07
Anonymous
LOVE YOU MAN!!! 2001-08-13
Dark Spaniel
Fuq1n l0zer 2001-07-26
gr4nd 1nqu1z1t0r (1 replies)
mmm? 2002-02-08
Anonymous
bugs 2001-07-30
walterp@fuse.net
Why surf as root 2001-08-03
Rodrigo Ramos <ramos@ipad.com.br>
great article. 2001-08-05
Gonçalo Gomes
what about strace 2001-08-10
arne.peer@appelmoes.xs4all.be
You may already be hacked - by a script? 2002-01-08
Anonymous
Greetings.

I recently put together a box for running an ipchains-based Linux firewall.

Being rather naive about how rapidly the system could get hacked, I opened an Internet-facing interface for testing purposes. The system was compromised in less than 24 hours! And get this: I was logged in watching as the system was attacked and compromised! Consequently, I was able to get the on-site people on the phone and have them drop power to the system, practically on my command.

As a result, I was able to capture their rootkit, both in its pre-installed and its up-and-running state, and was able to perform a full (if amateurish =) post-mortem analysis of the system.

Highly interesting stuff! I could grok much of what they were doing, though admittedly some of it was beyond my casual reckoning. As best I could tell, the rootkit was automated, searching networks for exploitable systems, implanting itself therein, and periodically reporting back to its owners/operators through email addresses at Yahoo.

If anyone is interested (and qualified), I actually have their stuff on a CD, pretty much in toto (I have no way of knowing if they were able to dispose of more than what I was able to bring back from deletion on the ext2 fs).

Interested parties give me a shout at alteridentity@yahoo.com

-James


Link to this comment: http://www.securityfocus.com/comments/columns/12/9730#9730
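Comparing a known-good copy of the system with the compromised one is the core of the post-mortem James describes: a rootkit's trojaned `ps` or `ls`, a freshly setuid'd shell, a hidden tool directory and a deleted config file all show up as differences between the two trees. The following is an added example, not code from the column or from James; the two directory trees it builds are constructed stand-ins for a clean install and a rooted copy, and the file names and contents in them are hypothetical.

```python
"""Baseline-vs-snapshot integrity diff for a rootkit post-mortem (added example).

Assumption: a trustworthy tree to compare against exists, either a clean
install of the same release or an image taken before the compromise.
"""
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class FileRecord:
    """What is compared per file: size, permission bits (incl. setuid), content hash."""
    size: int
    mode: int
    sha256: str


def snapshot(root: str) -> Dict[str, FileRecord]:
    """Record every regular file under root, keyed by path relative to root.

    lstat() is used so a binary swapped for a symlink is not silently followed,
    and the hash is streamed so large files do not need to fit in memory.
    """
    records: Dict[str, FileRecord] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            rel = os.path.relpath(path, root)
            records[rel] = FileRecord(st.st_size, stat.S_IMODE(st.st_mode), digest.hexdigest())
    return records


def diff_snapshots(baseline: Dict[str, FileRecord],
                   current: Dict[str, FileRecord]) -> Dict[str, List[str]]:
    """Classify files as added, removed, modified or newly setuid between two snapshots.

    A changed mode alone counts as modified: a setuid shell left behind is a
    classic rootkit backdoor even when the file contents are untouched.
    """
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
        "new_setuid": sorted(
            p for p in cur_paths
            if current[p].mode & stat.S_ISUID
            and not (p in baseline and baseline[p].mode & stat.S_ISUID)
        ),
    }


def _write_tree(root: str, files: Dict[str, bytes]) -> None:
    """Materialise a constructed tree with fixed 0755 modes so umask does not skew the diff."""
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, 0o755)


def demo() -> Dict[str, List[str]]:
    """Constructed data: a hypothetical clean tree and a 'rooted' copy of it."""
    clean = {
        "bin/ps": b"#!/bin/sh\nexec /real/ps \"$@\"\n",
        "bin/sh": b"#!/bin/sh\nexec /real/sh \"$@\"\n",
        "etc/inetd.conf": b"telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd\n",
    }
    rooted = dict(clean)
    # trojaned ps that filters the attacker's process out of its own output
    rooted["bin/ps"] = b"#!/bin/sh\nexec /real/ps \"$@\" | grep -v sn1ff\n"
    # a hidden dot-directory holding the dropped tool (placeholder bytes, not a real binary)
    rooted["usr/lib/.sys/sn1ff"] = b"\x7fELF constructed placeholder\n"
    # a config file the attacker removed
    del rooted["etc/inetd.conf"]
    with tempfile.TemporaryDirectory() as base_dir, tempfile.TemporaryDirectory() as cur_dir:
        _write_tree(base_dir, clean)
        _write_tree(cur_dir, rooted)
        # setuid shell left behind: contents identical to the baseline, only the mode differs
        os.chmod(os.path.join(cur_dir, "bin", "sh"), 0o4755)
        return diff_snapshots(snapshot(base_dir), snapshot(cur_dir))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:>10}: {paths}")
```

Run it against two real trees by calling `diff_snapshots(snapshot("/mnt/clean"), snapshot("/mnt/suspect"))` on mounted, read-only images rather than on the live system, whose `ls`, `find` and `stat` may themselves be the trojaned binaries; the hashes in the snapshot dictionary are also what one would keep on write-once media as the baseline for the next check.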
Copyright 2009, SecurityFocus