MB Kabbalah IChing - Free Software Downloads - ZDNet Asia: MB Kabbalah IChing is a zodiac sign based software that... http://bit.ly/czUQRr
44 minutes ago by fighting_jew on topsy
We have relaunched: What's new at ZDNet Asia?
ZDNet / Insight / Hardware / Story
Old-school UNIX tools help track down hackers
Summary
Catching malicious hackers isn't impossible. With the right tools, you can gather key information to help authorities identify the perpetrators. Learn how to use common UNIX tools to track down these attackers.
Events
Microsoft MSDN/Developer Event
25 Mar 2010
One Marina Boulevard, Microsoft Singapore
IT Architect Regional Conference Singapore 2010
20 - 21 Apr 2010
Singapore Management University, Singapore
The Internet Show 2010
21-22 Apr 2010
Suntec Singapore
You have determined that your network has been breached. There are two standard
approaches on what to do next:
Most organizations decide to close the holes as quickly as possible because the probability of actually catching an intruder is low. But if you can identify the hacker and opt to prosecute, you must gather as much information about the attack as possible. Data such as the hacker's location, the domain and IP address from which the hacking took place, the name of the hacker, and what specific damage the hacker inflicted are all necessary for prosecution. One method of gaining this information is by using tried-and-true UNIX networking tools usually employed in incident-response forensics.
UNIX forensic tools
In forensic analysis, you cannot use any tools that are currently installed on the hacked system, because those tools could have been replaced with Trojan programs. For example, the ps program that displays the process table could have been replaced with a Trojan ps program that displays everything except the process of a running hacker daemon. Whatever tools you decide to use for analyzing evidence should all be freshly installed. Key items you'll want to look at and retain for analysis are:
Various software tools and UNIX commands can help you gather this information. Here are some of the tools that come bundled with most UNIX operating systems or that are freely available on the Internet and are worth familiarizing yourself with:
Use netstat to determine open ports and services
Netstat is the tool to use to determine what ports and services are currently open. When you execute the command netstat -an, you'll see a listing of all the connections, along with their listening ports and the network addresses associated with these ports. The output will look something like this:
TCP 128.88.41.2:1025 140.216.41.2:80 CLOSE_WAIT
TCP 128.88.41.2:2180 140.216.41.2:80 CLOSE_WAIT
TCP 128.88.41.2:1188 140.216.41.2:80 CLOSE_WAIT
Look for patterns such as similar source ports used to connect to different sockets. (A socket is an IP address and port together, such as 206.208.163.15:80.) In the above example, three connections (now closed) were used to connect to the Web server port, all from different source ports. If you discover a server on a particular port that is not normally in use, it's possible that a hacker with root level access installed it for malicious purposes.
|
|
Most organizations decide to close the holes as quickly as possible because the probability of actually catching an intruder is low. But if you can identify the hacker and opt to prosecute, you must gather as much information about the attack as possible. Data such as the hacker's location, the domain and IP address from which the hacking took place, the name of the hacker, and what specific damage the hacker inflicted are all necessary for prosecution. One method of gaining this information is by using tried-and-true UNIX networking tools usually employed in incident-response forensics.
UNIX forensic tools
In forensic analysis, you cannot use any tools that are currently installed on the hacked system, because those tools could have been replaced with Trojan programs. For example, the ps program that displays the process table could have been replaced with a Trojan ps program that displays everything except the process of a running hacker daemon. Whatever tools you decide to use for analyzing evidence should all be freshly installed. Key items you'll want to look at and retain for analysis are:
- A list of open ports and services
- Aberrant packet behavior
- Accurate dates, timestamps, and images of evidence
- Suspicious IP addresses
- Geographic locations of suspect IP addresses
Various software tools and UNIX commands can help you gather this information. Here are some of the tools that come bundled with most UNIX operating systems or that are freely available on the Internet and are worth familiarizing yourself with:
- netstat prints a listing of network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.
- tcpdump prints out the headers of packets on a network interface that match a Boolean expression.
