UNIX/Linux Investigation by Yuli Chen, Rajesh Menon & Joe Meslovich, 2002 Fall


8/12/2019 UNIX Linux Investigation by Yuli Chen, Rajesh Menon & Joe Meslovich, 2002 Fall

Procedures in Intrusion Investigation of a UNIX/Linux Host

CS-585F: Computer-Related Law and Computer Forensics

Fall 2002

Yu-Li Chen
Rajesh Menon
Joe Meslovich

Table of Contents

Abstract iii
Acknowledgements iv
Introduction 1
Signs of a Compromised UNIX/LINUX System 1
Ways To Preserve Evidence 4
Investigation of a Linux System 7
Collection Of Evidence 7
Analysis Of Evidence 12
Summary 16
Bibliography 17

Abstract

UNIX and Linux systems are vulnerable to various forms of network attacks. Depending on the diligence of the people administering these systems, they can be either extremely easy or extremely difficult to gain unauthorized access to. This document is a case study on how to perform an intrusion detection analysis on a UNIX host in general, and more specifically on a Linux system.

Acknowledgements

We would like to express our sincere thanks to Dr. Abzug for his help on this project. We would also like to extend thanks to the Bridgewater College Information Technology Center for the use of their facilities and equipment throughout this process.

Introduction

UNIX does not have a good reputation for reliability or security (Gallmann, 1999). Although UNIX does offer some effective security features, such as login and user accounts which are saved in the /etc/passwd file, access control with a granularity of owner, group, and world, and log files (/usr/adm/lastlog, /var/adm/utmp, /var/adm/wtmp, /var/adm/acct), UNIX systems directly connected to the Internet are often subject to hacking attempts (Kruse & Heiser, 2002).

The skill and knowledge to investigate a compromised Unix system and the ability to respond to a computer security incident have become essential for both UNIX users and forensic investigators.

The contents of this document will begin with looking for the signs of a compromised UNIX system, and then proceed to preserving and gathering evidence. After collecting information and seizing the data we need, the next step is to analyze the file system to look for modifications to data and to review log files to examine signs of intrusion.

This document will also include an intrusion investigation of a server owned by the ABC Corporation. The administrators of the system have seen log evidence to suggest repeated attempts to gain access to the server from unauthorized hosts. Included will be the steps that the investigators chose to take in this particular investigation, and an analysis of the outcome of their efforts. A recurring concern of the investigators will be the fact that the server was a production server, and that the administrators would not allow the server to be taken offline during the investigation.

Signs of a compromised UNIX/Linux system

1. Examine log files for connections from unusual locations, or other unusual activity.

This file in the /var/log directory contains binary information for every user currently logged in. It is only useful to determine who is currently logged in. A way to access this data is either the who command or the w command.

wtmp

Every time a user successfully logs in, logs out, or your machine reboots, the wtmp file in the /var/log directory is modified. This is a binary file; the tool used to obtain useful information from it is last.

secure

Some versions of UNIX (

will set a network interface in promiscuous mode. Detecting an interface in promiscuous mode does not necessarily mean that an intruder's sniffer is running on a system.

5. Examine files run by 'cron' and 'at'.

Intruders may leave back doors in files run from cron or submitted to at. The cron and at commands are used to schedule commands and processes that repeat at specified intervals. These techniques can let an intruder back on the system (even after you believe you had addressed the original compromise). Also, verify all files/programs referenced (directly or indirectly) by the cron and at jobs.

# at -l
# crontab -l

6. Check for unauthorized services.

Inspect /etc/inetd.conf or /etc/xinetd.conf for unauthorized additions or changes. In particular, search for entries that execute a shell program (for example, /bin/sh or /bin/csh) and check all programs that are specified in /etc/inetd.conf to verify that they are correct and haven't been replaced by Trojan horse programs. Also check for legitimate services that you have commented out in your /etc/inetd.conf. Intruders may turn on a service that you previously thought you had turned off, or replace the inetd program with a Trojan horse program.

7. Examine /etc/passwd file.

Check the /etc/passwd file on the system for modifications to that file, and look for the unauthorized creation of new accounts, accounts with no passwords, or UID changes (especially to UID 0) to existing accounts. For example, we can use stat /etc/passwd to look at access and modification information, and cat /etc/passwd to show the contents of the file.

8. Check system and network configuration.

Find any unauthorized entries, especially '+' (plus sign) entries and inappropriate non-local host names in /etc/hosts. Furthermore, confirm that these files existed prior to any intrusion and were not created by the intruder.

9. Look everywhere for unusual or hidden files.

Files that start with a period (.) and are normally not shown by ls can be used to hide tools and information. A common technique on UNIX systems is to put a hidden directory in a user's account with an unusual name, something like '...' or '.. ' or '..^G'. The find program can be used to look for hidden files, for example:

# find / -name ".. " -print -xdev
# find / -name ".*" -print -xdev | cat -v

10. Examine all machines on the local network.

Most of the time, if one host has been compromised, others on the network have been, too.

(CE

When UNIX systems are shut down with the shutdown command, all services are cleanly shut down and cached file system buffers are flushed; data is written to disc and can be captured as part of a system memory image.

Video

The current screen can be captured and provide useful information, and that information is stored in

It is possible for an attacker to mess with the routing tables and even hack the address resolution that maps an Ethernet card's MAC address to an IP address (Kruse & Heiser, 2002). We can use netstat to display the routing tables and arp to capture the address resolution tables.

# netstat -rn
# arp -v

We can capture all of this data in one file, along with the date command to timestamp the action.

# (date; netstat -p; netstat -rn; arp -v) > suspect.netstatus.txt

Running processes

Unix supplies a number of utilities that provide information on the set of all running processes or provide details on a specific running process. Those utilities are:

ps: Displays a list of all running processes with details about their context and state.
last, w, who: Get listings of logged in users, prior logins, etc.
uptime: Shows the current processing load and 2 previous load values. Provides an understanding of current and recent activity.
top: Useful diagnostic tool when the system is running slowly. Password cracking tools will show up clearly with top.
lsof: Provides a list of all currently open files and the processes that have opened them.
fuser: Identifies which processes are using a specific file or network socket.
strace: Lists all system calls being made by a running process.
truss, ktrace: Earlier versions of system call trace.
ltrace: Library routine trace.

(Kruse & Heiser, 2002)

The /proc directory is a pseudo-filesystem that provides a structured interface to /dev/kmem. Every process in memory has a directory in /proc associated with it, named after its process ID (PID). At the time of this writing, no attacks that hide /proc entries have been reported, making /proc a more reliable guide to currently running processes than the commonly hacked ps utility. [Kruse 2002] You should collect a quick list of the PID directories in /proc so that you can compare it later with the output of ps. If a process is missing from the ps output that does appear in /proc, that is a clue that ps might have been trojanned.

# ls -d /proc/[0-9]* > suspectproc.txt

Signs of hostile processes:

Any discrepancy between ps, top, and /proc: PIDs that appear in top or /proc but not in ps may have been deliberately hidden.

Unrecognized commands, especially ones that start with a . or ./, are clear indications that the application was started manually.

Daemons running more than once that should be running only once, such as inetd. That means the second one was started manually. This is usually a sign of a trojanized version.

High uptimes (high system utilization) and especially a process using an unusual level of system resources. Some processor intensive program such as cryptanalysis, bogus I

Command on the suspect machine:

# cat /etc/passwd /etc/shadow | nc 12.168.0.2 10000 -w3

The nc executable running on the listening host runs until it receives a connection and then the connection is broken. At this point the execution stops and the output file is closed. The -w3 option on the transmitting host means to wait 3 seconds after the data has been sent and then time out.

2. Log the investigation steps carried out on the suspect system.

Command:

# script investigation.txt

The script command ensures that everything done on the suspect system console is documented into a file (investigation.txt) for evidentiary value. This phase is important to carry out the investigation as methodically and carefully as possible. The file enumerates the systematic flow of commands used on the suspect system to elicit pertinent information. This is also important to convince management of the need for a response capability if a security breach is discovered by the investigation.

3. Maintain a journal to enumerate the results of the investigation.

The findings from the commands run or the steps taken in the investigation are clearly documented so as to show the logical development of the investigative process and to function as an aid for refreshing the memory and writing the investigative report.

4. Verify the date and time of the suspect system and determine the DNS name and OS version of the system.

Commands:

# date
# uname -a

These commands make the current time and the hostname the first two items to appear in the script file on the suspect system. The system time is further noted in the journal maintained by an investigator. Any discrepancies between the system clock and the real time would have been noted. The second command also gives information about the operating system, for instance the version of the kernel for the particular Linux OS.

5. Obtain the screenshot of the suspect system's desktop.

Command:

# xwd -display localhost:0 -root > screenshot.xwd

The screenshot of the suspect system desktop is obtained with the 'xwd' command and a copy is sent to the collection system using the netcat command. A program such as the

Linux graphics editor GIMP will have to be used to convert the file from the xwd format to a more usable format such as jpeg.

6. Save the copies of the suspect's password and shadow files to the collection system.

Command:

# cat /etc/passwd /etc/shadow | nc 147.138.6.5 10001 -w3

The password and shadow files are saved and the copies are sent to the collection system using the netcat command.

7. Obtain the copies of the suspect's normal memory and kernel memory files to the collection system.

Command:

# dd bs=1024 < /dev/mem | nc 147.138.6.5 10002 -w3
# dd bs=1024 < /dev/kmem | nc 147.138.6.5 10003 -w3

Since Linux considers everything as a file, it is easy to copy and save the contents of the system memory.

8. Run the command that sends the date, details of processes with network connections, the kernel routing table and the address resolution protocol to the collection system.

Command:

# (date; netstat -p; netstat -rn; arp -v) | nc 147.138.6.5 10004 -w3

The network state provides important information on both the current network connections and the listening processes. The commands help the investigators to know about possible running processes left by a hacker or give details about any unauthorized connections taking place. The 'date' command records the date when the commands were run in the script file. The 'netstat -p' command gives the processes associated with the different network connections. The 'netstat -rn' command shows the kernel routing table. The 'arp -v' command gives an alternate view of the routing table. This information is copied to the collection system.

9. Looking for unusual running processes.

A series of steps are taken to use some utilities enumerated below, to provide valuable information about all running processes. The task of the investigation team is to capture the state of the suspect machine and get a list of all open files. Then the team tries to correlate this information with the verbose 'netstat' captured earlier.

i)

Command:

# uptime

The command finds how much time the system has been running since its last reboot. The idea is to check for evidence of a system compromise, as the hacker might require a reboot to start some processes. It might also point to a denial-of-service attack, as the system might have crashed in panic.

ii) Information about who is connected to the system remotely

Command:

# who

The command checks the users logged in to the system via the telnet or the ftp services.

iii) Check on the process that takes the maximum resources of the system

Command:

# top

The command provides a real time display of the CPU-intensive processes. It is a diagnostic tool when the system is running slowly. Password cracking tools will show clearly with the 'top' command. If the team detects any process utilizing the CPU resources in an out-of-the-ordinary fashion that can potentially point to a system security breach, then commands like 'strace', 'ltrace' or 'fuser' would be run.

The strace command: It performs a system call trace. It lists all system calls being made by a running process. The ltrace command: It performs a library routine trace. The fuser command: It is a file user command that identifies which process is using a specific file or network socket.

10. Obtain information on the running processes and their details along with a list of open files and send it to the collection system.

Command:

# (ps aux; ps auxeww; lsof) | nc 147.138.6.5 10005 -w3

The first part of the command provides information about the processes that is convenient to print on a standard screen. The second part gives detailed information on the processes for later analysis. The last part of the command gives the list of open files.

11. Find the list of running processes on the suspect system.

Command:

# ls -d /proc/[0-9]* | nc 147.138.6.5 10006 -w3

The command gives a directory listing of the contents of the proc directory. It is worth noting that when a kernel is hacked, even an unmodified copy of ps can provide misleading information. The process names in the ps output can be changed without any modification of system binaries.
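The /proc-versus-ps comparison described in this step and in the earlier "Running processes" discussion, as an added example that is not part of the original paper: a POSIX shell function that takes captured "ls -d /proc/[0-9]*" and "ps aux" output and prints the PIDs present in /proc but absent from ps. The sample listings are constructed.

```shell
#!/bin/sh
# Added example, not from the original paper: compare the PID directories
# seen in /proc with the PIDs that ps reports, the check the text uses to
# spot a trojanned ps.  Both listings are passed in as text so the function
# also works on output captured earlier (for example suspectproc.txt).

# Constructed sample of "ps aux" output (header plus three processes).
SAMPLE_PS='USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  1104  448 ?        S    Dec06   0:04 init
root       523  0.0  0.2  1480  588 ?        S    Dec06   0:00 xinetd -stayalive -reuse -pidfile /var/run/xinetd.pid
root      1613  0.0  0.3  2260  960 ?        S    12:35   0:00 ftpd: Venger.bridgewater.edu: connected: IDLE'

# Constructed sample of "ls -d /proc/[0-9]*": PID 2274 has no ps entry.
SAMPLE_PROC='/proc/1
/proc/523
/proc/1613
/proc/2274'

# Constructed sample where every /proc entry is accounted for by ps.
SAMPLE_PROC_CLEAN='/proc/1
/proc/523
/proc/1613'

# hidden_pids PROC_LISTING PS_LISTING
# Prints, one per line, each PID that appears in the /proc listing but not
# in column 2 of the ps listing.  Prints nothing when the two agree.
hidden_pids() {
    # ps lines go first so the PID set is complete before /proc lines arrive.
    printf '%s\n%s\n' "$2" "$1" | awk '
        # /proc lines: report the PID unless ps already listed it.
        /^\/proc\/[0-9]+$/ {
            split($0, part, "/")
            if (!(part[3] in seen)) print part[3]
            next
        }
        # ps lines: remember the PID column (the header row is skipped
        # because its second field, "PID", is not numeric).
        $2 ~ /^[0-9]+$/ { seen[$2] = 1 }
    '
}

# Live check on the machine under investigation.  ls and ps run back to
# back, so a process that exits between them shows up as a false positive:
# re-run before treating a PID as hidden, and look at /proc/<pid>/cmdline
# and /proc/<pid>/exe for anything that persists.
live_hidden_pids() {
    hidden_pids "$(ls -d /proc/[0-9]* 2>/dev/null)" "$(ps aux)"
}
```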

12. Make a tar file of the /proc directory and send it to the collection system.

Command:

# tar cvpf proc.tar /proc/[0-9]*

The 'tar' command is used to create an archive. The parameters used are 'c' to create a new archive, 'v' to be in verbose mode to provide a complete list of what the process is doing, 'p' to preserve ownership so that if a file is tampered with or looks out of the ordinary it could be pointed out by way of ownership, and 'f' to send the output to a file.

13. Determine the physical devices in the suspect system.

Command:

# mount

This is the first step to copy the entire file-system over the network to the collection system. The 'mount' command helps the team to determine the active file-systems on the hard drive. It also points to any network file systems that are being used.

14. Determine the partitions on the primary hard drive of the suspect system.

Command:

# fdisk -l /dev/hda

This disk partition utility helps the team to find the list of partitions on the primary hard drive and also the file-systems on the hard drive.

15. Make a data dump of the partitions of the suspect system and send it to the collection system.

Command:

# dd if=/dev/hda1 bs=1024 | nc 147.138.6.5 10007 -w3

The data dump command helps to collect an image of each partition of the hard disk and send it to the collection system.

16. Make the MD5 hash on all the files received and the image of the hard disk partitions.

Command:

# md5sum -b suspect.hda1.image

The MD5 hash of the images of the partitions is taken before the investigation. After the complete investigation the MD5 is taken again to show that the investigation did not tamper with any of the images.

Analysis of Evidence

The utmost concern from the start of the investigation was the fact that the suspect system was a live server, and that its normal operation could not be halted in order to perform the investigation. That fact limited our ability to create exact copies of the file system. Since the system could not be frozen in time, the credibility of the investigation hinged on the ability to collect as much information as possible in a short period of time, and then ensure the integrity of the information once it was collected.

In order to ensure that the collection phase went as smoothly as possible, the investigating team first sat down and developed the investigation checklist that has already been outlined. The investigation team consisted of two people. The first person was responsible for physically interacting with the system console, and the second person was responsible for maintaining the checklist and the physical log of the investigation.

The suspect system was a Dell Optiplex GX1 desktop computer running

# dd bs=1024 < /dev/kmem | nc 147.138.69.69 10005 -w 3
dd: reading `standard input': Bad address
0+0 records in
0+0 records out

The data file on the collection system was empty. The command was attempted several times without success on the suspect system. The investigators also modified the syntax of the command during the subsequent attempts to see if there had been an error in the original syntax. Instead of reading the /dev/kmem file in using the input character '<', as the Kruse & Heiser text did in some instances, we also tried the input file argument, 'if=', that is part of the dd command. We did not have success with either version. Following the investigation, the original syntax of the command was tested on the collection system and two other Linux systems. The data dump failed in the same manner on the collection system as it did on the suspect system. The first alternate Linux system was running

Following the creation of the disk images, the investigation team attempted to mount the suspect file systems on the collection system. Attempts to mount the images on the collection system in read-only mode resulted in an error message stating that the superblock for the image appeared to be damaged. The investigators then mounted the image for /dev/hda1 in normal read-write mode, and the image then mounted normally. This process corrected the error in the superblock, but it also changed the contents of the image file, thus invalidating any MD5 sum taken prior to the mount process. In order to ensure the integrity of the other disk images, MD5 sums were created, and those file systems were not mounted during the analysis phase of the investigation. The three unmounted images represented the home directories for the suspect

system, the swap space, and the /usr directory. After mounting the suspect's root file-system in read-write mode, the image was immediately unmounted, and remounted in read-only mode.

Deeper investigation of the image uncovered other files that were damaged during the data dump. Any files that were written to the hard drive during the data dump, such as log files, were empty. The file names were present, but the contents of the files were missing. This proved to be a major setback to our effort. We were forced to immediately return to the suspect system and make a tar ball of the main log directory, /var/log, and then copy that tar ball to the collection system. We were also forced to perform our analysis of the files present in the /home and /usr directories on the live suspect system, instead of analyzing the images we created.

Following the collection phase the investigation shifted focus to the collection system and we began to process the data that we had collected. The first item of data analyzed was the concatenated file that we had created that contained both the /etc/passwd and /etc/shadow files. There were not any suspicious or unauthorized entries in either file. The next item of data analyzed was the file containing the output from the two netstat commands and the arp command. The only active network connection reported by the set of commands was the netcat process that was copying the data to the collection system. At this point we also looked at the output from the two ps commands and the lsof command. As with the network statistics, we did not find any processes that appeared to be out of place. In order to be certain that the suspect's ps command was not tampered with by an intruder, we also investigated the /proc directory directly. The investigation did not find any processes that were not reported by the ps command.

By this point in time, it was becoming apparent that if the system had been attacked, the attack had by this time ceased. Now that it seemed that we were dealing with a historical event, we turned our attention to the log files that we collected from the suspect system.

The first set of logs to be analyzed were the web server logs, since this server's primary function was serving web pages. Since the access and error logs for the server were relatively short, we processed the logs manually. The page accesses were normal, and did not include any evidence of script-kiddie attacks.

The second log analyzed was the messages log in the /var/log directory, and this log proved to be most helpful. During a time spanning from approximately 12:17 PM EST to 2:31 PM EST on Friday, December 6, 2002, we see that two separate unauthorized hosts attempted to gain access to the suspect system. The first host, venger.bridgewater.edu, focused its attack solely on the ftp service running on the system. The host made twelve attempts to log into the system as either the root user or as an unprivileged user named joe. This attack appears to have been performed manually by a user on the unauthorized host because of the relatively low number of attempts and the amount of time over which the attacks occurred. Below is an excerpt of the failed attempts.

Dec 6 12:35:10 dorm69-2 ftp(pam_unix)[1613]: authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd1613 ruser= rhost=Venger.bridgewater.edu user=joe
Dec 6 12:35:12 dorm69-2 ftpd: Venger.bridgewater.edu: connected: IDLE[1613]: failed login from Venger.bridgewater.edu [147.138.20.1]
Dec 6 14:14:22 dorm69-2 ftp(pam_unix)[1934]: authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd1934 ruser= rhost=Venger.bridgewater.edu user=joe

Dec 6 14:14:25 dorm69-2 ftpd: Venger.bridgewater.edu: connected: IDLE[1934]: failed login from Venger.bridgewater.edu [147.138.20.1]

The second host, saturn.bridgewater.edu, did not attempt to access the system until 1:17 PM EST. The second host initially attempted to open an anonymous ftp session with the suspect system. This attempt failed because the system was not running an anonymous ftp service. The second host did not attempt to access the system again until 2:27 PM EST. At that time the attacker attempted to remotely log in to the system either as the root user, the lp user, or as a blank username using the telnet service. Below is an excerpt of the attacker's attempts.

Dec 6 14:27:01 dorm69-2 login(pam_unix)[223]: authentication failure; logname= uid=0 euid=0 tty=pts/0 ruser= rhost=Saturn user=lp
Dec 6 14:27:03 dorm69-2 login[223]: FAILED LOGIN 1 FOR lp, Authentication failure
Dec 6 14:27:08 dorm69-2 login(pam_unix)[223]: bad username []
Dec 6 14:27:10 dorm69-2 login[223]: FAILED LOGIN 2 FOR , Authentication failure
Dec 6 14:27:16 dorm69-2 login(pam_unix)[223]: authentication failure; logname= uid=0 euid=0 tty=pts/0 ruser= rhost=Saturn user=root
Dec 6 14:27:19 dorm69-2 login[223]: FAILED LOGIN 3 FOR root, Authentication failure

Four minutes after this attempt, the second attacker appears to have performed a port scan of the suspect system. The attacker did not try to hide the attempt, because the scan appears to have been a full TCP connect() scan, and the most likely tool used would have been nmap. The finger, telnet, and ftp services all logged connection attempts in the messages file. Below is an excerpt from that probable port scan.

Dec 6 14:31:07 dorm69-2 fingerd[2273]: Client hung up - probable port-scan
Dec 6 14:31:11 dorm69-2 xinetd[2274]: Can't get the number of pending signals: Bad file descriptor (errno = 9)
Dec 6 14:31:11 dorm69-2 last message repeated 1 times
Dec 6 14:31:24 dorm69-2 ftpd[2276]: wu-ftpd - TLS settings: control allow, client_cert allow, data allow
Dec 6 14:31:24 dorm69-2 ftpd[2276]: lost connection to Saturn.bridgewater.edu [147.138.10.40]
Dec 6 14:31:24 dorm69-2 ftpd[2276]: FTP session closed
Dec 6 14:31:25 dorm69-2 telnetd[2277]: ttloop: read: Connection reset by peer

Following this port scan, connection attempts from both of the unauthorized systems stopped.
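The triage the team performed on these messages-log entries, as an added example that is not part of the original paper: a POSIX shell function that summarises pam_unix authentication failures by remote host and target user, with the first and last time each pair was seen, so a run of manual attempts like the ones above stands out. The sample input is the excerpt quoted in the text.

```shell
#!/bin/sh
# Added example, not from the original paper: summarise pam_unix
# "authentication failure" records from a /var/log/messages excerpt by
# remote host and target user, with the first and last time each pair was
# seen.  The sample lines are the ones quoted in the text above.
SAMPLE_MESSAGES='Dec 6 12:35:10 dorm69-2 ftp(pam_unix)[1613]: authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd1613 ruser= rhost=Venger.bridgewater.edu user=joe
Dec 6 12:35:12 dorm69-2 ftpd: Venger.bridgewater.edu: connected: IDLE[1613]: failed login from Venger.bridgewater.edu [147.138.20.1]
Dec 6 14:14:22 dorm69-2 ftp(pam_unix)[1934]: authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd1934 ruser= rhost=Venger.bridgewater.edu user=joe
Dec 6 14:27:01 dorm69-2 login(pam_unix)[223]: authentication failure; logname= uid=0 euid=0 tty=pts/0 ruser= rhost=Saturn user=lp
Dec 6 14:27:03 dorm69-2 login[223]: FAILED LOGIN 1 FOR lp, Authentication failure
Dec 6 14:27:08 dorm69-2 login(pam_unix)[223]: bad username []
Dec 6 14:27:16 dorm69-2 login(pam_unix)[223]: authentication failure; logname= uid=0 euid=0 tty=pts/0 ruser= rhost=Saturn user=root'

# failed_logins_by_source SYSLOG_TEXT
# Prints one line per (rhost, user) pair: "rhost user count first last".
# Only the pam_unix "authentication failure" records are counted, so the
# login[...] "FAILED LOGIN" summaries of the same events are not double
# counted.  A missing rhost or user is shown as "-".
failed_logins_by_source() {
    printf '%s\n' "$1" | awk '
        /\(pam_unix\)\[[0-9]+\]: authentication failure/ {
            rhost = "-"; user = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^rhost=./) rhost = substr($i, 7)
                if ($i ~ /^user=./)  user  = substr($i, 6)
            }
            key = rhost " " user
            if (!(key in count)) first[key] = $3   # $3 is the syslog time
            count[key]++
            last[key] = $3
        }
        END { for (k in count) print k, count[k], first[k], last[k] }
    ' | LC_ALL=C sort
}
```

Run against the whole messages file, the same function turns the timeline the team reconstructed by hand (first and last attempt per host) into one line per source and target account.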

We now had evidence that at least one individual attempted to gain unauthorized access to the suspect system. Our efforts now focused on determining whether or not any traces of successful entry existed on the suspect system. We checked the xferlog for ftp file transfers during the time in question, and found nothing. The next step was to determine if there were any unauthorized trust relationships in the /etc/hosts file. There were no trust relationships on the suspect system at all. We next searched through the /dev directory to ensure that no regular files

were being hidden there, and none were found. We also searched for executable files and suspicious hidden files in the users' home directories, and again nothing turned up out of the ordinary. Next we checked for unusual SUID and SGID files, and nothing appeared out of the ordinary. The final search of the file system was for core files. If the attackers had been able to panic any of the network services during their attempts, core dumps of the processes should have existed on the system. The search did not turn up any core files.

By this point we were confident that the attackers had not found a way into the system, but we were not going to take anything for granted. The final step in the investigation was to run the rpm -Va command. This command is used to verify the consistency of the binary packages installed on the suspect system using the

Bibliography

CE