
Identifying Network Intrusions – Using Virtual Machine

Jack Jehosaphat is the CEO and network administrator for a small software development company. Mr. Jehosaphat contacted Palindrome regarding suspicious behavior on his server. He believes that someone has violated company policy by accessing accounts and information on the server to which the user had no legitimate authority.

The company has four employees: Fred Mertz, Ethel Mertz, Lucy Ricardo, and Ricky Ricardo, all programmers. Fred and Ethel are long-time programmers and UNIX users who have been with the company for 10 years. Lucy and Ricky were recently hired as temporary employees to work on a contract to provide source code for a governmental agency. Mr. Jehosaphat has been working with UNIX for the last three years.

Ms. Wilde met with Mr. Jehosaphat at his office to discuss the matter; a few photographs of his office and computer setup were taken at this meeting. (see photo at the end of this document).

During the meeting, Ms. Wilde asked Mr. Jehosaphat some simple questions regarding his employees and company policies regarding access. Here are his answers:

1. Everyone has an account on the server. User access is restricted to the user’s home directory only.

2. Employees use ssh to connect to the server to do development work. No one is allowed to share account information, or to access another user’s information or files. Such behavior would be an immediate cause for termination according to their company contract.

3. The computer configurations on the network are as follows:

   a. Server – Ubuntu 10.10 server – 192.168.49.128
   b. Fred Mertz – Linux – 192.168.49.130
   c. Ethel Mertz – Linux – 192.168.49.133
   d. Lucy Ricardo – Windows XP – 192.168.49.131
   e. Ricky Ricardo – Windows XP – 192.168.49.134
   f. Jack Jehosaphat – Linux – 192.168.49.132

4. Employees use email to communicate. Note there’s a file named ‘mbox’ (a simple text file) in each user’s home directory.

5. Mr. Jehosaphat had some trouble setting up access over Samba for the Windows users and set up a public (no password) access directory instead.

6. Mr. Jehosaphat indicated that no employee has ‘root’ (sudo) access on the server except himself (with one exception; keep reading).

7. At Ms. Wilde’s request, Mr. Jehosaphat set up a non-employee account named ‘expert’ with root access (via sudo) so that you can access the server. The password is ‘expert1111’.

8. Mr. Jehosaphat was asked if he ever used the password on the server as a password on another account (Gmail, Yahoo, Facebook, etc.). He said ‘never.’

9. When asked why he thought something was awry, Mr. Jehosaphat indicated ‘that he thought he saw something weird in the logs, and one time he ran ‘who’ and he thought he saw the same IP address listed twice, but then it went away.’ I asked him what ‘log’ he was talking about, and he couldn’t remember…

Here is the text from Mr. Jehosaphat that provides you with the authority to access any and all files on the server:

“TO WHOM IT MAY CONCERN:

RE: Incident response

I grant Erica Wilde and her agents at Palindrome Consulting, any and all rights necessary to perform computer operations, and access to all files and directories, on my server.

Sincerely,

Jack Jehosaphat”

Identifying Network Intrusions Tasks:

Your task is to identify any behavior that violates the company’s policies as described above. Note that what you’ve been provided with is a ‘toolbox.’ As with any job, you will not use all of the tools. You must apply the background knowledge provided above, some of which may be relevant and some not (just like real life).

Note that you’ve already been provided with some hints (mbox; ssh – where does ssh authentication information get written?). Also review the usual suspects, such as account information; there are more than two files you’ll need to review.
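The ssh hint points at /var/log/auth.log, which is where Ubuntu 10.10’s sshd records accepted and failed authentications and where sudo records every command it runs. As an added example (my own code, not part of the assignment and not the scenario’s evidence), the Python script below reads those entries and cross-checks each login’s source address against the workstation addresses in the configuration list above; an account logged into from a machine assigned to a different employee is exactly the kind of policy violation the scenario describes, and sudo use by anyone other than the administrator or the ‘expert’ account is another. The account names (fred, ethel, lucy, ricky, jack, expert) are assumed to be lower-case first names, and the sample log lines are constructed for the example; confirm the real names in /etc/passwd before relying on the mapping.

```python
import re
from dataclasses import dataclass

# Workstation-to-owner table from the scenario's configuration list. Account
# names are an assumption (lower-case first names); check /etc/passwd.
HOST_OWNER = {
    "192.168.49.128": "server",
    "192.168.49.130": "fred",
    "192.168.49.133": "ethel",
    "192.168.49.131": "lucy",
    "192.168.49.134": "ricky",
    "192.168.49.132": "jack",
}

# Accounts the scenario says may run sudo: the administrator and the investigator.
SUDO_ALLOWED = {"jack", "expert"}

# Ubuntu 10.10 /var/log/auth.log line formats. Syslog timestamps carry no year.
SSH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sudo:\s+(?P<user>\S+) : "
    r".*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


@dataclass
class Finding:
    ts: str      # syslog timestamp as written in the log (no year)
    user: str    # account involved
    ip: str      # source IP, or "-" for local sudo entries
    reason: str  # why this line matters for the policy question


def audit_auth_log(lines):
    """Return policy-relevant events from auth.log lines, in log order."""
    findings = []
    for line in lines:
        line = line.rstrip("\n")
        m = SSH_RE.match(line)
        if m:
            user, ip = m["user"], m["ip"]
            owner = HOST_OWNER.get(ip, "unknown host")
            if owner == user:
                continue  # a user logging in from their own workstation
            if m["result"] == "Accepted":
                reason = f"login to '{user}' from host assigned to {owner}"
            else:
                reason = f"failed login to '{user}' from host assigned to {owner}"
            findings.append(Finding(m["ts"], user, ip, reason))
            continue
        m = SUDO_RE.match(line)
        if m and m["user"] not in SUDO_ALLOWED:
            findings.append(Finding(m["ts"], m["user"], "-",
                                    f"sudo as {m['target']}: {m['cmd']}"))
    return findings


# Constructed sample lines in the real auth.log format. They are made up for
# this example and say nothing about what the scenario's server actually logged.
SAMPLE_AUTH_LOG = """\
Dec  1 09:40:11 server sshd[2201]: Accepted password for fred from 192.168.49.130 port 41022 ssh2
Dec  1 09:52:03 server sshd[2250]: Failed password for fred from 192.168.49.131 port 49150 ssh2
Dec  1 09:52:19 server sshd[2250]: Accepted password for fred from 192.168.49.131 port 49150 ssh2
Dec  1 10:05:44 server sudo:     jack : TTY=pts/0 ; PWD=/home/jack ; USER=root ; COMMAND=/usr/bin/tail /var/log/auth.log
Dec  1 10:07:02 server sudo:     fred : TTY=pts/1 ; PWD=/home/fred ; USER=root ; COMMAND=/bin/cat /etc/shadow
""".splitlines()


if __name__ == "__main__":
    import sys
    # Usage: python3 audit_auth.py /path/to/copy/of/auth.log
    # (run it over auth.log.1 and zcat'ed auth.log.*.gz too, since logs rotate)
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_AUTH_LOG
    for f in audit_auth_log(src):
        print(f"{f.ts}  {f.user:<8} {f.ip:<16} {f.reason}")
```

Copy auth.log, auth.log.1 and any rotated auth.log.*.gz off the server and run the script against the copies rather than analysing on the live box. A mismatch between account and source host is a lead, not proof: syslog timestamps carry no year, addresses can be reassigned, and a user may have a legitimate reason to log in from a colleague’s desk. Corroborate with `last -f /var/log/wtmp` (login sessions, which is also where the duplicated entries Mr. Jehosaphat remembers from `who` would have come from), `lastlog`, and each account’s ~/.bash_history.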

 

Deliverables:

A professional-quality technical report written in two sections. The first is a one-paragraph summary written in non-technical language that explains what you were requested to do, what you did, and your results.

The second part will be your technical analysis. Provide an explanation of the steps you used to identify the ‘perpetrator.’ You should provide screen shots, or copies of text, of the relevant portions of the information you found that point to the violations, but you must also provide an explanation of the screen shot or text, and why you believe the information points to a violation of policy.

I want to see a timeline of what happened. Create a table in your report which should note the date/time, the person involved with the activity, and the activity. You do not need to note everything that everyone did. There’s some superfluous stuff and it’s your job to figure out what’s relevant and what is not. There’s an incident that occurred that violated company policy. Figure out what happened, identify the culprit, then identify the evidence trail.

Example: Timeline (made up):

Date      | Time   | Person | Activity          | Interpretation
12/1/2015 | 9:45AM | Ricky  | Emails Jehosaphat | Ricky is mad that his SAMBA is not working, complains to Jeo. Included screen capture in appendix of the email (Exhibit 1)
12/1/2015 | 9:46AM | Jeo    | Emails Ricky      | Jeo says ‘stuff it.’ Included screen capture in appendix of the email (Exhibit 2)
12/1/2015 | 9:47AM | Ricky  | Emails Lucy       | Complains that Jeo is ignoring him. Included screen capture in appendix of the email (Exhibit 3)
etc.
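Since each user’s mbox is plain text, the email part of the timeline can be built mechanically. As an added example (my own code, not the assignment’s), the script below splits an mbox on its ‘From ’ envelope lines, takes the delivery timestamp that the local mail system stamped on each envelope (the sender-written Date: header is under the sender’s control and is only a cross-check), and renders one row per message in the Date/Time/Person/Activity/Exhibit layout the deliverables ask for. The sample mbox is constructed for the example and is not the scenario’s mail; it assumes local addresses of the form user@localhost.

```python
from dataclasses import dataclass
from datetime import datetime
from email import message_from_string
from email.utils import parseaddr

# Timestamp layout of an mbox envelope line: "From user@host Tue Dec  1 09:45:00 2015"
ENVELOPE_FMT = "%a %b %d %H:%M:%S %Y"


@dataclass
class TimelineRow:
    when: datetime
    person: str
    activity: str
    exhibit: str


def split_mbox(text):
    """Split mbox text on 'From ' envelope lines; return (delivered, message) pairs.

    The envelope timestamp is what the local delivery agent wrote when the mail
    landed in the mbox, so it is used rather than the sender-written Date: header.
    """
    chunks, envelope, current = [], None, []
    for line in text.splitlines():
        if line.startswith("From "):          # "From:" (with colon) is a header, not a separator
            if envelope is not None:
                chunks.append((envelope, current))
            envelope, current = line, []
            continue
        current.append(line)
    if envelope is not None:
        chunks.append((envelope, current))

    parsed = []
    for env, body_lines in chunks:
        stamp = env.split(None, 2)[2]         # drop "From" and the sender address
        delivered = datetime.strptime(stamp, ENVELOPE_FMT)
        parsed.append((delivered, message_from_string("\n".join(body_lines))))
    return parsed


def local_part(header_value):
    """'Ricky Ricardo <ricky@localhost>' -> 'ricky' (assumes user@host addresses)."""
    return parseaddr(header_value or "")[1].split("@")[0]


def mbox_timeline(text, first_exhibit=1):
    """One timeline row per message, numbered as exhibits and sorted by delivery time."""
    rows = []
    for n, (delivered, msg) in enumerate(split_mbox(text), start=first_exhibit):
        rows.append(TimelineRow(delivered, local_part(msg["From"]),
                                f"Emails {local_part(msg['To'])}: {msg['Subject']}",
                                f"Exhibit {n}"))
    return sorted(rows, key=lambda r: r.when)


def format_table(rows):
    """Render rows in the Date / Time / Person / Activity / Exhibit layout."""
    lines = [f"{'Date':<10} {'Time':<7} {'Person':<8} {'Activity':<40} Exhibit"]
    for r in rows:
        lines.append(f"{r.when:%m/%d/%Y} {r.when:%I:%M%p} {r.person:<8} "
                     f"{r.activity:<40} {r.exhibit}")
    return "\n".join(lines)


# Constructed sample mbox for the example; it is not the scenario's mail.
SAMPLE_MBOX = """\
From ricky@localhost Tue Dec  1 09:45:00 2015
From: ricky@localhost
To: jack@localhost
Subject: samba share still broken
Date: Tue, 1 Dec 2015 09:45:00 -0500

The share still asks me for a password I do not have.

From jack@localhost Tue Dec  1 09:46:00 2015
From: jack@localhost
To: ricky@localhost
Subject: Re: samba share still broken
Date: Tue, 1 Dec 2015 09:46:00 -0500

Use the public directory for now.
"""


if __name__ == "__main__":
    import sys
    # Usage: python3 mbox_timeline.py /path/to/copy/of/mbox [first exhibit number]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MBOX
    start = int(sys.argv[2]) if len(sys.argv) > 2 else 1
    print(format_table(mbox_timeline(text, start)))
```

Run it over a copy of each user’s mbox in turn, passing the next free exhibit number so the numbering stays continuous across users, then merge the email rows with the login and sudo events from auth.log by hand. Where a message’s Date: header disagrees noticeably with its envelope timestamp, note that in the Interpretation column; a sender-side clock that is wrong, or a header that was edited, is itself worth a line in the report.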

 

 

There aren’t a lot of files for the users in the scenario, but there is a lot of ‘activity.’ I want you to find it all, including but not limited to:

1. Who is the user in violation of the company policy?

2. How did this user gain unauthorized access? When? If more than once, indicate as such. Provide evidence.

3. What did this user do once they acquired access? Explain how you identified this behavior. Whoever it was did LOTS of stuff. Prove it. Note: Some of what you will find will clearly indicate what the perpetrator did; other information may only suggest what the perpetrator did. Indicate as such. Include screen shots or files in the Appendix of your report. Label them “Exhibit 1”, “Exhibit 2”, etc. and refer to them as such in your report.

4. Did the user acquire any information to which they had no rights? Explain how you identified this behavior.

Summary: You should provide a summary description of the events that occurred using the timeline you created. Include that at the end of your report.

Here’s a photo of Jeo working in this office the day after the incident occurred

Last Updated on April 25, 2019