- dig sends domain name query packets to name servers.
- traceroute prints the route that packets take to network hosts.
- find searches for files in a directory hierarchy.
- dd converts and copies a file.
- grep, egrep, and awk are used to process text.
Use netstat to determine open ports and services
Netstat is the tool to use to determine what ports and services are currently open. When you execute the command netstat -an, you'll see a listing of all the connections, along with their listening ports and the network addresses associated with these ports. The output will look something like this:
TCP 128.88.41.2:1025 140.216.41.2:80 CLOSE_WAIT
TCP 128.88.41.2:2180 140.216.41.2:80 CLOSE_WAIT
TCP 128.88.41.2:1188 140.216.41.2:80 CLOSE_WAIT
Look for patterns such as similar source ports used to connect to different sockets. (A socket is an IP address and port together, such as 206.208.163.15:80.) In the above example, three connections (now closed) were used to connect to the Web server port, all from different source ports. If you discover a server on a particular port that is not normally in use, it's possible that a hacker with root level access installed it for malicious purposes.
Transform your business interactions with real-time voice, video and telepresence solutions.
Tech Vendor: Cisco
Tech Vendor: Cisco
ZDNet Asia Live
As Sony camera users, both MTS and M2TS are Sony high definition video file types, which are raw AVCHD videos recorded by AVCHD camcorder...
1 hour 26 minutes ago by tracyjump on Mobile data centers becoming 'mainstream'Found this great little deal calculator http://www.zdnetasia.com/downloa...
8 hours 5 minutes ago by winstoncranford on topsyRT @mistertechblog: I wrote about Nexus One and Touchdown, desktop dock, Bluetooth/USB tethering, ebooks here: http://bit.ly/bRdzx0
14 hours 16 minutes ago by yklee13 on topsy
Read my blog post on getting the most from your Nexus One: http://www.zdnetasia.com/blogs/m...
14 hours 22 minutes ago by mistertechblog on twitterData Centre Operator (Fresh Graduates Welcome to Apply) in ... http://bit.ly/bagYuu
14 hours 46 minutes ago by intmasterfeed on topsy#Cisco #Cloud Cloud on ZDNet Asia: Aussie university joins Cisco cloud ยท Early-adopter criminals embrace cloud... http://bit.ly/d93C8S #TCN
15 hours 49 minutes ago by thetechgang on topsy
RT @3wconsulting: Whitepaper from http://3W.com.au "Outsourcing Your IT Requirements to Philippines" now on @zdnetaustralia & @zdnetasia http://ow.ly/1oY9f
22 hours 36 minutes ago by LeesaAT3W on twitter
Whitepaper from http://3W.com.au "Outsourcing Your IT Requirements to Philippines" now on @zdnetaustralia & @zdnetasia http://ow.ly/1oYbA
22 hours 37 minutes ago by itemployment on twitter
Whitepaper from http://3W.com.au "Outsourcing Your IT Requirements to Philippines" now on @zdnetaustralia & @zdnetasia http://ow.ly/1oYbz
22 hours 37 minutes ago by brucemills on twitter
Zdnetasia.com Estimated Worth $178,365 USD. Daily Ad Revenue:$244 USD, Daily Views:81,445 Pages... - http://www.haplog.com/www.zdneta...
1 day 20 minutes ago by Haplog on twitterThe receivers don't transmit back to the satellite. Unless there is a phone line attached to the receiver, they don't have any wa...
1 day 2 minutes ago by bessellbrowne on Apple to join the geolocation craze?whatever little understanding I have we 'll only progress toward end of the world if we use HPCs to lenthen life of human being. Huma...
2 days 9 minutes ago by abhi32002@gmail.com on High computing promises elixir of lifeThanks for the knowledgeable article on SDDs. Allas...when all this reasearch will happen in Indian Universities. Hope the new bill on Fo...
2 days 21 minutes ago by abhi32002@gmail.com on APAC HPC users eye solid-state drivesIt was a good article. This brings a good opportunity for Indian IT firms to come up with new solutions in this field. HPC can become a b...
