THE SCENARIO
You received a call from a new client, Phil’s Awesome Stuff (PAS). PAS is a small company that sells electronic kits and other fun items to customers that like to play with new technology. Their CEO, Dr. Phil Potslar, has called you because the webmaster has reported that the webserver is acting strangely. As luck would have it, PAS is also running Ubuntu 14.04.
After interviewing Phil and the webmaster, you discover that neither of them knows much about Linux. The webmaster has only recently begun using Linux, having dropped Internet Information Services (IIS) as a webserver after learning at a conference how insecure it was. The current system has been up for two months and is built on Apache 2 and MySQL. The web software is written in PHP. The hardware was purchased from a local computer shop two years ago and originally ran Windows 7 before being wiped and upgraded to Ubuntu.
The webmaster reports that the system seems sluggish. A “System Problem Detected” warning message also seems to be popping up frequently. Having completed your interviews, you are now ready to begin a limited live response in order to determine if there has been a breach. Before traveling to PAS, you walked the webmaster through the process of installing Snort and doing a basic packet capture for a little while in order to have some additional data to analyze upon your arrival.