Module 3 Concealment and Log Alteration

1
Module 3Concealment and Log Alteration
Highline Community College Seattle University
University of Washington in conjunction
with the National Science Foundation
2
Topics

• Hexadecimal ASCII/numeric data
• Alteration of logs
• Examples

3
ASCII text file

• cat hexcharacters.txt
• 0123456789ABCDEF
• 0123456789ABCDEF
• 0123456789ABCDEF
• 0123456789ABCDEF
• 0123456789ABCDEF
• 0123456789ABCDEF

4
man ascii

• NAME
• ascii - octal, hexadecimal and decimal ASCII
  character sets
• DESCRIPTION
• The hexadecimal set
• 00 nul 01 soh 02 stx 03 etx 04 eot
  05 enq 06 ack 07 bel
• 08 bs 09 ht 0a nl 0b vt 0c np
  0d cr 0e so 0f si
• 10 dle 11 dc1 12 dc2 13 dc3 14 dc4
  15 nak 16 syn 17 etb
• 18 can 19 em 1a sub 1b esc 1c fs
  1d gs 1e rs 1f us
• 20 sp 21 ! 22 " 23 24
  25 26 27 '
• 28 ( 29 ) 2a 2b 2c ,
  2d - 2e . 2f /
• 30 0 31 1 32 2 33 3 34 4
  35 5 36 6 37 7
• 38 8 39 9 3a 3b 3c lt
  3d 3e gt 3f ?
• 40 _at_ 41 A 42 B 43 C 44 D
  45 E 46 F 47 G
• 48 H 49 I 4a J 4b K 4c L
  4d M 4e N 4f O
• 50 P 51 Q 52 R 53 S 54 T
  55 U 56 V 57 W

5
Hexadecimal (base16) dump

• hexdump -C hexcharacters.txt
• 00000000 30 31 32 33 34 35 36 37 38 39 41 42 43
  44 45 46 0123456789ABCDEF
• 00000010 0a 30 31 32 33 34 35 36 37 38 39 41 42
  43 44 45 .0123456789ABCDE
• 00000020 46 0a 30 31 32 33 34 35 36 37 38 39 41
  42 43 44 F.0123456789ABCD
• 00000030 45 46 0a 30 31 32 33 34 35 36 37 38 39
  41 42 43 EF.0123456789ABC
• 00000040 44 45 46 0a 30 31 32 33 34 35 36 37 38
  39 41 42 DEF.0123456789AB
• 00000050 43 44 45 46 0a 30 31 32 33 34 35 36 37
  38 39 41 CDEF.0123456789A
• 00000060 42 43 44 45 46 0a
  BCDEF.
• 00000066

6
Concealment using "Rootkits"

• Replacement of operating system commands or
  system calls
• Two fundamental types
• Application (User) Level
• Kernel Level
• Configuration file(s) to control hiding
• Often simple to identify/bypass, but can be very
  difficult to detect/disablehttp//staff.washingt
  on.edu/dittrich/misc/faqs/rootkits.faq

7
Alteration of logs

• Types of logs
• Ways to clean logs
• Disable logging for future

8
Types of logs

• Text
• Unix syslog
• Apache access logs
• Binary
• Unix utmp/wtmp/lastlog
• Windows Event logs

9
Ways to clean logs

• Delete (or shred)
• Filter Delete
• Edit in place

10
Disable logging

• Kill syslogd
• Link log files to /dev/null
• Edit/delete syslog configuration file
• Fill partition containing log files

11
Deleting login entries from Unix wtmp

• How does wtmp logging work?
• Examples
• Using wzap
• Using wipe
• Using marry

12
How does wtmp logging work?

• Definition of wtmp entryFrom /usr/include/bits/ut
  mp.h

UT_LINESIZE is 32 bytes UT_NAMESIZE is 32
bytes UT_HOSTSIZE is 256 bytes . . .
13
UT_LINESIZE is 32 bytes UT_NAMESIZE is 32
bytes UT_HOSTSIZE is 256 bytes / The
structure describing an entry in the user
accounting database. / struct utmp short
int ut_type / Type of login. /
pid_t ut_pid / Process ID of
login process. / char ut_lineUT_LINESIZE
/ Devicename. / char ut_id4
/ Inittab ID. / char ut_userUT_NAMESIZE
/ Username. / char ut_hostUT_HOSTSIZE
/ Hostname for remote login. / struct
exit_status ut_exit / Exit status of a
process marked
as DEAD_PROCESS. / long int ut_session
/ Session ID, used for windowing. /
struct timeval ut_tv / Time entry was
made. / int32_t ut_addr_v64 /
Internet address of remote host. / char
__unused20 / Reserved for future
use. /
14
Output of last

