I have a rat problem at home. It has been eating my bread and most recently, it has eaten its way through a door. I hate rats. I wish that hunting rats was as easy as hunting hackers. I was brought in on an incident at work today. Seems like one of our servers had recently been compromised. Any organisation with a sufficiently large server infrastructure needs to be ever vigilant of attacks.
So, I got my grubby hands on the KVM terminal of the server and started nosing around. Very quickly, I found that it was making two network connections: one to an IRC server and another to a remote web server that it was attacking. This is interesting because it is a classic bot-net scenario, where the bot sits in the background and connects to an IRC server in order to receive commands from its masters.
Then, I had to hunt down the offending background bot programme. That took a little snooping around the proc filesystem of the server to track down the application. I loved the filenames that the hacker used for its scripts. Some of those names were really creative, to say the least. The final step was to track down how the hack was initiated. This was definitely something planted ages ago before being turned on recently.
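The two triage steps described above (spot the odd outbound connections, then walk the proc filesystem to find the process behind them) can be scripted. The following is an added example written for this post, not the author's own tooling: it parses `/proc/net/tcp` records, flags established connections to ports commonly used by IRC (the port list and the sample records are assumptions constructed for the example), and maps the socket inode back to the owning process via `/proc/<pid>/fd`.

```python
"""Added example: triage outbound IRC-looking connections on a Linux host.

Parses /proc/net/tcp (IPv4, addresses stored as little-endian hex), flags
established connections to common IRC ports, and resolves the socket inode
to the PID, executable and command line that hold it open.
"""
import glob
import os
import socket
import struct

# Ports commonly used by IRC servers (assumption for this example).
IRC_PORTS = {6667, 6668, 6669, 6697, 7000}

# Connection state codes as used in /proc/net/tcp.
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "06": "TIME_WAIT",
              "08": "CLOSE_WAIT", "0A": "LISTEN"}

# Constructed sample of /proc/net/tcp using documentation address ranges.
SAMPLE_PROC_NET_TCP = "\n".join([
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode",
    "   0: 0500000A:B5A4 076433C6:1A0B 01 00000000:00000000 00:00000000 00000000     0        0 24601 1 0000000000000000 20 4 30 10 -1",
    "   1: 0500000A:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0",
    "   2: 0500000A:C2B4 097100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 33333 1 0000000000000000 20 4 30 10 -1",
])


def _hex_addr(field):
    """Convert 'HHHHHHHH:PPPP' (little-endian IPv4, hex port) to (ip, port)."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the text of /proc/net/tcp into a list of connection dicts."""
    conns = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        conns.append({
            "local": _hex_addr(fields[1]),
            "remote": _hex_addr(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "inode": int(fields[9]),
        })
    return conns


def flag_irc_connections(conns, ports=IRC_PORTS):
    """Return established connections whose remote port is an IRC port."""
    return [c for c in conns
            if c["state"] == "ESTABLISHED" and c["remote"][1] in ports]


def find_socket_owners(inode, proc_root="/proc"):
    """Map a socket inode to the (pid, exe, cmdline) tuples holding it open.

    Walks /proc/<pid>/fd/* looking for links of the form 'socket:[<inode>]'.
    Needs root to see other users' processes; unreadable entries are skipped.
    """
    target = f"socket:[{inode}]"
    owners = []
    for fd_path in glob.glob(os.path.join(proc_root, "[0-9]*", "fd", "*")):
        try:
            if os.readlink(fd_path) != target:
                continue
            pid = fd_path.split(os.sep)[-3]
            exe = os.readlink(os.path.join(proc_root, pid, "exe"))
            with open(os.path.join(proc_root, pid, "cmdline"), "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
            owners.append((int(pid), exe, cmdline))
        except OSError:
            continue  # process exited or not ours to inspect
    return owners


if __name__ == "__main__":
    # Use the live table when on Linux, otherwise fall back to the sample.
    try:
        with open("/proc/net/tcp") as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE_PROC_NET_TCP
    for conn in flag_irc_connections(parse_proc_net_tcp(table)):
        print("IRC-looking connection:", conn["local"], "->", conn["remote"])
        for pid, exe, cmdline in find_socket_owners(conn["inode"]):
            print(f"  held by pid {pid}: {exe}  [{cmdline}]")
```

Run as root to resolve sockets belonging to other users. A hit only says the remote port matches; confirm by looking at the process's `exe` link (a deleted or oddly named binary is a strong hint) and its open files before acting.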
At one point, I commented to a colleague that it felt fun playing CSI on the server. As usual, the ultimate flaw in the security lay in the system admin. While nosing around in the system, I got a feel for the competency of that particular server's sysadmin. There were several things done that should not have been done. So, let's just hope that they take our advice to heart and fix the flaws.
As for the rat at home, I think that I'll need to try to track down its entry point into the house. Then, I can plug it and kiss the rat goodbye.