LinuxQuestions.org
Old 03-25-2007, 12:42 AM   #1
koodoo
Member
 
Registered: Aug 2004
Location: a small village faraway in the mountains
Distribution: Fedora Core 1, Slackware 10.0 | 2.4.26 | custom 2.6.14.2, Slackware 10.2 | 11.0, Slackware64-13
Posts: 345

Rep: Reputation: 33
someone's hacked our college server


Hi all,

I'm a student at a University. Lately we've been experiencing certain problems. Sometimes someone changes the IP address of our proxy server, or sometimes the port on which it runs is changed.
The server machine runs Solaris 10.

The common ports open on the server machine are...

1) ftp
2) ssh
3) finger
4) rpcbind
5) http-proxy

and a few others...

I'm not a network administrator... so I do not have access to the server machine. We've contacted our server administrator and are now trying to nab the culprit.

One thing we know is that he's someone from our internal network. If I do a finger on the server machine I get an internal IP from which a root user had logged into the server.

Now, I'm very new to this kind of thing and our Network administrator is also not that advanced. Could anyone give any pointers as to how we can nab the culprit?

One more question: Our network administrator is not available frequently, so mostly the scenario is that I'm on an internal IP trying to access the net through the proxy server... and the hacker (who is also on an internal IP) changes the proxy port/IP so that he can have all the bandwidth to himself.

Can I find who's doing this without actually logging in to the server machine? I've tried using tcpdump... but I don't know much about using it. Once the hacker has changed the proxy's port/IP only his web browser will have active TCP connections with the server. Can I somehow find his machine by analyzing the network traffic?
Thanks for any help.
 
Old 03-25-2007, 04:12 AM   #2
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109

Rep: Reputation: 97
Hi.

(N.B. I'm assuming here that your proxy host is actually under attack, and that it's not just a weird config issue at play here, but I'm not sold either way.)

If you know the IP from where your attacker has logged in, then it shouldn't be a major problem to find out where the host is. Do a traceroute to the offending IP and find out which router she's connected to.

Some points of interest, though.

1) Your attacker has root on an outward facing server. This is a pretty serious issue, and implies that either the system is vulnerable to a remote exploit which can result in root access, or more likely, that someone has the root password for the system.

2) Why is this system running services like finger?

If you eventually get access to the system (you don't appear to be the admin, so I don't know how likely this is), run 'last' to find out where logins came from (if your attacker has root, though, then there's nothing stopping them from modifying the 'last' database). You might get some joy from running a snoop, to see where network traffic is going, but read the man page first to decide on a decent syntax to filter out legitimate traffic. netstat should show all the live connections to and from the box.

To be honest, though, if there's any doubt about the integrity of the system (especially as root access is involved), then get it off the network, and reinstall-and-patch after doing your forensics.

Dave

Last edited by ilikejam; 03-25-2007 at 04:25 AM.
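One way to act on the netstat suggestion in the reply above, as an added example that is not from either poster: a small Python script that summarises live connections to the proxy port per remote host, so the internal machine holding the proxy connections stands out. It assumes Solaris-style `netstat -an` lines (local.port, remote.port, window counters, state); the sample output and the proxy port 3128 are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of Solaris-style `netstat -an` output (not captured from
# any real host): local.port  remote.port  Swind Send-Q Rwind Recv-Q State
SAMPLE_NETSTAT = """\
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN
      *.3128               *.*                0      0 49152      0 LISTEN
10.0.0.5.3128        10.0.5.17.41022      49640      0 49640      0 ESTABLISHED
10.0.0.5.3128        10.0.5.17.41023      49640      0 49640      0 ESTABLISHED
10.0.0.5.3128        10.0.5.17.41025      49640      0 49640      0 ESTABLISHED
10.0.0.5.3128        10.0.7.42.50110      49640      0 49640      0 TIME_WAIT
10.0.0.5.22          10.0.5.17.55001      49640      0 49640      0 ESTABLISHED
"""

# local_ip.port  remote_ip.port  <counters>  STATE
ADDR_RE = re.compile(r"^(\S+)\.(\d+)\s+(\S+)\.(\d+)\s+.*\s(\S+)$")

def parse_netstat(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state) per connection row."""
    for line in text.splitlines():
        m = ADDR_RE.match(line.strip())
        if not m:
            continue  # header, separator and wildcard listener rows do not match
        lip, lport, rip, rport, state = m.groups()
        yield lip, int(lport), rip, int(rport), state

def connections_by_remote(text, local_port, state="ESTABLISHED"):
    """Count connections per remote host to local_port in the given TCP state."""
    counts = Counter()
    for _lip, lport, rip, _rport, st in parse_netstat(text):
        if lport == local_port and st == state:
            counts[rip] += 1
    return counts

def busiest_client(text, proxy_port):
    """Return (remote_ip, count) for the host holding the most live proxy connections, or None."""
    counts = connections_by_remote(text, proxy_port)
    return counts.most_common(1)[0] if counts else None

if __name__ == "__main__":
    print(connections_by_remote(SAMPLE_NETSTAT, 3128))
    print(busiest_client(SAMPLE_NETSTAT, 3128))
```

Run it against real output with `netstat -an | python3 script.py` style piping after swapping the sample for `sys.stdin.read()`; as the reply notes, anything on a box where root is compromised can be tampered with, so treat the result as a lead, not proof.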
 
All times are GMT -5.