Title: Module 3 Concealment and Log Alteration
Slide 1: Module 3: Concealment and Log Alteration
Highline Community College Seattle University
University of Washington in conjunction
with the National Science Foundation
Slide 2: Topics
- Hexadecimal ASCII/numeric data
- Alteration of logs
- Examples
Slide 3: ASCII text file
- cat hexcharacters.txt
  0123456789ABCDEF
  0123456789ABCDEF
  0123456789ABCDEF
  0123456789ABCDEF
  0123456789ABCDEF
  0123456789ABCDEF
Slide 4: man ascii
  NAME
       ascii - octal, hexadecimal and decimal ASCII character sets
  DESCRIPTION
       . . .
       The hexadecimal set:
       00 nul  01 soh  02 stx  03 etx  04 eot  05 enq  06 ack  07 bel
       08 bs   09 ht   0a nl   0b vt   0c np   0d cr   0e so   0f si
       10 dle  11 dc1  12 dc2  13 dc3  14 dc4  15 nak  16 syn  17 etb
       18 can  19 em   1a sub  1b esc  1c fs   1d gs   1e rs   1f us
       20 sp   21 !    22 "    23 #    24 $    25 %    26 &    27 '
       28 (    29 )    2a *    2b +    2c ,    2d -    2e .    2f /
       30 0    31 1    32 2    33 3    34 4    35 5    36 6    37 7
       38 8    39 9    3a :    3b ;    3c <    3d =    3e >    3f ?
       40 @    41 A    42 B    43 C    44 D    45 E    46 F    47 G
       48 H    49 I    4a J    4b K    4c L    4d M    4e N    4f O
       50 P    51 Q    52 R    53 S    54 T    55 U    56 V    57 W
Slide 5: Hexadecimal (base 16) dump
- hexdump -C hexcharacters.txt
  00000000  30 31 32 33 34 35 36 37 38 39 41 42 43 44 45 46  |0123456789ABCDEF|
  00000010  0a 30 31 32 33 34 35 36 37 38 39 41 42 43 44 45  |.0123456789ABCDE|
  00000020  46 0a 30 31 32 33 34 35 36 37 38 39 41 42 43 44  |F.0123456789ABCD|
  00000030  45 46 0a 30 31 32 33 34 35 36 37 38 39 41 42 43  |EF.0123456789ABC|
  00000040  44 45 46 0a 30 31 32 33 34 35 36 37 38 39 41 42  |DEF.0123456789AB|
  00000050  43 44 45 46 0a 30 31 32 33 34 35 36 37 38 39 41  |CDEF.0123456789A|
  00000060  42 43 44 45 46 0a                                |BCDEF.|
  00000066
Slide 6: Concealment using "Rootkits"
- Replacement of operating system commands or system calls
- Two fundamental types
  - Application (User) Level
  - Kernel Level
- Configuration file(s) to control hiding
- Often simple to identify/bypass, but can be very difficult to detect/disable
  http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq
Slide 7: Alteration of logs
- Types of logs
- Ways to clean logs
- Disable logging for future
Slide 8: Types of logs
- Text
  - Unix syslog
  - Apache access logs
- Binary
  - Unix utmp/wtmp/lastlog
  - Windows Event logs
Slide 9: Ways to clean logs
- Delete (or shred)
- Filter Delete
- Edit in place
Slide 10: Disable logging
- Kill syslogd
- Link log files to /dev/null
- Edit/delete syslog configuration file
- Fill partition containing log files
Slide 11: Deleting login entries from Unix wtmp
- How does wtmp logging work?
- Examples
  - Using wzap
  - Using wipe
  - Using marry
Slide 12: How does wtmp logging work?
- Definition of a wtmp entry, from /usr/include/bits/utmp.h
  UT_LINESIZE is 32 bytes, UT_NAMESIZE is 32 bytes, UT_HOSTSIZE is 256 bytes
  . . .
Slide 13: (continued)
  /* The structure describing an entry in the user accounting database.  */
  struct utmp
  {
    short int ut_type;              /* Type of login.  */
    pid_t ut_pid;                   /* Process ID of login process.  */
    char ut_line[UT_LINESIZE];      /* Devicename.  */
    char ut_id[4];                  /* Inittab ID.  */
    char ut_user[UT_NAMESIZE];      /* Username.  */
    char ut_host[UT_HOSTSIZE];      /* Hostname for remote login.  */
    struct exit_status ut_exit;     /* Exit status of a process marked
                                       as DEAD_PROCESS.  */
    long int ut_session;            /* Session ID, used for windowing.  */
    struct timeval ut_tv;           /* Time entry was made.  */
    int32_t ut_addr_v6[4];          /* Internet address of remote host.  */
    char __unused[20];              /* Reserved for future use.  */
  };
Slide 14: Output of last
  reboot   system boot  2.4.2-2          Fri Aug 24 11:13          (01:53)
  ftp      ftpd12458    localhost.locald Fri Aug 24 09:45 - 09:46  (00:00)
  dittrich pts/1                         Fri Aug 24 09:45 - down   (01:25)
  ftp      ftpd12433    localhost.locald Fri Aug 24 09:43 - 09:44  (00:00)
  dittrich pts/0                         Fri Aug 24 09:28 - down   (01:42)
  dittrich :0                            Fri Aug 24 09:28 - down   (01:42)
  dittrich pts/0                         Fri Aug 24 09:24 - 09:28  (00:03)
  dittrich pts/6                         Sun Aug 19 11:43 - 13:45  (2+02:02)
  dittrich pts/1                         Sun Aug 19 01:32 - 13:27  (2+11:54)
  dittrich pts/5                         Sun Aug 19 01:26 - 09:23  (5+07:56)
  dittrich pts/4                         Sun Aug 19 01:23 - 09:23  (5+08:00)
  dittrich pts/0                         Sun Aug 19 01:19 - 09:24  (5+08:04)
  dittrich pts/6                         Sat Aug 18 21:26 - 01:18  (03:52)
  dittrich pts/5                         Sat Aug 18 21:16 - 01:19  (04:02)
  dittrich pts/4                         Sat Aug 18 21:14 - 01:19  (04:04)
  dittrich pts/3                         Sat Aug 18 15:15 - 09:24  (5+18:08)
  dittrich pts/1                         Sat Aug 18 13:21 - 01:32  (12:11)
  dittrich pts/2                         Sun Aug  5 15:49 - 21:13  (13+05:24)
  dittrich pts/0                         Sun Aug  5 15:40 - 01:18  (13+09:38)
Slide 15: Hex dump of wtmp file
  0000000 0700 0000 e404 0000 7074 732f 3000 0000  ........pts/0...
  0000010 0000 0000 0000 0000 0000 0000 0000 0000  ................
  0000020 0000 0000 0000 0000 2f30 0000 6469 7474  ......../0..ditt
  0000030 7269 6368 0000 0000 0000 0000 0000 0000  rich............
  0000040 0000 0000 0000 0000 0000 0000 0000 0000  ................
  0000050 0000 0000 0000 0000 0000 0000 0000 0000  ................
  . . .
  0000140 0000 0000 0000 0000 0000 0000 0000 0000  ................
  0000150 0000 0000 45cb 6d3b 8325 0a00 0000 0000  ....E.m;.%......
  0000160 0000 0000 0000 0000 0000 0000 0000 0000  ................
  0000170 0000 0000 0000 0000 0000 0000 0000 0000  ................
Slide 16: Hex dump of wtmp file, annotated with the struct utmp fields
  0000000 0700 0000 e404 0000 7074 732f 3000 0000  ........pts/0...
          --type--- ---pid--- -----device name---
  0000010 0000 0000 0000 0000 0000 0000 0000 0000  ................
          --------------device name--------------
  0000020 0000 0000 0000 0000 2f30 0000 6469 7474  ......../0..ditt
          ------------------- ---id---- ---user--
  0000030 7269 6368 0000 0000 0000 0000 0000 0000  rich............
          ----------------username---------------
  0000040 0000 0000 0000 0000 0000 0000 0000 0000  ................
          ------------username--------- -hostname
  . . .
  0000140 0000 0000 0000 0000 0000 0000 0000 0000  ................
          -----------hostname---------- --exit---
  0000150 0000 0000 45cb 6d3b 8325 0a00 0000 0000  ....E.m;.%......
          -session- -------time------- --address
  0000160 0000 0000 0000 0000 0000 0000 0000 0000  ................
          ---------IP address---------- -reserved
  0000170 0000 0000 0000 0000 0000 0000 0000 0000  ................
          ---------------reserved----------------
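To check the annotation by hand, here is an added Python example (not part of the deck) that decodes the two dump lines shown for the first record. It assumes the struct utmp layout printed on slide 13 on 32-bit x86 (ut_type at offset 0, ut_pid at 4, ut_line at 8, ut_tv.tv_sec at 340 = 0x154), that the dump's offsets are hexadecimal and that each four-digit group is two bytes in file order (which the ASCII column confirms), while the integers inside the record are little-endian. The decoded tv_sec is 22:40:05 UTC on 5 Aug 2001, i.e. 15:40:05 Pacific Daylight Time, the time of the first dittrich pts/0 entry in the last output on slide 14.

```python
import struct
import time

# Two lines copied from the slide's hex dump of the first wtmp record: hex offsets,
# then eight groups of two bytes each in file order (the ASCII column is omitted).
DUMP_LINE_0000 = "0000000 0700 0000 e404 0000 7074 732f 3000 0000"
DUMP_LINE_0150 = "0000150 0000 0000 45cb 6d3b 8325 0a00 0000 0000"


def dump_line_to_bytes(line):
    """Return (offset, bytes) for one dump line."""
    fields = line.split()
    offset = int(fields[0], 16)
    data = bytes.fromhex("".join(fields[1:9]))
    return offset, data


def decode_first_record():
    """Pull the fields the slide annotates out of the two dump lines."""
    off0, head = dump_line_to_bytes(DUMP_LINE_0000)
    assert off0 == 0
    # short ut_type, 2 bytes of alignment padding, pid_t ut_pid (all little-endian)
    ut_type, ut_pid = struct.unpack_from("<h2xi", head, 0)
    # char ut_line[32] starts at byte 8; only its first 8 bytes are on this line
    ut_line = head[8:].split(b"\0", 1)[0].decode()
    off150, tail = dump_line_to_bytes(DUMP_LINE_0150)
    # struct utmp offsets (32-bit glibc): ut_session at 336 (0x150),
    # ut_tv.tv_sec at 340 (0x154), ut_tv.tv_usec at 344 (0x158)
    tv_sec, tv_usec = struct.unpack_from("<ii", tail, 0x154 - off150)
    return {
        "ut_type": ut_type,          # 7 == USER_PROCESS
        "ut_pid": ut_pid,
        "ut_line": ut_line,
        "tv_sec": tv_sec,
        "tv_usec": tv_usec,
        "utc": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(tv_sec)),
    }


if __name__ == "__main__":
    for key, value in decode_first_record().items():
        print("%-8s %s" % (key, value))
```

The same bytes read as big-endian would give a nonsensical date, so the byte order of the dump and of the fields inside it must be settled before any value in a binary log is trusted.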
Slide 17: t0rnkit wzap
- Section of the t0rn script that calls wzap
  . . .
  mv wzap /var/log
  cd /var/log
  ./wzap ftp
  mv wtmp.out wtmp
  rm -rf /var/log/wzap
  . . .
Slide 18: t0rnkit wzap in use
- ltrace while running wzap
Slide 19: ltrace output
  __libc_start_main(0x080485c0, 2, 0xbffff8ec, 0x080483fc, 0x0804876c <unfinished ...>
  __register_frame_info(0x08049884, 0x08049980, 0xbffff8a0, 0x08048421, 0x4014a9e4) = 0x4014b5e0
  strcpy(0xbffff86c, "ftp")                          = 0xbffff86c
  printf("\nopening file...\n")                      = 17
  fopen("wtmp", "r")                                 = 0x08049b30
  printf("opening output file...\n")                 = 23
  fopen("wtmp.out", "wr")                            = 0x08049ca0
  printf("working...\n")                             = 11
  feof(0x08049b30)                                   = 0
  fread(0x080499a0, 384, 1, 0x08049b30)              = 1
  strncmp("dittrich", "ftp", 8)                      = -2
  fwrite("\007", 384, 1, 0x08049ca0)                 = 1
  feof(0x08049b30)                                   = 0
  . . .
Slide 20: ltrace output (continued)
  . . .
  fread(0x080499a0, 384, 1, 0x08049b30)              = 1
  strncmp("ftp", "ftp", 8)                           = 0
  feof(0x08049b30)                                   = 0
  fread(0x080499a0, 384, 1, 0x08049b30)              = 1
  strncmp("", "ftp", 8)                              = -102
  fwrite("", 384, 1, 0x08049ca0)                     = 1
  feof(0x08049b30)                                   = 0
  fread(0x080499a0, 384, 1, 0x08049b30)              = 1
  . . .
Slide 21: wtmp before wzap
  dittrich pts/3                         Fri Aug 24 13:19 - 13:30  (00:10)
  dittrich pts/0                         Fri Aug 24 13:19   still logged in
  dittrich pts/1                         Fri Aug 24 13:19 - 21:49  (5+08:29)
  dittrich pts/2                         Fri Aug 24 13:19 - 15:57  (02:37)
  dittrich :0                            Fri Aug 24 13:19   still logged in
  reboot   system boot  2.4.2-2          Fri Aug 24 13:18          (11+09:33)
  root     tty1                          Fri Aug 24 13:17 - down   (00:00)
  dittrich :0                            Fri Aug 24 13:16 - down   (00:00)
  root     tty2                          Fri Aug 24 13:10 - 13:16  (00:05)
  root     tty1                          Fri Aug 24 13:10 - 13:16  (00:06)
  reboot   system boot  2.4.2-2          Fri Aug 24 13:08          (00:08)
  dittrich pts/1                         Fri Aug 24 11:35 - down   (01:30)
  dittrich pts/0                         Fri Aug 24 11:35 - down   (01:30)
  dittrich :0                            Fri Aug 24 11:35 - down   (01:30)
  reboot   system boot  2.4.2-2          Fri Aug 24 11:13          (01:53)
  ftp      ftpd12458    localhost.locald Fri Aug 24 09:45 - 09:46  (00:00)
  dittrich pts/1                         Fri Aug 24 09:45 - down   (01:25)
  ftp      ftpd12433    localhost.locald Fri Aug 24 09:43 - 09:44  (00:00)
  dittrich pts/0                         Fri Aug 24 09:28 - down   (01:42)
Slide 22: wtmp after wzap
  dittrich pts/3                         Fri Aug 24 13:19 - 13:30  (00:10)
  dittrich pts/0                         Fri Aug 24 13:19   still logged in
  dittrich pts/1                         Fri Aug 24 13:19 - 21:49  (5+08:29)
  dittrich pts/2                         Fri Aug 24 13:19 - 15:57  (02:37)
  dittrich :0                            Fri Aug 24 13:19   still logged in
  reboot   system boot  2.4.2-2          Fri Aug 24 13:18          (11+09:33)
  root     tty1                          Fri Aug 24 13:17 - down   (00:00)
  dittrich :0                            Fri Aug 24 13:16 - down   (00:00)
  root     tty2                          Fri Aug 24 13:10 - 13:16  (00:05)
  root     tty1                          Fri Aug 24 13:10 - 13:16  (00:06)
  reboot   system boot  2.4.2-2          Fri Aug 24 13:08          (00:08)
  dittrich pts/1                         Fri Aug 24 11:35 - down   (01:30)
  dittrich pts/0                         Fri Aug 24 11:35 - down   (01:30)
  dittrich :0                            Fri Aug 24 11:35 - down   (01:30)
  reboot   system boot  2.4.2-2          Fri Aug 24 11:13          (01:53)
  dittrich pts/1                         Fri Aug 24 09:45 - down   (01:25)
  dittrich pts/0                         Fri Aug 24 09:28 - down   (01:42)
  dittrich :0                            Fri Aug 24 09:28 - down   (01:42)

  wtmp begins Sun Aug  5 15:40:05 2001
Slide 23: t0rnkit wzap in use
- wzap must be run in /var/log
- wzap copied to /var and deleted
  - (Can be recovered from /var)
- wtmp file cleaned properly, but not in place
  - Original wtmp deleted
  - (Can be recovered from /var)
Slide 24: wipe features
- USAGE: wipe [u|w|l|a] ...options...
- UTMP editing
  - Erase all usernames:          wipe u username
  - Erase one username on tty:    wipe u username tty
- WTMP editing
  - Erase last entry for user:    wipe w username
  - Erase last entry on tty:      wipe w username tty
- LASTLOG editing
  - Blank lastlog for user:       wipe l username
  - Alter lastlog entry:          wipe l username tty time host
    - Where time is in the format YYMMddhhmm
- ACCT editing
  - Erase acct entries on tty:    wipe a username tty
Slide 25: wipe in use (ltrace output)
  . . .
  printf("Patching %s .... ", "/var/log/wtmp")       = 28
  fflush(0x0804a9d0)                                 = 0
  open("/var/log/wtmp", 2, 03766)                    = 3
  lseek(3, -384, 2, 2038, 0x4003670e)                = 68736
  read(3, "\007", 384)                               = 384
  strlen(0xbffffbbc, 7, 15576, 0x2f737470, 51)       = 3
  strncmp("dittrich", "ftp", 3)                      = -2
  . . .
  strlen(0xbffffbbc, 0x08090968, 0, 0x64707466, 0x33343231) = 3
  strncmp("ftp", "ftp", 3)                           = 0
  bzero(0xbffff8e8, 384)                             = <void>
  lseek(3, -384, 1, 0, 0)                            = 11520
  write(3, "", 384)                                  = 384
  close(3)                                           = 0
  printf("Done.\n")                                  = 6
  exit(0)                                            = <void>
  +++ exited (status 0) +++
Slide 26: wipe in use
- Original
  0003180 8009 0908 0000 0000 6674 7064 3132 3435  ........ftpd1245
  0003190 3800 0000 0000 0000 0000 0000 0000 0000  8...............
  00031a0 0000 0000 0000 0000 78d8 ffbf 6674 7000  ........x...ftp.
- After wipe
  0003180 0000 0000 0000 0000 0000 0000 0000 0000  ................
  0003190 0000 0000 0000 0000 0000 0000 0000 0000  ................
  00031a0 0000 0000 0000 0000 0000 0000 0000 0000  ................
Slide 27: wipe in use
- Original
  00031c0 0000 0000 0000 0000 0000 0000 6c6f 6361  ............loca
  00031d0 6c68 6f73 742e 6c6f 6361 6c64 6f6d 6169  lhost.localdomai
  00031e0 6e00 0000 0000 0000 0000 0000 0000 0000  n...............
- After wipe
  00031c0 0000 0000 0000 0000 0000 0000 0000 0000  ................
  00031d0 0000 0000 0000 0000 0000 0000 0000 0000  ................
  00031e0 0000 0000 0000 0000 0000 0000 0000 0000  ................
Slide 28: wipe in use
- Original
  00032d0 0000 0000 b884 836b 207a 1040 1140 1410  ....... z.@.@.@.
  00032e0 c0d9 ffbf 0000 0040 20d9 f0fb fe3d 1040  .......@ .....@
  00032f0 9700 0000 99fc 14a0 10ef fbfe f3fe f35f  .......@.......
- After wipe
  00032d0 0000 0000 0000 0000 0000 0000 0000 0000  ................
  00032e0 0000 0000 0000 0000 0000 0000 0000 0000  ................
  00032f0 0000 0000 0000 0000 0000 0000 0000 0000  ................
Slide 29: wipe in use
- Original wtmp edited in place
- wtmp file left with zeroed areas
- wipe may still be in the file system somewhere (anywhere)
Slide 30: marry.c features
- Convert wtmp/utmp/lastlog to text
- Invokes editor on converted file
- Re-writes original in-situ
- Has other "stealth" features
Slide 31: Example marry.dmp file
  (fields: index, ut_user, ut_line, ut_id, ut_type, ut_pid, time, address, ut_host)
  00000 dittrich  pts/1  ts/1  7  9286   20010502225034  10.0.0.1  hostname
  00001 ""        pts/1  ""    8  9285   20010502231052  0.0.0.0   ""
  00002 dittrich  pts/1  ts/1  7  11320  20010503103800  10.0.0.1  hostname
  00003 ""        pts/1  ""    8  11317  20010503104241  0.0.0.0   ""
  00004 dittrich  pts/1  /1    7  25438  20010505172540  0.0.0.0   ""
  00005 ""        pts/8  ""    8  26600  20010505182523  0.0.0.0   ""
  00006 dittrich  pts/4  ts/4  7  3332   20010508111744  10.0.0.1  hostname
  00007 ""        pts/4  ""    8  3331   20010508115759  0.0.0.0   ""
  00008 dittrich  pts/4  /4    7  5038   20010508230648  0.0.0.0   ""
  00009 dittrich  pts/6  ts/6  7  7136   20010509110712  10.0.0.1  hostname
  0000a ""        pts/6  ""    8  7135   20010509121218  0.0.0.0   ""
  0000b dittrich  pts/6  ts/6  7  7637   20010509143847  10.0.0.1  hostname
  0000c ""        pts/6  ""    8  7636   20010509144014  0.0.0.0   ""
  0000d dittrich  pts/6  ts/6  7  7807   20010509154348  10.0.0.1  hostname
  0000e ""        pts/6  ""    8  7806   20010509232823  0.0.0.0   ""
  0000f ""        ""     si    8  9      20010510084158  0.0.0.0   2.4.9-12custom
  00010 reboot    2  0                   20010510084158  0.0.0.0   2.4.9-12custom
  00011 runlevel  1  20021                20010510084158  0.0.0.0   2.4.9-12custom
Slide 32: marry in use on a wipe-cleaned log file
  (fields as on slide 31; an all-zero record shows as type 0 with time 19691231160000, i.e. epoch 0 in local time)
  00407 ""    ttyp0  p0  8  0     20010708003633  0.0.0.0  0
  00408 ""    ""     ""  0  0     19691231160000  0.0.0.0  ""
  00409 ""    ""     ""  0  0     19691231160000  0.0.0.0  ""
  0040a ""    ""     ""  0  0     19691231160000  0.0.0.0  ""
  0040b ""    ""     ""  0  0     19691231160000  0.0.0.0  ""
  0040c ""    ""     ""  0  0     19691231160000  0.0.0.0  ""
  0040d ""    pts/1  ""  8  1755  20010708163736  0.0.0.0  ""
  0040e ""    ""     ""  0  0     19691231160000  0.0.0.0  ""
  0040f ""    ""     ""  0  0     19691231160000  0.0.0.0  ""
  00410 ""    pts/1  ""  8  1968  20010708195947  0.0.0.0  ""
  00411 root  pts/1  /1  7  2244  20010708200833  0.0.0.0  ""
  00412 root  pts/2  /2  7  2285  20010708201005  0.0.0.0  ""
  00413 root  pts/1  /1  8  2244  20010708201551  0.0.0.0  ""
  00414 root  pts/2  /2  8  2285  20010708201554  0.0.0.0  ""
  00415 root  pts/1  /1  7  2348  20010708201558  0.0.0.0  ""
  00416 root  pts/1  /1  8  2348  20010708204818  0.0.0.0  ""
  00417 root  pts/0  /0  8  1204  20010708204833  0.0.0.0  ""
  00418 root  pts/0  /0  7  3459  20010708213206  0.0.0.0  ""
  00419 root  pts/1  /1  7  3855  20010708214424  0.0.0.0  ""
Slide 33: Countering concealment
- Look for ways around rootkits
  - Alternate commands
  - Analysis kits
- Look for corroborating evidence
  - Other logs (e.g., ssh logins, su logs)
  - Active/deleted file metadata
  - Deleted file contents (esp. sniffer logs!)
- Look for second sources (external)
  - Network traffic flows
  - Logs on servers
  - Logins to/from other hosts
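The struct on slides 12 and 13 and the traces shown on slides 22 through 32 (nameless DEAD_PROCESS records left behind when wzap drops a user's login records; all-zero records left behind when wipe overwrites in place) are enough to write a consistency check over a wtmp file, which is one concrete form of the "look for corroborating evidence" advice above. The following Python is an added example, not the deck's code or any tool it describes. It assumes the 32-bit glibc layout on slide 13 (384-byte records, little-endian integers), the utmp.h type values BOOT_TIME = 2, USER_PROCESS = 7 and DEAD_PROCESS = 8, and builds its own five-record sample image (the user "alice", the pids, lines and timestamps are made up) instead of reading /var/log/wtmp.

```python
import struct

# struct utmp as printed on slide 13 (glibc bits/utmp.h, 32-bit x86):
#   short ut_type; 2 bytes padding; pid_t ut_pid; char ut_line[32]; char ut_id[4];
#   char ut_user[32]; char ut_host[256]; struct exit_status ut_exit (2 x short);
#   long ut_session; struct timeval ut_tv (2 x int32); int32_t ut_addr_v6[4];
#   char __unused[20]  -> 384 bytes, the record size seen in the ltrace fread/fwrite calls.
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

# ut_type values from utmp.h
EMPTY, BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 0, 2, 7, 8


def _cstr(raw):
    """Decode a NUL-padded char[] field."""
    return raw.split(b"\0", 1)[0].decode("latin-1")


def pack_record(ut_type, pid, line, ident, user, host, tv_sec):
    """Build one 384-byte record (used only to construct the sample image below)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), ident.encode(),
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0,
                       0, 0, 0, 0, b"")


def parse_wtmp(data):
    """Split a wtmp image into decoded records; a partial trailing record is an error."""
    if len(data) % UTMP_SIZE:
        raise ValueError("length %d is not a multiple of %d" % (len(data), UTMP_SIZE))
    records = []
    for off in range(0, len(data), UTMP_SIZE):
        chunk = data[off:off + UTMP_SIZE]
        f = struct.unpack(UTMP_FMT, chunk)
        records.append({
            "index": off // UTMP_SIZE, "type": f[0], "pid": f[1],
            "line": _cstr(f[2]), "id": _cstr(f[3]), "user": _cstr(f[4]),
            "host": _cstr(f[5]), "tv_sec": f[9],
            "zeroed": chunk == bytes(UTMP_SIZE),
        })
    return records


def audit_wtmp(records):
    """Return (index, message) findings for the traces the editing tools leave behind."""
    findings = []
    open_lines = {}   # ut_line -> index of the USER_PROCESS record that opened it
    last_time = 0
    for r in records:
        if r["zeroed"]:
            # wipe overwrites the record with zeros in place; `last` skips it,
            # marry shows it as type 0 at epoch 0 (19691231160000 on slide 32)
            findings.append((r["index"], "all-zero record (in-place overwrite)"))
            continue
        if r["type"] == BOOT_TIME:
            open_lines.clear()          # every session was ended by the reboot
        elif r["type"] == USER_PROCESS:
            open_lines[r["line"]] = r["index"]
        elif r["type"] == DEAD_PROCESS:
            if r["line"] in open_lines:
                del open_lines[r["line"]]
            else:
                # wzap drops records whose ut_user matches but keeps the nameless
                # DEAD_PROCESS record for the same line, so the logout is orphaned
                findings.append((r["index"],
                                 "logout on %s with no preceding login" % r["line"]))
        if r["tv_sec"] < last_time:
            findings.append((r["index"], "timestamp earlier than previous record"))
        last_time = max(last_time, r["tv_sec"])
    return findings


def build_sample_wtmp():
    """Constructed five-record wtmp image (not from the slides), two records tampered."""
    t0 = 1000000000
    return b"".join([
        pack_record(BOOT_TIME, 0, "~", "~~", "reboot", "2.4.2-2", t0),
        pack_record(USER_PROCESS, 100, "pts/0", "/0", "alice", "10.0.0.1", t0 + 100),
        # the "ftp" USER_PROCESS record for this line was removed wzap-style
        pack_record(DEAD_PROCESS, 200, "ftpd200", "", "", "", t0 + 300),
        bytes(UTMP_SIZE),   # record zeroed in place, wipe-style
        pack_record(DEAD_PROCESS, 100, "pts/0", "/0", "", "", t0 + 500),
    ])


if __name__ == "__main__":
    for index, message in audit_wtmp(parse_wtmp(build_sample_wtmp())):
        print("record %d: %s" % (index, message))
```

Run against a real file by passing the contents of /var/log/wtmp to parse_wtmp; the length check is the first thing to look at, because a file whose size is not a multiple of 384 either uses a different struct layout or has been truncated. Because wtmp is only one record of a login, any finding should then be corroborated against the other sources the slide lists, for example sshd syslog entries or the login records on the peer host.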
Slide 34: Conclusions
- You can't trust what you see
  - ...or what you don't see
- You can find (most) answers
  - ...but you have to look hard
- We know Tools Are Good!
  - ...but what tools DON'T we know about?