You have been contacted by management at "Compromise.com". Complaints have been made to various spam-reporting services that spam has been seen from the outfacing NAT IP number for "Compromise.com". The company suspects that one or both of their webservers has been compromised.
You have been given internal access to their LAN (192.168.128.*). The two webservers' IP numbers in the LAN are 192.168.128.10 and 192.168.128.11.
The company would prefer that you do a clean investigation without talking to their technical people, so you don't know anything about the actual hardware or software involved.
Your task is to investigate and observe from today until Wednesday, February 9th at noon for any compromises or other anomalous behavior by either of the servers; if you find any compromise, further investigate it and determine what has occurred and what can be done to remediate the situation. However, you are not to actually fix the situation, only record your findings.
Your Work Product:
Bear in mind that with live forensics that both computer state and cybercrime activity are dynamic; whether or not you have had any success in the early part of the investigation week, you will want to recheck the state of the servers at various times to see if there are changes. Also remember that there 27 other people attempting the same investigation, so you most likely will see their footprints also.
(1) Email the "results.txt" file to me at "langley AT cs.fsu.edu".
(2) Print out the write-up of your experiences, and give that to me at the beginning of class on Feburary 10th.