Question:
Incident Response Report. On June 30, 2004, Hank Law, webmaster at the MacVee Software Company located in Hyattsville, Maryland, detected suspicious activity on its web server. After checking, he detected a sniffer had been placed on Windows.NET Server. He assumed it was being used to record passwords and user names. The server is run on a 960 series Gateway box (2.4 GHz, 1024 MB and 1600 SDRam with a Xeon Processor) and a WinNT4 operating system. A Black Ice firewall system is used. Hank had updated all software with the most recent patches and last performed maintenance on the system May 1, 2004. TCPDUMP, a sniffer, was running on the network connected to the server.
a. In checking the sniffer's logs, he found that some log entries had been altered. He switched to early logs, and found the following log entry: 05:25:10.695000 0A:E5:4D:F3:00:E10 0E:6B:00:F8:00:00 250.14.130.1.5112>135.135.75.6.80: 1386754311:1386754311(0) win855. The unusual aspect of the log entry was the source port 5112. This port is not a commonly used one, and the attacker may have been trying to hide his presence on the compromised computer that he was using to attack MacVee's website. Currently, Hank has not shut the web server down, but he has hardened the access to other parts of the network from the web server, and he added a new sniffer program to the web box called the Effe Tech sniffer v.3.4. Hank is hoping the hacker will come back and Hank will get more identity information about the hacker. Based on the information provided, complete Part II of the Preliminary Incident Response Report in Figure 12.9 in the chapter.
b. Identify the probable IP address the attacker used to enter MacVee's system.
c. What are the advantages and disadvantages of not shutting down the server?
d. Would law enforcement authorities be interested in pursuing this crime through the courts?
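To make the log-reading step in part (a) concrete, here is an added Python example (not from the textbook, the exercise, or any answer key) that splits the quoted tcpdump entry into its fields and classifies the source port against the IANA dynamic range and the 1025-5000 ephemeral range that older Windows versions used for outbound connections. The field layout it assumes (timestamp, source and destination link-layer addresses, `src.port>dst.port:`, sequence numbers, optional `winNNN`), the choice of those two ranges as the definition of a "typical" client port, and the removal of the stray space inside the second link-layer address are all assumptions of this example, not statements from the exercise.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the tcpdump entry quoted in the exercise, with the stray
# space inside the second link-layer address removed so it tokenizes cleanly.
SAMPLE_LINE = ("05:25:10.695000 0A:E5:4D:F3:00:E10 0E:6B:00:F8:00:00 "
               "250.14.130.1.5112>135.135.75.6.80: 1386754311:1386754311(0) win855")

# "a.b.c.d.port": the way tcpdump prints an IPv4 endpoint without name resolution
ENDPOINT = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<port>\d{1,5})$")

# Assumed definition of a "typical" client port: the IANA dynamic range, plus the
# 1025-5000 range that NT4/2000/XP-era Windows used for outbound connections.
IANA_DYNAMIC = range(49152, 65536)
LEGACY_WINDOWS_EPHEMERAL = range(1025, 5001)


@dataclass
class Connection:
    timestamp: str
    src_mac: str
    dst_mac: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: str
    win: Optional[int]


def _endpoint(token: str):
    """Split 'a.b.c.d.port' into (ip, port); reject anything else."""
    m = ENDPOINT.match(token)
    if not m:
        raise ValueError(f"not an ip.port endpoint: {token!r}")
    return m["ip"], int(m["port"])


def parse_tcpdump_line(line: str) -> Connection:
    """Parse one tcpdump TCP line in the layout used by the exercise:
    timestamp, src MAC, dst MAC, 'src.port>dst.port:', 'seq:seq(len)', optional 'winNNN'."""
    fields = line.split()
    if len(fields) < 5 or ">" not in fields[3]:
        raise ValueError("unexpected tcpdump line layout")
    src_tok, dst_tok = fields[3].rstrip(":").split(">")
    src_ip, src_port = _endpoint(src_tok)
    dst_ip, dst_port = _endpoint(dst_tok)
    win = None
    for f in fields[5:]:
        if f.startswith("win") and f[3:].isdigit():
            win = int(f[3:])
    return Connection(fields[0], fields[1], fields[2], src_ip, src_port,
                      dst_ip, dst_port, fields[4], win)


def source_port_is_typical(port: int) -> bool:
    """True if the client port falls in a range an ordinary OS would choose."""
    return port in IANA_DYNAMIC or port in LEGACY_WINDOWS_EPHEMERAL


def triage(line: str) -> dict:
    """Pull out the facts a responder records from this entry: who connected,
    from which port, whether that port looks like a normal client port, and what was hit."""
    c = parse_tcpdump_line(line)
    return {
        "source_ip": c.src_ip,
        "source_port": c.src_port,
        "source_port_typical": source_port_is_typical(c.src_port),
        "target": f"{c.dst_ip}:{c.dst_port}",
        "timestamp": c.timestamp,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINE).items():
        print(f"{key}: {value}")
```

Run as a script it prints the source address, the source port and whether that port looks typical, and the target endpoint for the quoted entry; the same `parse_tcpdump_line` can be applied line by line to a longer capture to list every source address and port that reached the web server on port 80.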
Step by Step Answer: