Saturday, January 25, 2014

Daily Blog #217: Sunday Funday 1/26/14

Hello Reader,
            If you watched the Forensic Lunch this week, you heard Hal Pomeranz talk about his newly released tools and scripts, with a focus on Linux analysis. So let's extend the conversation to the challenges of dealing with Linux servers, since our prior Linux Sunday Funday focused on X Windows usage.

The Prize:
A $200 Amazon Gift Card
The Rules:
  1. You must post your answer before Monday 1/27/14 2AM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed; please email them to dcowen@g-cpartners.com
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post

The Challenge:
You have a Red Hat Enterprise Linux v5 server running an eCommerce site. The server was breached: the attacker logged in as the root user two weeks ago and linked the shell history file to /dev/null. What other artifacts can you rely on to determine what the attacker did over the past two weeks?
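As an added example that is not part of the original post: a small Python scanner that flags the anti-forensic trick named in the challenge (a history file symlinked to /dev/null) or a history file truncated to zero bytes, so an examiner knows up front which users' shell history cannot be trusted. The home-directory root, the list of history file names and the sample home tree it builds are assumptions for illustration, not taken from any real system.

```python
import os
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Shell history files commonly found in a home directory (assumed list; extend
# it for the shells actually installed on the host being examined).
HISTORY_FILES = (".bash_history", ".sh_history", ".history")


def classify_history(path: Path) -> Optional[str]:
    """Return a finding for one history file, or None if it looks usable."""
    if path.is_symlink():
        target = os.readlink(path)
        # The trick from the challenge: every history write is discarded.
        if Path(target) == Path("/dev/null"):
            return "symlinked to /dev/null"
        return "symlinked to " + target
    if path.exists() and path.stat().st_size == 0:
        # A zero-byte file suggests the history was truncated by hand.
        return "empty file"
    return None


def find_nulled_histories(home_root: Path) -> List[Tuple[str, str, str]]:
    """Scan every home directory under home_root (e.g. /home; check /root too)
    and report (user, path, reason) for history files that cannot be relied on."""
    findings = []
    for home in sorted(p for p in Path(home_root).iterdir() if p.is_dir()):
        for name in HISTORY_FILES:
            hist = home / name
            # is_symlink() is checked first so a dangling link is not skipped.
            if not hist.is_symlink() and not hist.exists():
                continue
            reason = classify_history(hist)
            if reason:
                findings.append((home.name, str(hist), reason))
    return findings


def build_sample_homes() -> Path:
    """Construct a sample home tree (made-up data) to exercise the scanner."""
    root = Path(tempfile.mkdtemp(prefix="homes_"))
    (root / "root").mkdir()
    os.symlink("/dev/null", root / "root" / ".bash_history")  # the nulled history
    (root / "alice").mkdir()
    (root / "alice" / ".bash_history").write_text("ls -la\nuptime\n")  # normal
    (root / "bob").mkdir()
    (root / "bob" / ".bash_history").write_text("")  # truncated to zero bytes
    return root


if __name__ == "__main__":
    for user, path, reason in find_nulled_histories(build_sample_homes()):
        print(f"{user}: {path} is {reason}")
```

On a real image, point find_nulled_histories at the mounted /home (and at the parent of /root) rather than the constructed tree; a flagged user is one whose shell history is not an artifact you can rely on.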