• reboot system boot 2.4.2-2 Fri Aug
  24 1113 (0153)
• ftp ftpd12458 localhost.locald Fri Aug
  24 0945 - 0946 (0000)
• dittrich pts/1 Fri Aug
  24 0945 - down (0125)
• ftp ftpd12433 localhost.locald Fri Aug
  24 0943 - 0944 (0000)
• dittrich pts/0 Fri Aug
  24 0928 - down (0142)
• dittrich 0 Fri Aug
  24 0928 - down (0142)
• dittrich pts/0 Fri Aug
  24 0924 - 0928 (0003)
• dittrich pts/6 Sun Aug
  19 1143 - 1345 (20202)
• dittrich pts/1 Sun Aug
  19 0132 - 1327 (21154)
• dittrich pts/5 Sun Aug
  19 0126 - 0923 (50756)
• dittrich pts/4 Sun Aug
  19 0123 - 0923 (50800)
• dittrich pts/0 Sun Aug
  19 0119 - 0924 (50804)
• dittrich pts/6 Sat Aug
  18 2126 - 0118 (0352)
• dittrich pts/5 Sat Aug
  18 2116 - 0119 (0402)
• dittrich pts/4 Sat Aug
  18 2114 - 0119 (0404)
• dittrich pts/3 Sat Aug
  18 1515 - 0924 (51808)
• dittrich pts/1 Sat Aug
  18 1321 - 0132 (1211)
• dittrich pts/2 Sun Aug
  5 1549 - 2113 (130524)
• dittrich pts/0 Sun Aug
  5 1540 - 0118 (130938)

15
Hex dump of wtmp file

• 0000000 0700 0000 e404 0000 7074 732f 3000 0000
  ........pts/0...
• 0000010 0000 0000 0000 0000 0000 0000 0000 0000
  ................
• 0000020 0000 0000 0000 0000 2f30 0000 6469 7474
  ......../0..ditt
• 0000030 7269 6368 0000 0000 0000 0000 0000 0000
  rich............
• 0000040 0000 0000 0000 0000 0000 0000 0000 0000
  ................
• 0000050 0000 0000 0000 0000 0000 0000 0000 0000
  ................
• . . .
• 0000140 0000 0000 0000 0000 0000 0000 0000 0000
  ................
• 0000150 0000 0000 45cb 6d3b 8325 0a00 0000 0000
  ....E.m.......
• 0000160 0000 0000 0000 0000 0000 0000 0000 0000
  ................
• 0000170 0000 0000 0000 0000 0000 0000 0000 0000
  ................

16

• 0000000 0700 0000 e404 0000 7074 732f 3000 0000
  ........pts/0...
• -type-- --pid-- ------------------
• 0000010 0000 0000 0000 0000 0000 0000 0000 0000
  ................
• -------------device name---------------
• 0000020 0000 0000 0000 0000 2f30 0000 6469 7474
  ......../0..ditt
• ------------------ ---id-- --------
• 0000030 7269 6368 0000 0000 0000 0000 0000 0000
  rich............
• --------------username-----------------
• 0000040 0000 0000 0000 0000 0000 0000 0000 0000
  ................
• ---------------------------- --------
• . . .
• 0000140 0000 0000 0000 0000 0000 0000 0000 0000
  ................
• ---------------hostname----- --exit--
• 0000150 0000 0000 45cb 6d3b 8325 0a00 0000 0000
  ....E.m.......
• -------- ------time------- --------
• 0000160 0000 0000 0000 0000 0000 0000 0000 0000
  ................
• ---------IP address--------- --------
• 0000170 0000 0000 0000 0000 0000 0000 0000 0000
  ................
• ------------reserved------------------

17
t0rnkit wzap

• Section of t0rn script that calls wzap
• . . .
• mv wzap /var/log
• cd /var/log
• ./wzap ftp
• mv wtmp.out wtmp
• rm -rf /var/log/wzap
• . . .

18
t0rnkit wzap in use

• ltrace while running wzap

19

• __libc_start_main(0x080485c0, 2, 0xbffff8ec,
  0x080483fc,0x0804876c ltunfinished ...gt
• __register_frame_info(0x08049884, 0x08049980,
  0xbffff8a0,0x08048421, 0x4014a9e4) 0x4014b5e0
• strcpy(0xbffff86c, "ftp")
  0xbffff86c
• printf("\nopening file...\n")
  17
• fopen("wtmp", "r")
  0x08049b30
• printf("opening output file...\n")
  23
• fopen("wtmp.out", "wr")
  0x08049ca0
• printf("working...\n")
  11
• feof(0x08049b30)
  0
• fread(0x080499a0, 384, 1, 0x08049b30)
  1
• strncmp("dittrich", "ftp", 8)
  -2
• fwrite("\007", 384, 1, 0x08049ca0)
  1
• feof(0x08049b30)
  0
• . . .

20

• . . .
• fread(0x080499a0, 384, 1, 0x08049b30)
  1
• strncmp("ftp", "ftp", 8)
  0
• feof(0x08049b30)
  0
• fread(0x080499a0, 384, 1, 0x08049b30)
  1
• strncmp("", "ftp", 8)
  -102
• fwrite("", 384, 1, 0x08049ca0)
  1
• feof(0x08049b30)
  0
• fread(0x080499a0, 384, 1, 0x08049b30)
  1
• . . .

21
wtmp before wzap

• dittrich pts/3 Fri Aug 24
  1319 - 1330 (0010)
• dittrich pts/0 Fri Aug 24
  1319 still logged in
• dittrich pts/1 Fri Aug 24
  1319 - 2149 (50829)
• dittrich pts/2 Fri Aug 24
  1319 - 1557 (0237)
• dittrich 0 Fri Aug 24
  1319 still logged in
• reboot system boot 2.4.2-2 Fri Aug 24
  1318 (110933)
• root tty1 Fri Aug 24
  1317 - down (0000)
• dittrich 0 Fri Aug 24
  1316 - down (0000)
• root tty2 Fri Aug 24
  1310 - 1316 (0005)
• root tty1 Fri Aug 24
  1310 - 1316 (0006)
• reboot system boot 2.4.2-2 Fri Aug 24
  1308 (0008)
• dittrich pts/1 Fri Aug 24
  1135 - down (0130)
• dittrich pts/0 Fri Aug 24
  1135 - down (0130)
• dittrich 0 Fri Aug 24
  1135 - down (0130)
• reboot system boot 2.4.2-2 Fri Aug 24
  1113 (0153)
• ftp ftpd12458 localhost.locald Fri Aug 24
  0945 - 0946 (0000)
• dittrich pts/1 Fri Aug 24
  0945 - down (0125)
• ftp ftpd12433 localhost.locald Fri Aug 24
  0943 - 0944 (0000)
• dittrich pts/0 Fri Aug 24
  0928 - down (0142)

22
wtmp after wzap

• dittrich pts/3 Fri Aug 24
  1319 - 1330 (0010)
• dittrich pts/0 Fri Aug 24
  1319 still logged in
• dittrich pts/1 Fri Aug 24
  1319 - 2149 (50829)
• dittrich pts/2 Fri Aug 24
  1319 - 1557 (0237)
• dittrich 0 Fri Aug 24
  1319 still logged in
• reboot system boot 2.4.2-2 Fri Aug 24
  1318 (110933)
• root tty1 Fri Aug 24
  1317 - down (0000)
• dittrich 0 Fri Aug 24
  1316 - down (0000)
• root tty2 Fri Aug 24
  1310 - 1316 (0005)
• root tty1 Fri Aug 24
  1310 - 1316 (0006)
• reboot system boot 2.4.2-2 Fri Aug 24
  1308 (0008)
• dittrich pts/1 Fri Aug 24
  1135 - down (0130)
• dittrich pts/0 Fri Aug 24
  1135 - down (0130)
• dittrich 0 Fri Aug 24
  1135 - down (0130)
• reboot system boot 2.4.2-2 Fri Aug 24
  1113 (0153)
• dittrich pts/1 Fri Aug 24
  0945 - down (0125)
• dittrich pts/0 Fri Aug 24
  0928 - down (0142)
• dittrich 0 Fri Aug 24
  0928 - down (0142)
• wtmp begins Sun Aug 5 154005 2001

