Team # and Member Name(s)
Course-Section ID
Date of Report
Incident Response Report
Date/Time of Attack Start:
03/20/2022
Date/Time Attack Discovered:
03/26/2022
Attacker Source IP Address (If Known):
N/A
Target System Name/IP Address:
Xubuntu
Target Port or Service:
Users
Result of Attack:
Various files and logs were continually being deleted while we searched the system for potential IOCs.
Vulnerability that Allowed the Attack:
An unauthorized user named "nobody" was added to the system with access to parts of it.
How Discovered:
While checking /var/log/auth.log, we found multiple sessions being opened and closed by a user named "nobody".
How Contained:
Access was denied to the user with the command usermod -L nobody. The account remains locked until further notice, and monitoring of this user will continue.
Remediation Actions/Controls:
All other users are also being checked to confirm that there are no other paths of access to our system.
Result of Remediation:
There should no longer be a way to access the system or the root user through other user accounts on the system.
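The following is an added example, not part of the original report, of how the auth.log check under "How Discovered" and the account review under "Remediation Actions/Controls" can be scripted so they are repeatable. It assumes a Debian/Ubuntu-style pam_unix auth.log and /etc/shadow layout; every sample line is constructed, the allowlist of expected users is a hypothetical value, and the function names are our own. Note that Ubuntu ships a system account named nobody (uid 65534) by default, so the script reports whether an account holds a usable password hash and whether it has been locked, rather than judging it by name alone.

```sh
#!/bin/sh
# Added triage helper for this report; not part of the original incident
# documentation. All sample log and shadow lines below are constructed.
# On the host it would be run as:
#   session_counts < /var/log/auth.log
#   sudo cat /etc/shadow | locked_accounts

# Constructed /var/log/auth.log excerpt (pam_unix session lines).
SAMPLE_AUTH_LOG='Mar 20 02:13:44 xubuntu CRON[2140]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 20 02:13:45 xubuntu CRON[2140]: pam_unix(cron:session): session closed for user root
Mar 20 02:15:01 xubuntu sshd[2201]: pam_unix(sshd:session): session opened for user nobody by (uid=0)
Mar 20 02:16:10 xubuntu sshd[2201]: pam_unix(sshd:session): session closed for user nobody
Mar 20 02:20:33 xubuntu sshd[2250]: pam_unix(sshd:session): session opened for user nobody by (uid=0)
Mar 20 02:21:00 xubuntu sudo: pam_unix(sudo:session): session opened for user root by alice(uid=1000)'

# Constructed /etc/shadow excerpt. The "!" prefix on nobody is what
# "usermod -L nobody" adds; "*" means no password was ever set.
SAMPLE_SHADOW='root:$6$saltsalt$fakehashA:19071:0:99999:7:::
daemon:*:19071:0:99999:7:::
nobody:!*:19071:0:99999:7:::
alice:$6$saltsalt$fakehashB:19071:0:99999:7:::'

# session_counts: read auth.log lines on stdin, print "user count" for every
# account that opened a PAM session, sorted by user name. Handles both the
# "user nobody by" and the newer "user nobody(uid=65534) by" spellings.
session_counts() {
  awk '/session opened for user/ {
         for (i = 1; i <= NF; i++)
           if ($i == "user") { u = $(i + 1); sub(/\(.*$/, "", u); n[u]++; break }
       }
       END { for (u in n) print u, n[u] }' | sort
}

# sessions_for USER: number of sessions USER opened (0 if none), stdin as above.
sessions_for() {
  session_counts | awk -v u="$1" '$1 == u { print $2; found = 1 } END { if (!found) print 0 }'
}

# unexpected_session_users "ALLOWLIST": users that opened sessions but are not
# in the space-separated ALLOWLIST of accounts expected to log in.
unexpected_session_users() {
  allow=" $1 "
  session_counts | while read -r u n; do
    case "$allow" in
      *" $u "*) ;;
      *) echo "$u" ;;
    esac
  done
}

# locked_accounts: shadow lines on stdin; print accounts whose password field
# starts with "!" (locked with usermod -L or passwd -l).
locked_accounts() {
  awk -F: '$2 ~ /^!/ { print $1 }'
}

# active_accounts: shadow lines on stdin; print accounts that still hold a
# usable password hash (field starts with "$"), i.e. can log in by password.
active_accounts() {
  awk -F: '$2 ~ /^\$/ { print $1 }'
}

# passwordless_accounts: shadow lines on stdin; an empty password field means
# the account needs no password at all, which the review should catch.
passwordless_accounts() {
  awk -F: '$2 == "" { print $1 }'
}

# Stand-alone run against the constructed samples.
printf '%s\n' "$SAMPLE_AUTH_LOG" | session_counts
echo "unexpected: $(printf '%s\n' "$SAMPLE_AUTH_LOG" | unexpected_session_users "root alice")"
echo "locked: $(printf '%s\n' "$SAMPLE_SHADOW" | locked_accounts)"
echo "password-enabled: $(printf '%s\n' "$SAMPLE_SHADOW" | active_accounts | tr '\n' ' ')"
echo "passwordless: $(printf '%s\n' "$SAMPLE_SHADOW" | passwordless_accounts)"
```

Against the constructed samples the script reports two sessions opened by nobody, flags nobody as the only account outside the allowlist, shows nobody as locked after the usermod -L step, and lists root and alice as the accounts that still have a usable password and so belong in the "other users" review.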