Hunting the initial vector, Story of a Hack

The first hack of the year came earlier than expected for 2006: only hours into the year, a host fell victim to attackers. The network under attack is laid out roughly as in the diagram in the original post (not reproduced here). The firewall/Snort box is a Sguil sensor that runs Snort, captures full content (pcap) and also records TCP session data. The sensor has around 200 GB of disk, which is normally enough to keep full pcap data for about two weeks. Alerts and session data are pushed up to a central Sguil database server.

The first indication that something was amiss was 100% utilization of the 2 Mbit/s WAN interface; the ISP who supplies the leased line informed us of this. The 10/100 switch is a managed device running SNMP, and it is queried periodically by MRTG to produce traffic graphs for each connected host. From the MRTG graphs we could easily determine which host was hogging all the bandwidth. After logging into the offending Linux host, a quick glance at the process list showed an unusual script called cw running...

Continue reading: hunting the initial vector (via HNS)
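The triage step above, working out which switch port (and so which host) is eating the WAN link from per-port counters, as an added Python example; this is not code from the original write-up, nor from MRTG or Sguil. It assumes 32-bit IF-MIB ifInOctets/ifOutOctets counters polled at MRTG's usual 300 s interval, a constructed port-to-host table, and the 2 Mbit/s WAN figure from the story as the saturation reference. The counter values are constructed, and one of them wraps between polls, which a naive subtraction would turn into a negative rate.

```python
"""Added example, not from the original HNS write-up: find the bandwidth hog
from per-port switch counters, the step the MRTG graphs performed in the story.

Assumptions (not in the original): 32-bit IF-MIB ifInOctets/ifOutOctets
counters polled every 300 s as MRTG does; a constructed port-to-host table;
the 2 Mbit/s WAN link from the story as the saturation reference."""
from dataclasses import dataclass

COUNTER_WRAP = 2 ** 32          # 32-bit ifInOctets/ifOutOctets wrap here
WAN_BITS_PER_SEC = 2_000_000    # 2 Mbit/s leased line (from the story)
SATURATION_FRACTION = 0.8       # one port above 80% of the WAN rate is suspect


@dataclass(frozen=True)
class Sample:
    port: int
    t: int           # poll time, epoch seconds
    in_octets: int   # bytes received by the switch on this port (host -> switch)
    out_octets: int  # bytes sent by the switch on this port (switch -> host)


# Constructed port -> host table (not real hosts).
HOSTS = {1: "fileserver", 2: "workstation", 3: "linux-web"}

# Constructed polling rounds, 300 s apart. Port 3's in_octets wraps between polls.
POLL_1 = {
    1: Sample(1, 1136100000, 1_000_000, 2_000_000),
    2: Sample(2, 1136100000, 50_000, 80_000),
    3: Sample(3, 1136100000, 4_290_000_000, 500_000),
}
POLL_2 = {
    1: Sample(1, 1136100300, 4_000_000, 2_600_000),
    2: Sample(2, 1136100300, 65_000, 110_000),
    3: Sample(3, 1136100300, 69_032_704, 1_250_000),  # wrapped: +74,000,000 octets
}


def counter_delta(prev: int, cur: int, wrap: int = COUNTER_WRAP) -> int:
    """Octets counted between two readings, allowing for one counter wrap.

    A 100 Mbit/s port needs about 343 s to push 2**32 bytes, so within a
    300 s MRTG poll a 32-bit counter can wrap at most once."""
    if cur >= prev:
        return cur - prev
    return cur + wrap - prev


def port_rates(prev: dict, cur: dict) -> dict:
    """Bits per second (in, out) per port between two polling rounds."""
    rates = {}
    for port, c in cur.items():
        p = prev.get(port)
        if p is None:
            continue                      # port appeared between polls: no rate yet
        dt = c.t - p.t
        if dt <= 0:
            raise ValueError(f"port {port}: non-increasing poll time")
        in_bps = counter_delta(p.in_octets, c.in_octets) * 8 / dt
        out_bps = counter_delta(p.out_octets, c.out_octets) * 8 / dt
        rates[port] = (in_bps, out_bps)
    return rates


def top_talkers(rates: dict, hosts: dict, wan_bps: int = WAN_BITS_PER_SEC,
                fraction: float = SATURATION_FRACTION) -> list:
    """Ports ranked by their busier direction, flagged when one port alone
    could fill `fraction` of the WAN link."""
    ranked = sorted(rates.items(), key=lambda kv: max(kv[1]), reverse=True)
    return [
        {
            "port": port,
            "host": hosts.get(port, "unknown"),
            "in_bps": in_bps,
            "out_bps": out_bps,
            "saturating": max(in_bps, out_bps) >= fraction * wan_bps,
        }
        for port, (in_bps, out_bps) in ranked
    ]


if __name__ == "__main__":
    for row in top_talkers(port_rates(POLL_1, POLL_2), HOSTS):
        flag = "  <-- check this host" if row["saturating"] else ""
        print(f"port {row['port']:2d} {row['host']:<12} "
              f"in {row['in_bps'] / 1e6:6.3f} Mbit/s  "
              f"out {row['out_bps'] / 1e6:6.3f} Mbit/s{flag}")
```

Ranking on the busier direction rather than the sum matters here: a host pumping traffic out of the site shows up as `in_octets` on its switch port, and that single direction is what fills the upstream side of the leased line. Against real hardware the same logic applies to values pulled with `snmpwalk` on `ifInOctets`/`ifOutOctets`, or to ifHCInOctets on 64-bit-capable switches, where the wrap handling becomes moot.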

Linked by shanmuga Thursday, 9th February 2006 7:53AM