Team # and Member Name(s)
Course-Section ID
Date of Report
Incident Response Report
Date/Time of Attack Start:
N/A
Date/Time Attack Discovered:
03/24/2022
Attacker Source IP Address (If Known):
N/A
Target System Name/IP Address:
Xubuntu
Target Port or Service:
SSH keys
Result of Attack:
Access to the root user and the system was acquired by an unauthorized user. There is evidence of compromise throughout the system in edited files and services. The system can no longer be considered trustworthy, and additional security controls need to be put in place.
Vulnerability that Allowed the Attack:
The attackers were able to get into the system through an SSH key that had been added without authorization to /root/.ssh/authorized_keys. Only one key was found, so there must be another way for them to gain access that is unknown to our team at this time.
How Discovered:
When searching for how the system had been compromised, we checked the authorized_keys file to see if anything had been added without permission, as there was no evidence of an added user.
How Contained:
Using nano, the unauthorized SSH key was edited: small parts of the key were deleted so that it no longer works, but the file was left in place to see whether the attackers would attempt a different route or assume that something on their end is ineffective.
Remediation Actions/Controls:
A further dive into the system and its SSH access is the main focus on the Xubuntu system. The authorized_keys file will be watched more closely to see if additional SSH keys are added.
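The two checks described under "How Discovered" and "Remediation Actions/Controls" (look for keys in authorized_keys that nobody approved, and watch the file for new additions) can be made repeatable instead of relying on reading the file by eye. The script below is an added example written for this report, not code from the team or from the course; it assumes a hypothetical allowlist of approved key fingerprints that is kept somewhere other than the host being audited, and the key blobs it uses are constructed placeholder bytes, not real SSH keys. The fingerprint it computes uses the same SHA256 base64 form that `ssh-keygen -lf` prints, so allowlist entries can be taken from that command on a trusted machine.

```python
"""Audit an OpenSSH authorized_keys file against an allowlist of key
fingerprints and report keys added since a baseline snapshot.
Added example; the key material below is constructed, not real."""
import base64
import hashlib
import re
from typing import Dict, List, Set

# Key types OpenSSH accepts in authorized_keys (common subset).
# Anything before the key type on a line is the options field.
KEY_TYPE_RE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp(?:256|384|521)|"
    r"sk-(?:ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)"
    r"\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$"
)


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (no '=' padding)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_authorized_keys(text: str) -> List[Dict[str, object]]:
    """One dict per key line; blank lines and comments are skipped,
    lines that do not look like a key are kept and flagged as unparseable."""
    entries: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_TYPE_RE.search(line)
        if m is None:
            entries.append({"line": lineno, "error": "unparseable", "raw": line})
            continue
        entries.append({
            "line": lineno,
            "options": line[: m.start()].strip(),
            "type": m.group(1),
            "fingerprint": fingerprint(m.group(2)),
            "comment": (m.group(3) or "").strip(),
        })
    return entries


def audit(text: str, allowlist: Set[str]) -> List[Dict[str, object]]:
    """Entries whose fingerprint is not approved (unparseable lines are flagged too)."""
    return [e for e in parse_authorized_keys(text) if e.get("fingerprint") not in allowlist]


def added_keys(baseline_text: str, current_text: str) -> Set[str]:
    """Fingerprints present now that were absent from the baseline snapshot."""
    before = {e["fingerprint"] for e in parse_authorized_keys(baseline_text) if "fingerprint" in e}
    after = {e["fingerprint"] for e in parse_authorized_keys(current_text) if "fingerprint" in e}
    return after - before


# Constructed sample key material: base64 of placeholder bytes so the
# example runs offline. These are NOT real SSH public keys.
ADMIN_BLOB = base64.b64encode(b"constructed-admin-key-blob").decode()
BACKUP_BLOB = base64.b64encode(b"constructed-backup-key-blob").decode()
ROGUE_BLOB = base64.b64encode(b"constructed-unknown-key-blob").decode()

# Snapshot taken when the file was last reviewed (constructed).
BASELINE = f"""# keys approved by the team
ssh-ed25519 {ADMIN_BLOB} admin@workstation
from="10.0.0.5",no-pty ssh-rsa {BACKUP_BLOB} backup@server
"""
# What the file looks like after an unapproved key was appended (constructed).
CURRENT_FILE = BASELINE + f"ssh-ed25519 {ROGUE_BLOB} unknown@unknown\n"

# Hypothetical allowlist of approved fingerprints; in practice this lives
# off-host (e.g. in a config repository), not on the machine being audited.
ALLOWLIST = {fingerprint(ADMIN_BLOB), fingerprint(BACKUP_BLOB)}

if __name__ == "__main__":
    for e in audit(CURRENT_FILE, ALLOWLIST):
        print(f"line {e['line']}: UNAUTHORIZED {e.get('type')} "
              f"{e.get('fingerprint')} {e.get('comment')}")
    print("added since baseline:", added_keys(BASELINE, CURRENT_FILE))
```

To use this against a live host, read /root/.ssh/authorized_keys (and each user's ~/.ssh/authorized_keys) into `audit`, and store the previous file contents, or just its fingerprints, as the baseline for `added_keys`; running it from cron or a file-change watcher turns the "watch the file more closely" action into an alert rather than a manual check. Comparing fingerprints rather than raw lines means a key that is re-added with a different comment or options string is still recognised as the same key.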
Result of Remediation:
One point of known access has been removed in the hope that the system can no longer be accessed. More research is required.