Dead Linux Machines Do Tell Tales

by James Fung
Sept. 1, 2017, SANS Institute, forensics

It was in January of 2002 when we finally recognized the signs of disaster – the IDS reported anomalous activity on port 22, both inbound and outbound. Where there had been little or no traffic before, we now saw dozens of SSH connections to (and from) various foreign nations. We didn’t know what they were doing, because SSH afforded them an encrypted link, but we did know that the center of all this activity seemed to be one of our machines on site.