23
t0rnkit wzap in use

• wzap must be run in /var/log
• wzap copied to /var and deleted
• (Can be recovered from /var)
• wtmp file cleaned properly, but not in place
• Original wtmp deleted
• (Can be recovered from /var)

24
wipe features

• USAGE wipe uwla ...options...
• UTMP editing
• Erase all usernames wipe u
  username
• Erase one username on tty wipe u
  username tty
• WTMP editing
• Erase last entry for user wipe w
  username
• Erase last entry on tty wipe w
  username tty
• LASTLOG editing
• Blank lastlog for user wipe l
  username
• Alter lastlog entry wipe l
  username tty time host
• Where time is in the format
  YYMMddhhmm
• ACCT editing
• Erase acct entries on tty wipe a
  username tty

25
wipe in use (ltrace output)

• . . .
• printf("Patching s .... ", "/var/log/wtmp")
  28
• fflush(0x0804a9d0)
  0
• open("/var/log/wtmp", 2, 03766)
  3
• lseek(3, -384, 2, 2038, 0x4003670e)
  68736
• read(3, "\007", 384)
  384
• strlen(0xbffffbbc, 7, 15576, 0x2f737470, 51)
  3
• strncmp("dittrich", "ftp", 3)
  -2
• . . .
• strlen(0xbffffbbc, 0x08090968, 0, 0x64707466,
  0x33343231) 3
• strncmp("ftp", "ftp", 3)
  0
• bzero(0xbffff8e8, 384)
  ltvoidgt
• lseek(3, -384, 1, 0, 0)
  11520
• write(3, "", 384)
  384
• close(3)
  0
• printf("Done.\n")
  6
• exit(0)
  ltvoidgt
• exited (status 0)

26
wipe in use

• Original
• 0003180 8009 0908 0000 0000 6674 7064 3132 3435
  ........ftpd1245
• 0003190 3800 0000 0000 0000 0000 0000 0000 0000
  8...............
• 00031a0 0000 0000 0000 0000 78d8 ffbf 6674 7000
  ........x...ftp.
• After wipe
• 0003180 0000 0000 0000 0000 0000 0000 0000 0000
  ................
• 0003190 0000 0000 0000 0000 0000 0000 0000 0000
  ................
• 00031a0 0000 0000 0000 0000 0000 0000 0000 0000
  ................

27
wipe in use

• Original
• 00031c0 0000 0000 0000 0000 0000 0000 6c6f 6361
  ............loca
• 00031d0 6c68 6f73 742e 6c6f 6361 6c64 6f6d 6169
  lhost.localdomai
• 00031e0 6e00 0000 0000 0000 0000 0000 0000 0000
  n...............
• After wipe
• 00031c0 0000 0000 0000 0000 0000 0000 0000 0000
  ................
• 00031d0 0000 0000 0000 0000 0000 0000 0000 0000
  ................
• 00031e0 0000 0000 0000 0000 0000 0000 0000 0000
  ................

28
wipe in use

• Original
• 00032d0 0000 0000 b884 836b 207a 1040 1140 1410
  ....... z._at_._at_._at_
• 00032e0 c0d9 ffbf 0000 0040 20d9 f0fb fe3d 1040
  ......._at_ ....._at_
• 00032f0 9700 0000 99fc 14a0 10ef fbfe f3fe f35f
  ......._at_.......
• After wipe
• 00032d0 0000 0000 0000 0000 0000 0000 0000 0000
  ................
• 00032e0 0000 0000 0000 0000 0000 0000 0000 0000
  ................
• 00032f0 0000 0000 0000 0000 0000 0000 0000 0000
  ................

