Progression of a Hack and Detecting Intruders - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Progression of a Hack and Detecting Intruders
  • Web 2003 Pre-conference Tutorial
  • Laurie Walters
  • lwalters@psu.edu

2
Progression Of A Hack
  • Exploration
  • Exploitation
  • Code and/or Data Uploaded to System
  • Data Downloaded from System
  • Code Installed to Retain Access
  • Evidence Removal
  • Note not all steps are followed every time a
    machine is hacked.

3
Exploration
  • Passive Exploration: social engineering, physical
    exploration, web reconnaissance (nothing is sent
    to the target that it would log as hostile)
  • Active Exploration: scanning (port and
    vulnerability scans, which the target can log)
  • An intruder may use either or both

4
Exploitation
  • Access may be gained in numerous ways, including
  • Weak OS ACLs
  • Missing or weak OS and/or application passwords
  • Access through insecure, vulnerable, or
    mis-configured services, programs, or scripts
  • Denial of service attacks
  • Privilege escalation attacks
  • etc.

5
Code and/or Data Uploaded to Hacked Machine
  • Usually includes tools to escalate privileges,
    scripts to set up software on the hacked machine,
    malicious code that scans for other vulnerable
    machines, replacement (defaced) web pages, tools
    to hide one's tracks, etc.

6
Data Downloaded From Hacked Machine
  • E.g. passwords, lists of other vulnerable
    machines, etc.

7
Code Installed to Retain Access
  • E.g. Trojan Horses, Backdoors, VNC, SSH,
    DameWare, etc.

8
Evidence Removal
  • Event Logs for applications, OS cleared
  • Can be manual or through tools / scripts

9
Steps For Detecting Intruders
  • Examine Logs
  • Examine Recent Connections to Server
  • Determine All Processes that are running
  • Investigate Processes
  • Compare MD5 Checksums / Search for file
    modifications
  • Look through directories commonly used to store
    illegitimate materials
  • Examine processes that are loaded upon boot
  • Additional things to look for

10
Examine Logs
  • Look through Web Server Logs
  • Look for a run of 4xx errors (404s, 400s) from
    one client followed by 200s: the scan tried many
    paths that did not exist and then found one that
    worked
  • Look through Firewall Logs
  • Look for invalid access addresses, ports,
    repeated connection attempts, etc.
  • Examine System Logs
  • Look for account login attempts and for
    privilege, policy, and account modification
    attempts, successes, and failures, etc.

11
Common Web Breaches
  • Buffer Overflows (a long run of filler such as
    XXXXXXXXXXXXXXX followed by code)
  • Directory Traversal
    (../../../c:\winnt\system32\cmd.exe)
  • Canonicalization (various spellings of a file
    name are equivalent, and the server checks one
    spelling but opens another; e.g. the overlong
    Unicode %c0%af for "/" that IIS decoded only
    after its ".." check)
  • Requests for unusual actions using cmd.exe or
    .bat files
  • Requests encoded in an alternate character set
    (e.g. Unicode) or containing character sequences
    that are rarely seen in legitimate requests
  • All of the above were used by recent worms (e.g.
    IIS/Sadmind, Code Red, Code Red 2, Nimda)
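As an added example (not part of the presentation), here are the two web-log heuristics from slides 10 and 11 applied to constructed NCSA-format log lines. The request strings are modelled on the probes the Nimda and Unicode-traversal worms sent; the client addresses, timestamps and function names are my own assumptions, and the signature list is illustrative rather than complete.

```python
import re
from collections import defaultdict

# Constructed sample in NCSA common log format (not from the presentation).
SAMPLE_LOG = """\
192.168.1.10 - - [12/Jul/2003:10:01:02 -0400] "GET /index.html HTTP/1.1" 200 1043
192.168.1.10 - - [12/Jul/2003:10:01:05 -0400] "GET /images/logo.gif HTTP/1.1" 200 2210
10.0.0.5 - - [12/Jul/2003:10:02:11 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287
10.0.0.5 - - [12/Jul/2003:10:02:11 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 287
10.0.0.5 - - [12/Jul/2003:10:02:12 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287
10.0.0.5 - - [12/Jul/2003:10:02:12 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287
10.0.0.5 - - [12/Jul/2003:10:02:13 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287
10.0.0.5 - - [12/Jul/2003:10:02:13 -0400] "GET /_vti_bin/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 512
192.168.1.10 - - [12/Jul/2003:10:03:40 -0400] "GET /missing.html HTTP/1.1" 404 287
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

# Request-level tells from slide 11, as (reason, regex) pairs.
PATTERNS = [
    ("directory traversal",
     re.compile(r'\.\./|\.\.\\|\.\.%(?:2f|5c|255c|c0%af|c0%2f|c1%1c|c1%9c)', re.I)),
    ("command interpreter requested",
     re.compile(r'cmd\.exe|root\.exe|\.bat\b', re.I)),
    ("overlong or alternate encoding",
     re.compile(r'%(?:c0|c1|255c|u[0-9a-f]{4})', re.I)),
    ("long run of one byte (overflow filler)",
     re.compile(r'(.)\1{199,}')),
]


def parse_log(text):
    """Return one dict per parseable line: client ip, request path, status code."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append({"ip": m["ip"], "path": m["path"], "status": int(m["status"])})
    return records


def suspicious_requests(records):
    """Slide 11: flag requests whose path matches any signature, with the reasons."""
    hits = []
    for r in records:
        reasons = [name for name, rx in PATTERNS if rx.search(r["path"])]
        if reasons:
            hits.append((r["ip"], r["status"], r["path"], reasons))
    return hits


def scan_then_success(records, min_errors=3):
    """Slide 10: clients that collected >= min_errors 4xx responses and then got a 200.
    The log is assumed to be in time order. Returns {ip: (error_count, first_200_path)}."""
    errors = defaultdict(int)
    flagged = {}
    for r in records:
        if 400 <= r["status"] < 500:
            errors[r["ip"]] += 1
        elif r["status"] == 200 and errors[r["ip"]] >= min_errors and r["ip"] not in flagged:
            flagged[r["ip"]] = (errors[r["ip"]], r["path"])
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, status, path, reasons in suspicious_requests(recs):
        print(f"{ip} {status} {path}  <- {', '.join(reasons)}")
    for ip, (n, path) in scan_then_success(recs).items():
        print(f"{ip}: {n} client errors, then 200 on {path}")
```

Run against a real access log by replacing SAMPLE_LOG with the file contents; the 200 after a burst of 404s is the line to pull the full request from, because it is the one that actually executed.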

12
Example Looking Through Web Logs
  • Cmd.exe was copied and used to run a script which
    defaced the web server.

13
Ports
  • Definition: an endpoint of a transport (TCP or
    UDP) connection, identified by a 16-bit number.
  • 65536 port numbers, 0-65535 (0 is reserved, so
    1-65535 in practice)
  • IANA divides them into well-known ports
    (0-1023), registered ports (1024-49151), and
    dynamic/private ports (49152-65535)
  • 0-1023 are the privileged ports: on Unix only
    root can bind to them
  • Ephemeral (client-side) ports are chosen by the
    OS from its own range, e.g. 1025-5000 on Windows
    NT/2000/XP, which is why the Fport sample on
    slide 16 shows services on 1025-1029; a listener
    on an unfamiliar high port is worth investigating

14
Examine Recent Connections to Server
  • netstat -natp (Linux; -p adds the PID and program
    name that owns each socket)
  • lsof -i (Solaris and any Unix with lsof
    installed; maps every open socket to a process)
  • netstat -na (other flavors of Unix and Windows;
    Windows XP and later also accept -o to show the
    owning PID)
  • Look especially for connections whose foreign
    address is something other than the machine's own
    IP address, 127.0.0.1, or 0.0.0.0

15
Determine All Processes That Are Running
  • In Unix, use ps (e.g. ps -ef or ps aux) to list
    the running processes, and lsof -i or lsof -p PID
    to see which sockets and files each one has open
  • In Windows, use a program such as Fport or
    TCPView, which map each listening port back to
    the process and executable path that owns it
  • You can telnet to open ports to see if they
    display a banner, e.g. telnet 127.0.0.1 6129
    (6129 is the default port of DameWare, one of the
    remote-access tools listed on slide 7)
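The checks from slides 14 and 15 as one added example (mine, not the presentation's): parse the output of `netstat -natp`, list the established connections whose peer is not the host itself, and compare the listening sockets against a baseline of which program is expected on which port, the way one would eyeball Fport or TCPView output. The netstat text below is a constructed excerpt; the host address 192.0.2.10, the peers, the baseline and the process name "bd" are all made up for the example.

```python
from collections import Counter

# Constructed excerpt of `netstat -natp` output on Linux (not from the presentation).
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      701/sendmail
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      745/httpd
tcp        0      0 0.0.0.0:6129            0.0.0.0:*               LISTEN      9132/bd
tcp        0      0 192.0.2.10:80           198.51.100.4:3311       ESTABLISHED 745/httpd
tcp        0      0 192.0.2.10:6129         203.0.113.7:1044        ESTABLISHED 9132/bd
tcp        0      0 127.0.0.1:25            127.0.0.1:1027          ESTABLISHED 701/sendmail
tcp        0      0 192.0.2.10:34871        203.0.113.7:21          ESTABLISHED 9140/ftp
"""

# Assumed baseline for this host: which program should own each listening port.
KNOWN_LISTENERS = {22: "sshd", 25: "sendmail", 80: "httpd"}
LOCAL_IGNORE = {"127.0.0.1", "0.0.0.0"}


def parse_netstat(text):
    """Turn netstat -natp lines into dicts. UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].startswith(("tcp", "udp")):
            continue
        proto, local, foreign = parts[0], parts[3], parts[4]
        rest = parts[5:]
        state = rest.pop(0) if proto.startswith("tcp") and rest else ""
        pid, _, prog = (rest[0] if rest else "-").partition("/")
        lip, lport = local.rsplit(":", 1)
        fip, fport = foreign.rsplit(":", 1)
        rows.append({"proto": proto, "lip": lip, "lport": int(lport), "fip": fip,
                     "fport": fport, "state": state, "pid": pid, "prog": prog})
    return rows


def foreign_connections(rows, host_ips):
    """Slide 14: established sockets whose peer is not this machine."""
    skip = LOCAL_IGNORE | set(host_ips)
    return [r for r in rows if r["state"] == "ESTABLISHED" and r["fip"] not in skip]


def unexpected_listeners(rows, baseline=KNOWN_LISTENERS):
    """Slide 15: listening sockets not owned by the program the baseline expects."""
    return [r for r in rows
            if r["state"] == "LISTEN" and baseline.get(r["lport"]) != r["prog"]]


def peer_summary(rows, host_ips):
    """How many established sessions each outside address holds; a peer that is both
    connected to a strange listener and the target of an outbound transfer stands out."""
    return Counter(r["fip"] for r in foreign_connections(rows, host_ips))


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_SAMPLE)
    for r in unexpected_listeners(rows):
        print(f"unexpected listener: port {r['lport']} owned by {r['pid']}/{r['prog']}")
    for r in foreign_connections(rows, ["192.0.2.10"]):
        print(f"{r['lip']}:{r['lport']} <-> {r['fip']}:{r['fport']} {r['pid']}/{r['prog']}")
    print(peer_summary(rows, ["192.0.2.10"]))
```

Note that netstat on the compromised host is itself a candidate for replacement by the intruder, so run the statically compiled copy from trusted media (slide 20) or capture the connection list from the firewall side as well.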

16
Fport Sample
  C:\FPort>fport
  FPort v1.31 - TCP/IP Process to Port Mapper
  Copyright 2000 by Foundstone, Inc.
  http://www.foundstone.com
  Securing the dot com World

  Pid   Process            Port  Proto Path
  416   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
  8     System         ->  139   TCP
  8     System         ->  445   TCP
  676   MSTask         ->  1025  TCP   C:\WINNT\system32\MSTask.exe
  952   navapw         ->  31028 TCP   C:\PROGRA~1\NORTON~1\navapw32.exe
  416   svchost        ->  135   UDP   C:\WINNT\system32\svchost.exe
  8     System         ->  137   UDP
  8     System         ->  138   UDP
  8     System         ->  445   UDP
  252   lsass          ->  500   UDP   C:\WINNT\system32\lsass.exe
  240   services       ->  1026  UDP   C:\WINNT\system32\services.exe
  888   iexplore       ->  1029  UDP   C:\Program Files\Internet Explorer\iexplore.exe

17
Example TCPView
  • TCPView has a graphical Interface, unlike FPort

18
Backdoors Found
  • telnet 130.203.x.x 673
  • Login:
  • telnet 130.203.x.x 4160
  • Login:
  • telnet 130.203.x.x 6129
  • Escape character is '^]'.
  • 0Wp@

19
Use Strings on ps and ls
  • Run strings on the ps and ls binaries (and on any
    other suspect system binary). A trojaned
    replacement usually embeds the path of the
    configuration file or directory that tells it
    which processes or files to hide.
  • If there are any signs of directory entries in
    the output, navigate to that directory.
    Commonly, there will be other hidden programs in
    the directory contained in the output.

20
Use Statically-Compiled Binaries for Unix
  • After building a system, create a backup CD or
    floppy of statically compiled versions of ls, ps,
    netstat, lsof, find, strings, etc., and keep it
    off the machine
  • A trojaned ls may display incorrect dates/times
    or a partial or incorrect list of files and
    directories; a trojaned ps may list incomplete or
    incorrect processes
  • To build the kit, use which to determine the
    location of each command, then use ldd on that
    path to list all of the shared libraries it loads
  • If you cannot rebuild the tools statically (e.g.
    gcc -static), copy the binary together with every
    library ldd listed onto the backup media and run
    the tools with LD_LIBRARY_PATH pointing at that
    copy, so nothing from the suspect system's
    library directories is loaded
  • Even a trusted static binary still gets its
    answers from the running kernel, so a kernel-level
    rootkit can lie to it; when in doubt, examine the
    disk offline from known-good media

21
Investigate Processes
  • Navigate to the directory of each running
    process's executable and examine the file's size
    and timestamps closely
  • In Unix, run ls -lact, which gives a detailed
    listing sorted by the time the inode was last
    changed (ctime); ls -lat sorts by content
    modification time (mtime). An intruder can reset
    mtime with touch, but doing so updates ctime.
  • In Windows, look at the properties of the file to
    determine time, size, author, description, owner,
    etc.

22
Compare MD5 Checksums / Search for file
modifications
  • If Tripwire (or another integrity checker) was
    installed, run a check against the stored
    checksum database to see which files have been
    modified. The database must have been created
    before the intrusion and kept read-only or
    off-line, or the intruder can update it too.
  • Otherwise, you can search the hard drive for
    files modified since the date of the suspected
    intrusion
  • In Unix, find / -ctime -N lists files whose inode
    changed within the last N days, and find / -newer
    /some/file lists files modified after a reference
    file
  • In Windows, use the Search "Date Modified" option
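The two approaches on this slide as one added example (my code, not Tripwire's and not from the presentation): a checksum baseline built before the intrusion and compared afterwards, and, for a host with no baseline, a ctime sweep equivalent to find -ctime. The toy directory tree, file contents and the "trojaned ls" scenario in demo() are constructed. MD5 is used because the slide names it; collisions against MD5 have been practical since 2004, so a baseline created today should use SHA-256 (pass algo="sha256"), and the baseline file itself must be stored off the host.

```python
import hashlib
import os
import shutil
import tempfile
import time


def hash_file(path, algo="md5", chunk=65536):
    """Digest a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, algo="md5"):
    """Map relative path -> digest for every regular file under root (symlinks skipped)."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full, algo)
    return baseline


def compare_baseline(root, baseline, algo="md5"):
    """Tripwire-style report: files whose digest changed, new files, missing files."""
    current = build_baseline(root, algo)
    return {
        "changed": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def changed_since(root, cutoff_epoch):
    """The find -ctime approach: files whose inode change time is newer than cutoff.
    touch(1) can backdate mtime but not ctime, which is why ctime is the one to sweep."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if st.st_ctime > cutoff_epoch:
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)


def demo():
    """Constructed scenario: snapshot a toy tree, replace one binary, add a hidden
    file, delete one file, then return what each check reports."""
    root = tempfile.mkdtemp(prefix="ir-demo-")

    def put(rel, data):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)

    put("bin/ls", b"original ls")
    put("bin/ps", b"original ps")
    put("etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
    baseline = build_baseline(root)          # taken "before the intrusion"
    cutoff = time.time()
    time.sleep(1.1)                          # some filesystems keep ctime at 1 s resolution
    put("bin/ls", b"trojaned ls")            # replaced binary
    put("bin/.rk", b"rootkit config")        # new hidden file
    os.remove(os.path.join(root, "etc/passwd"))
    report = compare_baseline(root, baseline)
    report["ctime_after_cutoff"] = changed_since(root, cutoff)
    shutil.rmtree(root)
    return report


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

For a real host, run build_baseline("/") right after installation, write the dict out to removable media, and run compare_baseline from a trusted boot rather than from the suspect system's own Python and kernel.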

23
Look Through Directories Commonly Used to Store
Illegitimate Materials
  • In Unix, check /tmp/ and /etc/. Entries might
    also be modified or hidden in /dev/ and in
    library directories such as /lib/, /usr/lib/, and
    /usr/X11/. The /etc/ld.so.conf file lists the
    library directory locations.
  • In Windows, check for new folders in
    C:\Winnt\System32 (or C:\Windows\System32). There
    are often folders added to the Setup directory
    under System32. Also look for hidden folders in
    the RECYCLER directory (the Recycle Bin).

24
Example Tools Uploaded to Web Server
  • Lots of tools were found in the
    C:\Winnt\System32\Setup directory, including
    Password Dump, Netcat, Serv-U FTP Server, etc.

25
Check for Processes Loaded Upon System Boot
  • For System V-style (non-BSD) Unix, check the
    /etc/rc.d scripts (or /etc/init.d and the
    /etc/rc*.d symlinks) and /etc/inittab
  • For BSD-based Unix, examine the following files
    for extraneous processes: /etc/rc.system,
    /etc/rc.local, and /etc/rc.startup
  • On either, also check the crontabs; cron is a
    common way to restart a backdoor
  • For Windows, use regedit to look at the following
    keys:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    and
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    (the same keys under HKEY_CURRENT_USER and the
    list of installed services are also worth a look)

26
Additional Things to Look for If You Suspect a
Compromise
  • After all processes and files have been examined
    and accounted for, check other directory
    permissions, system accounts, policies, firewall
    rules, etc. to be sure that that they have not
    been modified.

27
I'm Compromised, Now What?
  • Contact Security (security@psu.edu or (814)
    863-9533)
  • Format and reinstall rather than attempting to
    fix the problem. If an investigation is likely,
    preserve an image of the disk before wiping it;
    a rebuilt system cannot tell you how the intruder
    got in.