
Notes:
The first event involved a phone call from a parent organization regarding an apparent break-in of our DNS server overnight. The parent CERT monitored our traffic remotely with an IDS of their own. We monitored our own traffic using an IDS of our choosing and Shadow. The parent CERT wanted us to examine what evidence we may have had concerning the break-in.
For starters, we examined tcpdump output for the time of the reported event to determine what happened.
So, tcpdump records were dumped for the site:
tcpdump -r tcpdumpfile 'host hostile-IP and host compromised-IP'
where hostile-IP and compromised-IP were the actual IPs.
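As an added illustration (not part of these notes), the following Python reimplements that host-pair selection over a constructed pcap, so the same extraction can be scripted and counted per direction during triage. The capture, MAC addresses and IPs (RFC 5737 documentation ranges) are synthetic, and only IPv4-over-Ethernet frames are considered.

```python
import ipaddress
import struct

def ipv4_packet(src, dst, proto=6):
    """Constructed Ethernet+IPv4 frame with no payload (zeroed MACs)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + hdr

def build_pcap(frames):
    """Minimal little-endian pcap: global header (linktype 1) + records."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def iter_ipv4(pcap):
    """Yield (ts, src, dst, proto) for each IPv4 frame in a pcap blob."""
    magic, = struct.unpack_from("<I", pcap, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(pcap):
        ts, _, caplen, _ = struct.unpack_from(endian + "IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 (or truncated): skip
        src = str(ipaddress.IPv4Address(frame[26:30]))
        dst = str(ipaddress.IPv4Address(frame[30:34]))
        yield ts, src, dst, frame[23]

def host_pair(pcap, a, b):
    """Same selection as tcpdump 'host a and host b': both directions."""
    return [p for p in iter_ipv4(pcap) if {p[1], p[2]} == {a, b}]

def direction_counts(pcap, a, b):
    """Packets per direction between the two hosts, for a quick triage view."""
    counts = {f"{a}->{b}": 0, f"{b}->{a}": 0}
    for _, src, dst, _ in host_pair(pcap, a, b):
        counts[f"{src}->{dst}"] += 1
    return counts

# Constructed sample: a hostile host talking to the DNS server, plus noise.
HOSTILE, COMPROMISED = "198.51.100.7", "192.0.2.53"
SAMPLE_PCAP = build_pcap([
    ipv4_packet(HOSTILE, COMPROMISED),
    ipv4_packet(COMPROMISED, HOSTILE),
    ipv4_packet("192.0.2.10", COMPROMISED),        # ordinary client query
    ipv4_packet(HOSTILE, "192.0.2.11", proto=17),  # hostile host, other target
])
```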