Discovery, Eradication and Analysis of an attack on an open system: Welcome to the Jungle

Discovery, Eradication and Analysis of an attack on an open system: Welcome to the Jungle (PDF, 1.98MB)

Published: 22 Aug, 2003
Created by: Steve Terrell

In February 2003, the computing system of a small school in the Midwest was compromised by the installation of a rootkit. My role in the incident was as the Senior Network Administrator and operations manager. Section one of this paper begins with a picture of the school, its history, and its policies regarding the use of computing and information resources. I then present the technical architecture of the system and the security measures that were already in place. Section two relates how the compromise was discovered and analyzed, and what procedures were followed to accomplish initial recovery and to restore critical services as soon as possible. I also look at how further forensic analysis was carried out to make sure the system was as safe as possible from any immediate recurrence of the attack. Section two includes a brief technical analysis of the compromise itself; the appendix includes the actual code and scripts used in the exploit. The third section of this paper relates the procedures and policies that were put into effect after the attack to increase the security of the system, and how those procedures might affect the way the system will be used in the future to conduct the business of the school.