LOTRZ2
Answers by Joe Matyaz

Dear Mr. Skodo,

1.) What two mistakes had Gollum/Smeagol and/or his tool made in this attack?

I believe that Gollum/Smeagol has made several mistakes. There are two world-readable files missing from the /tmp directory. I have no direct proof but I'm pretty sure that he deleted Buy_Malware_by_Ed_S.txt and Hack_Counter-Hack_Training.mov just to irritate you. You will eventually need to restore these files from your backup tapes. Mr. G. Smeagol also said that this issue is only in the /tmp directory, and you never mentioned this to him during your conversation. The whispering to himself was also a mistake. He should work harder at not revealing his intentions inadvertently. The inode counts (5192 and 2020) for /tmp and /tmp/.. don't agree with the number of files in those directories. This indicates that something unusual is taking place. Mr. Smeagol should also have used his tool to alter the display of the /tmp/.. directory so that root was the owner instead of himself. This would have stopped you from questioning him about the unusual ".. " directory.
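The point about directory metadata not agreeing with the visible listing can be turned into a concrete check. The script below is an added example, not part of Joe Matyaz's answer or of the challenge: it compares a directory's link count (which on ext2/3/4, XFS and tmpfs is 2 plus one per immediate subdirectory) against the subdirectories the listing actually shows. A tool that filters names out of readdir() output typically leaves the link count alone, so the two numbers diverge. The scratch directory, its entries and the `hiding_listdir` stand-in for a name-filtering tool are all constructed for the demonstration.

```python
import os
import stat
import tempfile
from typing import Callable, List, NamedTuple, Optional


class DirCheck(NamedTuple):
    path: str
    expected_subdirs: int   # subdirectories implied by st_nlink - 2
    visible_subdirs: int    # subdirectories the listing actually returned
    hidden: int             # expected - visible; > 0 means entries are not being listed


def check_directory(path: str,
                    listdir: Callable[[str], List[str]] = os.listdir) -> Optional[DirCheck]:
    """Compare a directory's link count with the subdirectories it lists.

    Each subdirectory's ".." entry is a hard link to its parent, so on
    classic Unix filesystems st_nlink == 2 + number of subdirectories.
    Returns None on filesystems that do not maintain that count
    (btrfs, for example, reports st_nlink == 1 for every directory).
    """
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise ValueError(f"{path} is not a directory")
    if st.st_nlink < 2:
        return None
    visible = 0
    for name in listdir(path):
        child = os.lstat(os.path.join(path, name))
        if stat.S_ISDIR(child.st_mode):
            visible += 1
    expected = st.st_nlink - 2
    return DirCheck(path, expected, visible, expected - visible)


def build_demo_directory() -> str:
    """Constructed sample: a scratch directory with two subdirectories and one file."""
    root = tempfile.mkdtemp(prefix="linkcheck-")
    os.mkdir(os.path.join(root, "work"))
    os.mkdir(os.path.join(root, ".. "))  # dot-dot-space, in the spirit of the odd entry in the question
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("constructed sample file\n")
    return root


def hiding_listdir(path: str) -> List[str]:
    """Stand-in for a name-filtering tool: returns every entry except '.. '."""
    return [n for n in os.listdir(path) if n != ".. "]


if __name__ == "__main__":
    root = build_demo_directory()
    print("honest listing  :", check_directory(root))
    print("filtered listing:", check_directory(root, listdir=hiding_listdir))
```

Run it from a rescue environment and point `check_directory` at /tmp, /dev, /usr/lib and similar places; a positive `hidden` value is worth a closer look, while `None` only means the filesystem in question does not keep the count.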

2.) Suppose Skodo is allowed to reboot the box. How can Skodo determine what really happened? What tools should he use?

If you are permitted to reboot the box some type of file verification should be used. By mounting the file system from another copy of Linux (preferably one that is running from a CD) analysis can be performed to determine if any of the Middle Earth files have been altered. Comparing an MD5 or SHA1 hash of Kernel files with those from other known good copies would be a start. Known good copies of the Kernel files, or just their hashes, can be found on the Internet. However, with Middle Earth's unreliable Internet connectivity given the war between good and evil that is taking place, you may end up having to create hashes of the Kernel from your backup tapes or preferably the original installation CDs. You could also review all of the startup scripts for the Middle Earth file system and look for any spurious items that may have been added.
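The hash comparison described above, as an added example that is not part of the answer or of the challenge: build a manifest of digests from a known-good copy (installation media or backup), then verify the mounted suspect filesystem against it, reporting files that are modified, missing or unexpected. The answer names MD5 and SHA1; both are collision-prone, so the script defaults to SHA-256 and takes the algorithm as a parameter for cases where the reference hashes only exist in an older form. The pretend /boot and /etc tree in `demo()` is constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from typing import Dict

ALGORITHM = "sha256"  # "md5" or "sha1" also work when that is all the reference set offers


def file_digest(path: str, algorithm: str = ALGORITHM, chunk: int = 1 << 20) -> str:
    """Stream a file through the chosen hash so large kernels and tapes images fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: str, algorithm: str = ALGORITHM) -> Dict[str, str]:
    """Map relative path -> digest for every regular file under root (symlinks skipped)."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            manifest[os.path.relpath(full, root)] = file_digest(full, algorithm)
    return manifest


def verify(root: str, known_good: Dict[str, str], algorithm: str = ALGORITHM) -> Dict[str, str]:
    """Classify each path as ok, modified, missing (in manifest only) or unexpected (on disk only)."""
    current = build_manifest(root, algorithm)
    report: Dict[str, str] = {}
    for rel, digest in known_good.items():
        if rel not in current:
            report[rel] = "missing"
        elif current[rel] != digest:
            report[rel] = "modified"
        else:
            report[rel] = "ok"
    for rel in current:
        if rel not in known_good:
            report[rel] = "unexpected"
    return report


def demo() -> Dict[str, str]:
    """Constructed scenario: take a manifest of a pretend system tree, then alter the tree."""
    root = tempfile.mkdtemp(prefix="hashcheck-")
    contents = {
        "boot/vmlinuz": b"pretend kernel image\n",
        "boot/System.map": b"pretend symbol map\n",
        "etc/rc.local": b"#!/bin/sh\nexit 0\n",
    }
    for rel, data in contents.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    known_good = build_manifest(root)  # what the trusted media would give you

    # Changes made after the manifest was taken.
    with open(os.path.join(root, "etc", "rc.local"), "ab") as fh:
        fh.write(b"# edited after the manifest was taken\n")
    os.remove(os.path.join(root, "boot", "System.map"))
    with open(os.path.join(root, "boot", "extra.ko"), "wb") as fh:
        fh.write(b"pretend module that was never on the media\n")
    return verify(root, known_good)


if __name__ == "__main__":
    for rel, status in sorted(demo().items()):
        print(f"{status:10s} {rel}")
```

In practice `build_manifest` runs once against the trusted media and its output is stored somewhere the suspect host cannot reach; `verify` then runs from the rescue CD against the mounted (read-only) disk of the Middle Earth server.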

3.) Now suppose Skodo is unable to reboot the Middle Earth file server. What tools should he use to determine what is really happening without shutting the box down or rebooting it?

If a reboot is not possible you could use your second Linux box, if it has enough disk space, to restore the entire Middle Earth server from backup tapes and boot the second Linux box with a bootable CD and perform your investigation while leaving the Middle Earth file server running. I do realize that electrical power in Middle Earth is a scarce commodity and the use of a second box is probably not feasible. Therefore I would suggest you begin by reviewing all of your syslog entries. Gaps in the logs or other suspicious entries should be thoroughly investigated. The SANS System Administrator Intrusion Discovery Cheat Sheets for Linux have a number of commands that might help to identify some processes or open network connections that should not be present. A review of all accounts and scheduled tasks should also be performed. There is a significant chance that none of these activities will provide any useful information. Before continuing you should speak with the Legal Department, Human Resources, and of course, the King, to discuss the information you have already gathered. You must get their permission to monitor Mr. Smeagol before continuing with your investigation. I would suggest you review his shell history and search for any files or folders that he owns. Installing a keystroke capture device (Key Catcher http://www.thinkgeek.com/gadgets/electronic/5a05 is my personal favorite) on his workstation may also help. Audio and video surveillance of his work area might also be employed.
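The "gaps in the logs" review suggested above can be automated. The script below is an added example, not part of the answer or of the challenge: it parses classic syslog timestamps and reports any stretch of silence longer than a threshold, as well as any entry whose timestamp runs backwards (a clock change or a rewritten file). The log lines, the host name `moria` and the year used to complete the syslog timestamps (which carry no year) are all constructed for the demonstration.

```python
import datetime as dt
from typing import List, NamedTuple, Optional

SYSLOG_TS = "%b %d %H:%M:%S"  # e.g. "Mar 10 22:17:01" or "Mar  9 07:00:00"; always 15 characters


class Gap(NamedTuple):
    before: str     # last line seen before the silence
    after: str      # first line seen after it
    seconds: float  # negative when time went backwards


# Constructed sample log. cron.hourly fires every hour, so an hour with no entries
# at all between 22:21 and 23:17 is exactly the kind of hole worth asking about.
SAMPLE_LOG = """\
Mar 10 22:17:01 moria CRON[4012]: (root) CMD (run-parts /etc/cron.hourly)
Mar 10 22:20:44 moria sshd[4020]: Accepted password for smeagol from 10.0.0.7 port 51022 ssh2
Mar 10 22:21:02 moria kernel: usb 1-1: new low-speed USB device number 3
Mar 10 23:17:01 moria CRON[4101]: (root) CMD (run-parts /etc/cron.hourly)
Mar 10 23:17:20 moria sshd[4020]: pam_unix(sshd:session): session closed for user smeagol
"""


def parse_timestamp(line: str, year: int) -> Optional[dt.datetime]:
    """Return the line's timestamp, or None for continuation/malformed lines."""
    try:
        ts = dt.datetime.strptime(line[:15], SYSLOG_TS)
    except ValueError:
        return None
    return ts.replace(year=year)  # syslog omits the year; caller supplies it (assumption)


def find_gaps(lines: List[str], max_silence: float = 1800.0, year: int = 2003) -> List[Gap]:
    """Report every pair of consecutive entries separated by more than max_silence
    seconds, and every pair where the second entry is older than the first."""
    gaps: List[Gap] = []
    prev_line: Optional[str] = None
    prev_ts: Optional[dt.datetime] = None
    for line in lines:
        ts = parse_timestamp(line, year)
        if ts is None:
            continue
        if prev_ts is not None:
            delta = (ts - prev_ts).total_seconds()
            if delta > max_silence or delta < 0:
                gaps.append(Gap(prev_line, line, delta))
        prev_line, prev_ts = line, ts
    return gaps


if __name__ == "__main__":
    for gap in find_gaps(SAMPLE_LOG.splitlines()):
        kind = "clock went backwards" if gap.seconds < 0 else f"{gap.seconds:.0f}s of silence"
        print(f"{kind}\n  before: {gap.before}\n  after : {gap.after}")
```

Pick `max_silence` from what the host normally logs: a box with an hourly cron job should never be quiet for much more than an hour, and a reported gap that lines up with a user's session is the cue to pull that user's shell history and file ownership as the answer goes on to suggest.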

4.) Short of storing it on a chain around his neck, how can Skodo protect his kernel from being seized by a user on the machine?

At this point you should re-build the Middle Earth server from its original distribution media and apply all of the relevant patches/updates before permitting any other Hobbits access to the server. A sound security policy should also be created and strictly followed. You may also want to consider hiring Ian McKellen. He might be very helpful in dealing with future attackers.

There is a web site dedicated to movie stuff that you might like.

www.filmwise.com

Enjoy,

--Joe Matyaz "Joe.Matyaz@FEPOC.CareFirst.com"