2 days 40 minutes ago by abhi32002@gmail.com on High computing most-wanted job in AsiaCOL KR DHARMADHIKARY(RETD) its very late to reply the link, but if it is still alive and looking for opportunity, i would like to know th...
2 days 37 minutes ago by deb021280 on Education takes off in rural India, helped by PCs
High performance computing (HPC) most-wanted job in Asia http://bit.ly/9vFC3i (via @zdnetasia) #singapore
2 days 54 minutes ago by mySingapore on twitter
RT @zdnetasia: EMC COO, Pat Gelsinger, on bridging gaps in the organization and its cloud ambitions in Asia. (cont) http://tl.gd/i5jjd
2 days 43 minutes ago by mistymaitimoe on twitter
EMC COO, Pat Gelsinger, on bridging gaps in the organization and its cloud ambitions in Asia. http://bit.ly/9etOZW
2 days 47 minutes ago by zdnetasia on twitter
Asian SMBs need to pay more attention to disaster recovery planning http://bit.ly/bDet08 via @zdnetasia
2 days 3 minutes ago by asiapacsolution on twitterAsian SMBs need to pay more attention to disaster recovery planning http://bit.ly/bDet08
2 days 17 minutes ago by zdnetasia on twitter
[TECH] URL Shorteners slow Web redirection. - http://bit.ly/bySnWK @zdnetasia
3 days 316848 seconds ago by danielcktan on twitter
URL shorteners are great but they can slow web redirection & you pray it would never go down http://bit.ly/bySnWK via @zdnetasia
3 days 28 minutes ago by angahsin on twitterURL shorteners slow Web redirection. http://bit.ly/bySnWK
3 days 57 minutes ago by zdnetasia on twitterChinese agencies cry foul over Google. http://bit.ly/by6rwV
3 days 3 minutes ago by zdnetasia on twitterall of sg's isps have been practising compulsory invisible proxy for all home subscribers at their backend since many years back alre...
3 days 21 minutes ago by melvinchia on Web filters mean bad news for businessit is not to good for china.
Proactol
Very good explanation of JMX
4 days 11 minutes ago by Babith B on Managing applications with JMXThe reaction to a report issued Tuesday by Flurry Analytics managed to completely overlook some interesting news--the Android-based Motorola Droid outsold the original iPhone over the same period of time following their respective launches--to focus instead on the sales numbers for the Nexus One.
5 days 15 minutes ago by lonemavericks on diggsAnother ZTE story....
5 days 17 minutes ago by Moderate Your Greed on Philippines opens bid for final 3G licenseWe at www.fifosys.com have also seen a growth in IT outsourcing and anticipate it as a growing field.
5 days 50 minutes ago by sarah Jane on Companies' outsourcing spend to increaseI agree with you. The iSiVaL is super portable and TVs can't expand their image size. I recorded a video that might bring some ideas to...
5 days 20 minutes ago by Jesse B Andersen on Buying a projector? Try an LED TV insteadhermm... he deserved it.. he shud not talk abt sensitive things like tat, well, he shud think twice before saying all those things, event...
5 days 58 minutes ago by ... on Facebook user charged in MalaysiaPassword manager tools are potential security threat. Criminals who hack into the computer can use the password manager to log onto any s...
5 days 59 minutes ago by ohanae on What defaults should random password generators use?I've found the cross platform utility unetbootin to be rather handy for this kind of thing as well.
5 days 33 minutes ago by Jim on Use Live USB Creator to install Fedora 12 from a USB stickKeep up with ZDNet Asia
Linkedin 
RSS Feeds 
Newsletters 
Twitter Inside ZDNet Asia
Sponsored
The Desktop Virtualization Revolution is here!
Find our more with Citrix Simplicity is Power
2010 IT Salary & Skills Report
Find out the salary range of IT professionals. Join activeTechPros for free access to the report.
The Internet Show 2010, 21-22 Apr 2010, Singapore
FREE admission for visitors who pre-register online. Register Today!