29
wipe in use

• Original wtmp edited in place
• wtmp file left with zeroed areas
• wipe may still be in file system somewhere
  (anywhere)

30
marry.c features

• Convert wtmp/utmp/lastlog to text
• Invokes editor on converted file
• Re-writes original in-situ
• Has other "stealth" features

31
Example marry.dmp file

• 00000 dittrich pts/1 ts/1 7 9286
  20010502225034 10.0.0.1 hostname
• 00001 "" pts/1 "" 8 9285
  20010502231052 0.0.0.0 ""
• 00002 dittrich pts/1 ts/1 7 11320
  20010503103800 10.0.0.1 hostname
• 00003 "" pts/1 "" 8 11317
  20010503104241 0.0.0.0 ""
• 00004 dittrich pts/1 /1 7 25438
  20010505172540 0.0.0.0 ""
• 00005 "" pts/8 "" 8 26600
  20010505182523 0.0.0.0 ""
• 00006 dittrich pts/4 ts/4 7 3332
  20010508111744 10.0.0.1 hostname
• 00007 "" pts/4 "" 8 3331
  20010508115759 0.0.0.0 ""
• 00008 dittrich pts/4 /4 7 5038
  20010508230648 0.0.0.0 ""
• 00009 dittrich pts/6 ts/6 7 7136
  20010509110712 10.0.0.1 hostname
• 0000a "" pts/6 "" 8 7135
  20010509121218 0.0.0.0 ""
• 0000b dittrich pts/6 ts/6 7 7637
  20010509143847 10.0.0.1 hostname
• 0000c "" pts/6 "" 8 7636
  20010509144014 0.0.0.0 ""
• 0000d dittrich pts/6 ts/6 7 7807
  20010509154348 10.0.0.1 hostname
• 0000e "" pts/6 "" 8 7806
  20010509232823 0.0.0.0 ""
• 0000f "" "" si 8 9
  20010510084158 0.0.0.0 2.4.9-12custom
• 00010 reboot 2 0
  20010510084158 0.0.0.0 2.4.9-12custom
• 00011 runlevel 1 20021
  20010510084158 0.0.0.0 2.4.9-12custom

32
marry in use on wipe cleaned log file

• 00407 "" ttyp0 p0 8 0
  20010708003633 0.0.0.0 0
• 00408 "" "" "" 0 0
  19691231160000 0.0.0.0 ""
• 00409 "" "" "" 0 0
  19691231160000 0.0.0.0 ""
• 0040a "" "" "" 0 0
  19691231160000 0.0.0.0 ""
• 0040b "" "" "" 0 0
  19691231160000 0.0.0.0 ""
• 0040c "" "" "" 0 0
  19691231160000 0.0.0.0 ""
• 0040d "" pts/1 "" 8 1755
  20010708163736 0.0.0.0 ""
• 0040e "" "" "" 0 0
  19691231160000 0.0.0.0 ""
• 0040f "" "" "" 0 0
  19691231160000 0.0.0.0 ""
• 00410 "" pts/1 "" 8 1968
  20010708195947 0.0.0.0 ""
• 00411 root pts/1 /1 7 2244
  20010708200833 0.0.0.0 ""
• 00412 root pts/2 /2 7 2285
  20010708201005 0.0.0.0 ""
• 00413 root pts/1 /1 8 2244
  20010708201551 0.0.0.0 ""
• 00414 root pts/2 /2 8 2285
  20010708201554 0.0.0.0 ""
• 00415 root pts/1 /1 7 2348
  20010708201558 0.0.0.0 ""
• 00416 root pts/1 /1 8 2348
  20010708204818 0.0.0.0 ""
• 00417 root pts/0 /0 8 1204
  20010708204833 0.0.0.0 ""
• 00418 root pts/0 /0 7 3459
  20010708213206 0.0.0.0 ""
• 00419 root pts/1 /1 7 3855
  20010708214424 0.0.0.0 ""

33
Countering concealment

• Look for ways around rootkits
• Alternate commands
• Analysis kits
• Look for corroborating evidence
• Other logs (e.g., ssh logins, su logs)
• Active/deleted file metadata
• Deleted file contents (esp. sniffer logs!)
• Look for second sources (external)
• Network traffic flows
• Logs on servers
• Logins to/from other hosts

34
Conclusions

• You can't trust what you see
• ...or what you don't see
• You can find (most) answers
• ...but you have to look hard
• We know Tools Are Good!
• ...but what tools DONT we know about?