As part of a course I'm doing, the instructor presents a case study. I am a bit stuck and do not know where to find further information. If anyone could point me in the right direction, I would appreciate it.
In this case study, a network consisting of Red Hat Linux mail and file servers, a proprietary SIEM server, and multiple Windows 2012 servers was attacked.
It is noted that:
- VMProtectss and NetCat were installed
- There was streaming traffic to a URL ending in port 9091
- Ports 9091 and 9092 were opened, and only one packet was sent to a URL ending in port 9092
- The Linux servers have not been updated recently and were not infected
- No data changes took place
From what I understand so far, VMProtectss is a Windows-based cryptominer, and NetCat could be a C2 element that establishes a TCP/UDP connection.
I think the single packet to 9092 was a confirmation that NetCat had been installed and had opened the connection for an extended intrusion.
I do not know what the streaming traffic to 9091 could be.
The questions they ask are:
- What could happen on the Linux servers?
- What was the impact on the network, and was there a data breach?
- What methods would be used to remove the malicious code?
I am not expecting anyone to answer these questions for me; I would rather know where I can go to find more information.
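One way to get a foothold on the traffic part of this case study is to triage the flow data yourself. The script below is an added example written for this thread; it is not the poster's code and not part of the course material. It reads a small constructed conn.log-style excerpt (Zeek field order, tab-separated), aggregates flows per destination and port, and labels each destination as a single-packet contact (the 9092 pattern), a sustained stream (the 9091 pattern), or normal. It then parses constructed `ss -tlnp` output from a Linux host to list LISTEN sockets owned by a netcat binary. The byte/duration thresholds, the remote addresses, the PIDs, and the log lines are all assumptions made for the example.

```python
"""Flow and listener triage for the 9091/9092 scenario.

Example code for this thread, not from the course. All sample data below is
constructed; thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict

# Constructed Zeek-style conn.log excerpt (tab-separated, subset of fields):
# ts  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto  duration  orig_bytes  orig_pkts
SAMPLE_CONN_LOG = """\
1700000000.100\t10.0.0.15\t49211\t203.0.113.7\t9092\ttcp\t0.002\t42\t1
1700000001.000\t10.0.0.15\t49212\t203.0.113.7\t9091\ttcp\t612.5\t1048576\t1873
1700000002.000\t10.0.0.15\t49213\t203.0.113.7\t9091\ttcp\t598.1\t987654\t1644
1700000003.000\t10.0.0.22\t51000\t93.184.216.34\t443\ttcp\t1.2\t2048\t12
"""


def parse_conn_log(text):
    """Turn the tab-separated excerpt into a list of flow dicts; skips comments."""
    flows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        flows.append({
            "ts": float(f[0]), "src": f[1], "dst": f[3], "dport": int(f[4]),
            "proto": f[5], "duration": float(f[6]),
            "bytes": int(f[7]), "pkts": int(f[8]),
        })
    return flows


def summarize_by_dest(flows):
    """Aggregate per (dst, dport): flow count, packets, bytes, total duration."""
    agg = defaultdict(lambda: {"flows": 0, "pkts": 0, "bytes": 0, "duration": 0.0})
    for fl in flows:
        a = agg[(fl["dst"], fl["dport"])]
        a["flows"] += 1
        a["pkts"] += fl["pkts"]
        a["bytes"] += fl["bytes"]
        a["duration"] += fl["duration"]
    return dict(agg)


def classify(summary, stream_bytes=100_000, stream_seconds=60.0):
    """Label each destination.

    'single-packet'    : exactly one packet ever sent (a check-in or probe)
    'sustained-stream' : large or long-lived transfer (the "streaming" pattern)
    'normal'           : everything else
    Thresholds are assumptions for the example, not tuned values.
    """
    labels = {}
    for key, a in summary.items():
        if a["pkts"] == 1:
            labels[key] = "single-packet"
        elif a["bytes"] >= stream_bytes or a["duration"] >= stream_seconds:
            labels[key] = "sustained-stream"
        else:
            labels[key] = "normal"
    return labels


# Constructed `ss -tlnp` output as it might look on one of the Linux servers.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      10     0.0.0.0:9092      0.0.0.0:*         users:(("nc",pid=4412,fd=3))
LISTEN 0      128    127.0.0.1:25      0.0.0.0:*         users:(("master",pid=901,fd=13))
"""

NETCAT_NAMES = {"nc", "netcat", "ncat", "nc.openbsd", "nc.traditional"}


def find_netcat_listeners(ss_text):
    """Return (port, process, pid) for LISTEN sockets owned by a netcat binary."""
    hits = []
    for line in ss_text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 6 or parts[0] != "LISTEN":
            continue
        port = int(parts[3].rsplit(":", 1)[1])  # works for "[::]:22" too
        proc = parts[5]
        name = proc.split('"')[1] if '"' in proc else ""
        pid = int(proc.split("pid=")[1].split(",")[0]) if "pid=" in proc else -1
        if name in NETCAT_NAMES:
            hits.append((port, name, pid))
    return hits


if __name__ == "__main__":
    labels = classify(summarize_by_dest(parse_conn_log(SAMPLE_CONN_LOG)))
    for (dst, dport), label in sorted(labels.items()):
        print(f"{dst}:{dport:<5} {label}")
    for port, name, pid in find_netcat_listeners(SAMPLE_SS):
        print(f"netcat listener on port {port} ({name}, pid {pid})")
```

On a real host you would feed `classify` the output of Zeek (or any flow export with packet and byte counts) and `find_netcat_listeners` the live output of `ss -tlnp`; the point of the two labels is that a one-packet contact and a long, high-volume stream to the same remote host are different events and should be investigated separately.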