Forensics: Getting to the bottom of a security breach


Bibliographic details
Published in: Java world 2000-07, p.1
Main author: Fennelly, Carole
Format: Magazine article
Language: eng
Online access: Full text
Description
Summary: It all started when my friend Mac sent me an urgent email asking for help in tracking down a security incident (see Sidebar 1). Mac was covering for the lead admin on the affected site and was in a bit over his head. The abuse contact for his site had received a complaint that someone from the site was harassing people in an Internet relay chat room (see Sidebar 2). Apparently, BNC was being used to mask the real IP address of the offender. The /proc filesystem is handled differently on Solaris than on Linux, which brought up some questions for RFP (see Sidebar 7). I recalled that Peter Baer Galvin had written a great article about the tools available in /proc (see Resources) and pointed RFP in that direction (see Sidebar 8). Back issues of SunWorld can be very useful! Using the /proc tools, RFP proceeded to find the location of the BNC proxy (see Sidebar 9). He also discovered that ls wasn't behaving properly, which suggested that a Trojan ls had been installed. I later confirmed with RFP that the ls -l command gave no output, when it should have at least given "total 0" if there were no files to be listed in a directory. Because RFP had previously remarked that ps was not helpful, it looked like a rootkit was installed on the system.
ISSN:1091-8906