unix linux investigation by yuli chen rajesh menon & joe meslovich 2002 fall
8/12/2019 UNIX Linux Investigation by Yuli Chen Rajesh Menon & Joe Meslovich 2002 Fall
Procedures in Intrusion Investigation of a UNIX/Linux Host
CS-585F: Computer-Related Law and Computer Forensics
Fall 2002
Yu-Li Chen
Rajesh Menon
Joe Meslovich
Table of Contents
Abstract
Acknowledgements
Introduction
Signs of a Compromised UNIX/LINUX System
Ways To Preserve Evidence
Investigation of a Linux System
Collection Of Evidence
Analysis Of Evidence
Summary
Bibliography
Abstract
UNIX and Linux systems are vulnerable to various forms of network attacks. Depending on the diligence of the people administering these systems, they can either be extremely easy or extremely difficult to gain unauthorized access to. This document is a case study on how to perform an intrusion detection analysis on a UNIX host in general, and more specifically a Linux system.
Acknowledgements
We would like to express our sincere thanks to Dr. Abzug for his help on this project. We would also like to extend thanks to the Bridgewater College Information Technology Center for the use of their facilities and equipment throughout this process.
Introduction
UNIX does not have a good reputation for reliability or security (Gallmann, 1999). Although UNIX does offer some effective security features, such as login and user accounts which are saved in the /etc/passwd file, access control with a granularity of owner, group, and world, and log files (/usr/adm/lastlog, /var/adm/utmp, /var/adm/wtmp/, /var/adm/acct), UNIX systems directly connected to the Internet are often subject to hacking attempts (Kruse & Heiser, 2002).
The skill and knowledge to investigate a compromised Unix system and the ability to respond to a computer security incident have become essential for both UNIX users and forensic investigators.
The contents of this document will begin with looking for the signs of a compromised UNIX system, and then proceed to preserving and gathering evidence. After collecting information and seizing the data we need, the next step is to analyze the file system to look for modifications to data and review log files to examine signs of intrusion.
This document will also include an intrusion investigation of a server owned by the ABC Corporation. The administrators of the system have seen log evidence to suggest repeated attempts to gain access to the server from unauthorized hosts. Included will be the steps that the investigators chose to take in this particular investigation, and an analysis of the outcome of their efforts. A recurring concern of the investigators will be the fact that the server was a production server, and that the administrators would not allow the server to be taken offline during the investigation.
Signs of a compromised UNIX/Linux system
1. Examine log files for connections from unusual locations, or other unusual activity.
This file in the /var/log directory contains binary information for every user currently logged in. This is only useful to determine who is currently logged in. A way to access this data is either the who command, or the w command.
wtmp
Every time a user successfully logs in, logs out, or your machine reboots, the wtmp file in the /var/log directory is modified. This is a binary file; the tool used to obtain useful information is last.
secure
Some versions of UNIX (
will set a network interface in promiscuous mode. Detecting an interface in promiscuous mode does not necessarily mean that an intruder's sniffer is running on a system.
5. Examine files run by 'cron' and 'at'.
Intruders may leave back doors in files run from cron or submitted to at. The cron and at commands are used to schedule commands and processes that repeat at specified intervals. These techniques can let an intruder back on the system (even after you believe you had addressed the original compromise). Also, verify all files/programs referenced (directly or indirectly) by the cron and at jobs.
# at -l
# crontab -l
6. Check for unauthorized services.
Inspect /etc/inetd.conf or /etc/xinetd.conf for unauthorized additions or changes. In particular, search for entries that execute a shell program (for example, /bin/sh or /bin/csh) and check all programs that are specified in /etc/inetd.conf to verify that they are correct and haven't been replaced by Trojan horse programs. Also check for legitimate services that you have commented out in your /etc/inetd.conf. Intruders may turn on a service that you previously thought you had turned off, or replace the inetd program with a Trojan horse program.
7. Examine /etc/passwd file.
Check the /etc/passwd file on the system for modifications to that file, and look for the unauthorized creation of new accounts, accounts with no passwords, or UID changes (especially UID 0) to existing accounts. For example, we can use stat /etc/passwd to look at access and modification information, and use cat /etc/passwd to show the contents of the file.
8. Check system and network configuration.
Find any unauthorized entries, especially '+' (plus sign) entries and inappropriate non-local host names in /etc/hosts. Furthermore, confirm that these files existed prior to any intrusion and were not created by the intruder.
9. Look everywhere for unusual or hidden files.
Files that start with a period . and are normally not shown by ls can be used to hide tools and information. A common technique on UNIX systems is to put a hidden directory in a user's account with an unusual name, something like '...' or '.. ' or '..^G'. The find program can be used to look for hidden files, for example:
# find / -name '.. ' -print -xdev
# find / -name '.*' -print -xdev | cat -v
10. Examine all machines on the local network.
Most of the time, if one host has been compromised, others on the network have been, too.
(CE
When UNIX systems are shut down with the shutdown command, all services are cleanly shut down and cached file system buffers are flushed; data is written to disk and can be captured as part of a system memory image.
Video
The current screen can be captured and provide useful information, and that information is stored in
It is possible for an attacker to mess with the routing tables and even hack the address resolution that maps an Ethernet card's MAC addresses to an IP address (Kruse & Heiser, 2002). We can use netstat to display the routing tables and arp to capture the address resolution tables.
# netstat -rn
# arp -v
We can capture all of this data in one file along with the date command to timestamp the action.
# (date; netstat -p; netstat -rn; arp -v) > suspect.netstatus.txt
Running processes
Unix supplies a number of utilities that provide information on the set of all running processes or provide details on a specific running process. Those utilities are:
ps             Displays a list of all running processes with details about their context and state.
last, w, who   Get listings of logged in users, prior logins, etc.
uptime         Shows current processing load and 2 previous load values. Provides an understanding of current and recent activity.
top            Useful diagnostic tool when the system is running slowly. Password cracking tools will show up clearly with top.
lsof           Provides a list of all currently open files and the processes that have opened them.
fuser          Identifies which processes are using a specific file or network socket.
strace         Lists all system calls being made by a running process.
truss, ktrace  Earlier versions of system call trace.
ltrace         Library routine trace.
(Kruse & Heiser, 2002)
The /proc directory is a pseudo-filesystem that provides a structured interface to /dev/kmem. Every process in memory has a directory in /proc associated with it named after its process ID (PID). At the time of this writing, no attacks that hide /proc entries have been reported, making /proc a more reliable guide to currently running processes than the commonly hacked ps utility [Kruse 2002]. You should collect a quick list of the PID directories in /proc so that you can compare it later with the output of ps. If a process is missing from the ps output that does appear in /proc, that is a clue that ps might have been trojanned.
# ls -d /proc/[0-9]* > suspectproc.txt
Signs of hostile processes:
Any discrepancy between ps, top, and /proc. PIDs that appear in top or /proc but not in ps may have been deliberately hidden.
Unrecognized commands, especially ones that start with a . or ./, are clear indications that the application was started manually.
Daemons running more than once that should be running only once, such as inetd. That means the second one was started manually. This is usually a sign of a trojanized version.
High uptimes (high system utilization) and especially a process using an unusual level of system resources. Some processor intensive program such as cryptanalysis, bogus I
Command on the suspect machine:
# cat /etc/passwd /etc/shadow | nc 192.168.0.2 10000 -w3
The nc executable running on the listening host runs until it receives a connection and then the connection is broken. At this point the execution stops and the output file is closed. The -w3 option on the transmitting host means to wait 3 seconds after the data has been sent and then time out.
2. Log the investigation steps carried out on the suspect system.
Command:
# script investigation.txt
The script command ensures that everything done on the suspect system console is documented into a file (investigation.txt) for evidentiary value. This phase is important to carry out the investigation as methodically and carefully as possible. The file would enumerate the systematic flow of commands used on the suspect system to elicit pertinent information. This is also important to convince management of the need for a response capability if a security breach is discovered by the investigation.
3. Maintain a journal to enumerate the results of the investigation.
The findings from the commands run or the steps taken in the investigation are clearly documented so as to show the logical development of the investigative process and to function as an aid for refreshing the memory and making the investigative report.
4. Verify the date and time of the suspect system and determine the DNS name and OS version of the system.
Commands:
# date
# uname -a
Commands that make the current time and the hostname the first two items to appear in the script file on the suspect system. The system time is further noted in the journal maintained by an investigator. Any discrepancies between the system clock and the real time would have been noted. The second command would also give information about the operating system, for instance the version of the kernel for the particular Linux OS.
5. Obtain the screenshot of the suspect system's desktop.
Command:
# xwd -display localhost:0 -root > screenshot.xwd
The screenshot of the suspect system desktop is obtained with the 'xwd' command and a copy is sent to the collection system using the netcat command. A program such as the Linux graphics editor GIMP will have to be used to convert the file from the xwd format to a more usable format such as jpeg.
6. Save the copies of the suspect's password and shadow files to the collection system.
Command:
# cat /etc/passwd /etc/shadow | nc 147.138.6.5 10001 -w3
The password and shadow files are saved and the copies are sent to the collection system using the netcat command.
7. Obtain the copies of the suspect's normal memory and kernel memory files to the collection system.
Commands:
# dd bs=1024 < /dev/mem | nc 147.138.6.5 10002 -w3
# dd bs=1024 < /dev/kmem | nc 147.138.6.5 10003 -w3
Since Linux considers everything as a file, it makes it easy to copy and save the contents of the system memory.
8. Run the command that sends the date, details of processes with network connections, the kernel routing table and the address resolution protocol to the collection system.
Command:
# (date; netstat -p; netstat -rn; arp -v) | nc 147.138.6.5 10004 -w3
The network state provides important information on both the current network connections and the listening processes. The commands help the investigators to know about possible running processes left by a hacker or give details about any unauthorized connections taking place. The 'date' command records the date when the commands were run in the script file. The 'netstat -p' command gives the processes associated with the different network connections. The 'netstat -rn' command would show the kernel routing table. The 'arp -v' would give an alternate view of the routing table. This information is copied to the collection system.
9. Looking for unusual running processes.
A series of steps are taken to use some utilities enumerated below, to provide valuable information about all running processes. The task of the investigation team is to capture the state of the suspect machine and get a list of all open files. Then the team tries to correlate this information with the verbose 'netstat' captured earlier.
i)
Command:
# uptime
The command finds how much time the system has been running after its last reboot. The idea is to check to find evidence of a system compromise as the hacker might require a reboot to start some processes. Else it might also point to a denial-of-service attack as the system might have crashed in panic.
ii) Information about who is connected to the system remotely
Command:
# who
The command checks the users logged in to the system via the telnet or the ftp services.
iii) Check on the process that takes the maximum resources of the system
Command:
# top
The command provides the real time display of the CPU-intensive processes. It is a diagnostic tool when the system is running slowly. Password cracking tools will show clearly with the 'top' command. If the team detects any process utilizing the CPU resources in an out-of-the-ordinary fashion that can potentially point to a system security breach, then a command like 'strace' or 'ltrace' or 'fuser' would be run.
The strace command: It places a System Call Trace. It lists all system calls being made by a running process.
The ltrace command: It places a library routine trace.
The fuser command: It is a file user command that identifies which process is using a specific file or network socket.
10. Obtain information on the running processes and their details along with a list of open files and send it to the collection system.
Command:
# (ps aux; ps auxeww; lsof) | nc 147.138.6.5 10005 -w3
The first part of the command provides information about the processes that is convenient to be printable on a standard screen. The second part gives detailed information of the processes for later analysis. The last part of the command gives the list of open files.
11. Find the list of running processes on the suspect system.
Command:
# ls -d /proc/[0-9]* | nc 147.138.6.5 10006 -w3
The command gives a directory listing of the contents of the proc directory. It is worth noting that when a kernel is hacked, even an unmodified copy of ps can provide misleading information. The process names in the ps output can be changed without any modification of system binaries.
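The /proc-versus-ps comparison described in this step and in the earlier "Running processes" section, as an added example that is not part of the original paper: find_hidden_pids works on two constructed PID lists so it can be exercised anywhere, and live_check gathers the real lists the same way the checklist does.

```shell
#!/bin/sh
# Added example, not from the original paper: compare the PID directories
# in /proc with the PIDs that ps reports. A PID present in /proc but
# missing from ps is the clue that ps (or the kernel) may be trojanned.

# find_hidden_pids PROC_PIDS PS_PIDS
#   Both arguments are whitespace-separated PID lists. Prints each PID that
#   is in PROC_PIDS but not in PS_PIDS, one per line.
find_hidden_pids() {
    # Pad every ps PID with spaces so " 10 " cannot match inside " 100 ".
    ps_words=$(printf ' %s ' $2)
    for pid in $1; do
        case "$ps_words" in
            *" $pid "*) ;;                    # reported by ps: nothing to flag
            *)          printf '%s\n' "$pid" ;;
        esac
    done
}

# live_check
#   Gathers the real lists the way the checklist does (ls -d /proc/[0-9]*
#   against ps) and prints PIDs that ps does not show. A process that exits
#   or starts between the two snapshots also shows up, so re-run and keep
#   only PIDs that appear in every pass before treating them as hidden.
live_check() {
    proc_pids=$(ls -d /proc/[0-9]* 2>/dev/null | sed 's|^/proc/||')
    ps_pids=$(ps -e -o pid= 2>/dev/null)
    find_hidden_pids "$proc_pids" "$ps_pids"
}

# Demonstration on constructed lists: PIDs 3 and 1001 are in /proc only.
find_hidden_pids "1 2 3 4 1001" "1 2 4"
```

On the suspect host, call live_check instead of the demonstration line; saving the two raw lists as the checklist does lets the comparison be repeated later on the collection system.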
12. Make a tar file of the /proc directory and send it to the collection system.
Command:
# tar cvpf proc.tar /proc/[0-9]*
The 'tar' command is used to create an archive. The parameters used are 'c' to create a new archive, 'v' to be in the verbose mode to provide a complete list of what the process is doing, 'p' to preserve ownership so that if the file is tampered with or looks out of the ordinary it could be pointed out by way of ownership, and 'f' to send the output to a file.
13. Determine the physical devices in the suspect system.
Command:
# mount
This is the first step to copy the entire file system over the network to the collection system. The 'mount' command helps the team to determine the active file systems on the hard drive. It would also point to any network file systems that are being used.
14. Determine the partitions on the primary hard drive of the suspect system.
Command:
# fdisk -l /dev/hda
The utility is used as the disk partition utility that helps the team to find the list of partitions on the primary hard drive and also find the file systems on the hard drive.
15. Make a data dump of the partitions of the suspect system and send it to the collection system.
Command:
# dd if=/dev/hda1 bs=1024 | nc 147.138.6.5 10007 -w3
The data dump command helps to collect an image of each partition of the hard disk and send it to the collection system.
16. Make the MD5 hash of all the files received and the images of the hard disk partitions.
Command:
# md5sum -b suspect.hda1.image
The MD5 hash of the images of the partitions is taken before the investigation. After the complete investigation the MD5 is taken again to show that the investigation did not tamper with any of the images.
Analysis of Evidence
The utmost concern from the start of the investigation was the fact that the suspect system was a live server, and that its normal operation could not be halted in order to perform the investigation. That fact limited our ability to create exact copies of the file system. Since the system could not be frozen in time, the credibility of the investigation hinged on the ability to collect as much information as possible in a short period of time, and then ensure the integrity of the information once it was collected.
In order to ensure that the collection phase went as smoothly as possible, the investigating team first sat down and developed the investigation checklist that has already been outlined. The investigation team consisted of two people. The first person was responsible for physically interacting with the system console, and the second person was responsible for maintaining the checklist and the physical log of the investigation.
The suspect system was a Dell Optiplex GX1 desktop computer running
# dd bs=1024 < /dev/kmem | nc 147.138.69.69 10003 -w 3
dd: reading `standard input': Bad address
0+0 records in
0+0 records out
The data file on the collection system was empty. The command was attempted several times without success on the suspect system. The investigators also modified the syntax of the command during the subsequent attempts to see if there had been an error in the original syntax. Instead of reading the /dev/kmem file in using the input character '<', as the Kruse & Heiser text did in some instances, we also tried the input file argument, 'if=', that is part of the dd command. We did not have success with either version. Following the investigation, the original syntax of the command was tested on the collection system and two other Linux systems. The data dump failed in the same manner on the collection system as it did on the suspect system. The first alternate Linux system was running
Following the creation of the disk images, the investigation team attempted to mount the suspect file systems on the collection system. Attempts to mount the images on the collection system in a read-only mode resulted in an error message stating that the superblock for the image appeared to be damaged. The investigators then mounted the image for /dev/hda1 in normal read-write mode, and the image then mounted normally. This process corrected the error in the superblock, but it also changed the contents of the image file, thus invalidating any MD5 sum taken prior to the mount process. In order to ensure the integrity of the other disk images, MD5 sums were created, and the file systems were not mounted during the analysis phase of the investigation. The three unmounted images represented the home directories for the suspect system, the swap space, and the /usr directory. After mounting the suspect's root file system in read-write mode, the image was immediately unmounted, and remounted in read-only mode.
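The hash-before-and-after procedure of checklist step 16, and the way the read-write mount above invalidated the earlier sum, as an added example that is not part of the original paper: a manifest of MD5 sums is taken when the images arrive and re-verified later, with the evidence directory and image files constructed here.

```shell
#!/bin/sh
# Added example, not from the original paper: record the MD5 sums of the
# collected images in a manifest as soon as they arrive, then re-verify
# against it before the report is written. The read-write mount changed
# the hda1 image; this check is what makes such a change visible.

# make_manifest DIR
#   Writes DIR/MANIFEST.md5 with one line per evidence file and prints the
#   manifest path. Paths are stored relative to DIR so the manifest still
#   verifies after the directory is copied to another system.
make_manifest() {
    manifest=$1/MANIFEST.md5
    ( cd "$1" && find . -type f ! -name MANIFEST.md5 -exec md5sum {} + | sort -k 2 ) > "$manifest"
    printf '%s\n' "$manifest"
}

# verify_manifest DIR
#   Re-hashes every file named in DIR/MANIFEST.md5. Prints the entries that
#   no longer match and returns 1 if there are any, 0 if all still match.
verify_manifest() {
    if ( cd "$1" && md5sum -c MANIFEST.md5 2>/dev/null ) | grep ': FAILED'; then
        return 1
    fi
    return 0
}

# demo
#   Builds two constructed image files, takes the manifest, alters one image
#   the way the rw mount rewrote the superblock, and prints the verify result
#   before and after ("ok changed" is expected).
demo() {
    work=$(mktemp -d)
    printf 'constructed root filesystem image\n' > "$work/suspect.hda1.image"
    printf 'constructed home filesystem image\n' > "$work/suspect.hda2.image"
    make_manifest "$work" > /dev/null
    verify_manifest "$work" > /dev/null && before=ok || before=changed
    # Simulate the mount in read-write mode that rewrote the superblock.
    printf 'superblock rewritten by mount\n' >> "$work/suspect.hda1.image"
    verify_manifest "$work" > /dev/null && after=ok || after=changed
    rm -rf "$work"
    printf '%s %s\n' "$before" "$after"
}

demo
```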
Deeper investigation of the image uncovered other files that were damaged during the data dump. Any files that were written to the hard drive during the data dump, such as log files, were empty. The file names were present, but the contents of the files were missing. This proved to be a major setback to our effort. We were forced to immediately return to the suspect system and make a tarball of the main log directory, /var/log, and then copy that tarball to the collection system. We were also forced to perform our analysis of the files present in the /home and /usr directories on the live suspect system, instead of analyzing the images we created.
Following the collection phase the investigation shifted focus to the collection system and we began to process the data that we had collected. The first item of data analyzed was the concatenated file that we had created that contained both the /etc/passwd and /etc/shadow files. There were not any suspicious or unauthorized entries in either file. The next item of data analyzed was the file containing the output from the two netstat commands and the arp command. The only active network connection reported by the set of commands was the netcat process that was copying the data to the collection system. At this point we also looked at the output from the two ps commands, and the lsof command. As with the network statistics, we did not find any processes that appeared to be out of place. In order to be certain that the suspect's ps command was not tampered with by an intruder we also investigated the /proc directory directly. The investigation did not find any processes that were not reported by the ps command. By this point in time, it was becoming apparent that if the system had been attacked, the attack had by this time ceased. Now that it seemed that we were dealing with a historical event we turned our attention to the log files that we collected from the suspect system.
The first set of logs to be analyzed were the web server logs, since this server's primary function was serving web pages. Since the access and error logs for the server were relatively short we processed the logs manually. The page accesses were normal, and did not include any evidence of script-kiddie attacks.
The second log analyzed was the messages log in the /var/log directory, and this log proved to be most helpful. During a time spanning from approximately 12:17 PM EST to 2:31 PM EST on Friday, December 6, 2002 we see that two separate unauthorized hosts attempted to gain access to the suspect system. The first host, venger.bridgewater.edu, focused his attack solely on the ftp service running on the system. The host made twelve attempts to log into the system as either the root user, or as an unprivileged user named joe. This attack appears to have been performed manually by a user on the unauthorized host because of the relatively low number of attempts and the amount of time over which the attacks occurred. Below is an excerpt of the failed attempts.
Dec 6 12:35:10 dorm69-2 ftp(pam_unix)[1613]: authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd1613 ruser= rhost=Venger.bridgewater.edu user=joe
Dec 6 12:35:12 dorm69-2 ftpd: Venger.bridgewater.edu: connected: IDLE[1613]: failed login from Venger.bridgewater.edu [147.138.20.1]
Dec 6 14:14:22 dorm69-2 ftp(pam_unix)[1934]: authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd1934 ruser= rhost=Venger.bridgewater.edu user=joe
Dec 6 14:14:25 dorm69-2 ftpd: Venger.bridgewater.edu: connected: IDLE[1934]: failed login from Venger.bridgewater.edu [147.138.20.1]
The second host, saturn.bridgewater.edu, did not attempt to access the system until 1:17 PM EST. The second host initially attempted to open an anonymous ftp session with the suspect system. This attempt failed because the system was not running an anonymous ftp service. The second host did not attempt to access the system again until 2:27 PM EST. At that time the attacker attempted to remotely log in to the system either as the root user, the lp user, or as a blank username using the telnet service. Below is an excerpt of the attacker's attempts.
Dec 6 14:27:01 dorm69-2 login(pam_unix)[223]: authentication failure; logname= uid=0 euid=0 tty=pts/0 ruser= rhost=Saturn user=lp
Dec 6 14:27:03 dorm69-2 login[223]: FAILED LOGIN 1 FOR lp, Authentication failure
Dec 6 14:27:08 dorm69-2 login(pam_unix)[223]: bad username []
Dec 6 14:27:10 dorm69-2 login[223]: FAILED LOGIN 2 FOR , Authentication failure
Dec 6 14:27:16 dorm69-2 login(pam_unix)[223]: authentication failure; logname= uid=0 euid=0 tty=pts/0 ruser= rhost=Saturn user=root
Dec 6 14:27:19 dorm69-2 login[223]: FAILED LOGIN 3 FOR root, Authentication failure
Four minutes after this attempt, the second attacker appears to have performed a port scan of the suspect system. The attacker did not try to hide the attempt, because the scan appears to have been a full TCP connect() scan, and the most likely tool used would have been nmap. The finger, telnet, and ftp services all logged connection attempts in the messages file. Below is an excerpt from that probable port scan.
Dec 6 14:31:07 dorm69-2 fingerd[2273]: Client hung up - probable port-scan
Dec 6 14:31:11 dorm69-2 xinetd[2274]: Can't get the number of pending signals: Bad file descriptor (errno = 9)
Dec 6 14:31:11 dorm69-2 last message repeated 1 times
Dec 6 14:31:24 dorm69-2 ftpd[2276]: wu-ftpd - TLS settings: control allow, client_cert allow, data allow
Dec 6 14:31:24 dorm69-2 ftpd[2276]: lost connection to Saturn.bridgewater.edu [147.138.10.40]
Dec 6 14:31:24 dorm69-2 ftpd[2276]: FTP session closed
Dec 6 14:31:25 dorm69-2 telnetd[2277]: ttloop: read: Connection reset by peer
Following this port scan, connection attempts from both of the unauthorized systems stopped.
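The manual review of the messages log above, as an added example that is not part of the original paper: the pam_unix failures are tallied per service, source host and user, and the scan symptoms the excerpt shows are counted. The log lines are constructed to follow the format quoted in the excerpts; the host names and the 192.0.2.10 address are placeholders, not real systems.

```shell
#!/bin/sh
# Added example, not from the original paper: summarize a
# /var/log/messages-style file the way the investigators did by hand.
# SAMPLE_LOG is constructed in the format quoted in the paper; host names
# and addresses are placeholders (RFC 5737 documentation range).

SAMPLE_LOG=$(cat <<'EOF'
Dec 6 12:35:10 suspecthost ftp(pam_unix)[1613]: authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd1613 ruser= rhost=host-a.example.edu user=joe
Dec 6 12:35:12 suspecthost ftpd: host-a.example.edu: connected: IDLE[1613]: failed login from host-a.example.edu [192.0.2.10]
Dec 6 14:14:22 suspecthost ftp(pam_unix)[1934]: authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd1934 ruser= rhost=host-a.example.edu user=joe
Dec 6 14:14:25 suspecthost ftp(pam_unix)[1935]: authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd1935 ruser= rhost=host-a.example.edu user=root
Dec 6 14:27:01 suspecthost login(pam_unix)[223]: authentication failure; logname= uid=0 euid=0 tty=pts/0 ruser= rhost=host-b user=lp
Dec 6 14:27:08 suspecthost login(pam_unix)[223]: bad username []
Dec 6 14:27:16 suspecthost login(pam_unix)[223]: authentication failure; logname= uid=0 euid=0 tty=pts/0 ruser= rhost=host-b user=root
Dec 6 14:31:07 suspecthost fingerd[2273]: Client hung up - probable port-scan
Dec 6 14:31:25 suspecthost telnetd[2277]: ttloop: read: Connection reset by peer
EOF
)

# failed_logins < messages
#   Prints "count service rhost user" for every pam_unix authentication
#   failure, most frequent first. Lines without an rhost (such as the
#   "bad username" entry) carry no source and are left out.
failed_logins() {
    grep 'pam_unix.*authentication failure' \
    | sed -n 's/^.* \([a-z]*\)(pam_unix).* rhost=\([^ ]*\) user=\([^ ]*\).*$/\1 \2 \3/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2, $3, $4 }'
}

# scan_indicators < messages
#   Prints the number of lines showing the service-side symptoms of a
#   connect() scan seen in the excerpt: a finger client hanging up, lost
#   or reset connections.
scan_indicators() {
    grep -c -e 'probable port-scan' -e 'lost connection' -e 'Connection reset by peer'
}

# Demonstration on the constructed log.
printf '%s\n' "$SAMPLE_LOG" | failed_logins
printf 'scan indicators: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | scan_indicators)"
```

Against a collected log, replace the demonstration lines with `failed_logins < messages`; the counts per rhost are what separate a handful of manual attempts, as in the paper, from an automated guessing run.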
We now had evidence that at least one individual attempted to gain unauthorized access to the suspect system. Our efforts now focused on determining whether or not any traces of successful entry existed on the suspect system. We checked the xferlog for ftp file transfers during the time in question, and found nothing. The next step was to determine if there were any unauthorized trust relationships in the /etc/hosts file. There were no trust relationships on the suspect system at all. We next searched through the /dev directory to ensure that no regular files were being hidden there, and none were found. We also searched for executable files and suspicious hidden files in the users' home directories, and again nothing turned up out of the ordinary. Next we checked for unusual SUID and SGID files, and nothing appeared out of the ordinary. The final search of the file system was for core files. If the attackers had been able to panic any of the network services during their attempts, core dumps of the processes should have existed on the system. The search did not turn up any core files.
By this point we were confident that the attackers had not found a way into the system, but we were not going to take anything for granted. The final step in the investigation was to run the rpm -Va command. This command is used to verify the consistency of the binary packages installed on the suspect system using the
Bibliography
CE