Chapter 15.

Connecting through the intruder's backdoor had the added advantage of concealing the fact that the examiner was connected to the system, reducing the risk of alerting the intruder to his presence:
examiner1% script host32-062202-case14524
Script started on Sat Jun 22 13:58:15 2002
examiner1% ssh -l backdoor_account host32.corpX.com
Last login: Thu Jun 20 07:15:55 on pts/2
# w
1:58pm up 83 day(s), 8:56, 0 users, load average: 0.02, 0.02, 0.07
User tty login@ idle JCPU PCPU what
# ps -ef
UID PID PPID C STIME TTY TIME CMD
root 0 0 0 Apr 01 ? 0:00 sched
root 1 0 0 Apr 01 ? 1:28 /etc/init -
root 2 0 0 Apr 01 ? 0:06 pageout
root 3 0 0 Apr 01 ? 175:52 fsflush
root 349 346 0 Apr 01 ? 0:01 /usr/lib/saf/listen tcp
root 201 1 0 Apr 01 ? 3:09 /usr/sbin/cron
root 346 1 0 Apr 01 ? 0:01 /usr/lib/saf/sac -t 300
<cut for brevity>
nobody 320 1 0 Apr 01 ? 0:04 /oracle/bin/oraweb -C /or
oracle 22493 1 0 May 25 ? 7:59 ora_smon_finance1
oracle 22487 1 0 May 25 ? 0:05 ora_pmon_finance1
oracle 22491 1 0 May 25 ? 18:49 ora_lgwr_finance1
oracle 22489 1 0 May 25 ? 55:09 ora_dbwr_finance1
oracle 22495 1 0 May 25 ? 0:02 ora_reco_finance1
oracle 14401 1 0 May 10 ? 8:36 ora_smon_finance2
oracle 14399 1 0 May 10 ? 3:14 ora_lgwr_finance2
oracle 14397 1 0 May 10 ? 7:02 ora_dbwr_finance2
oracle 14395 1 0 May 10 ? 0:02 ora_pmon_finance2
<cut for brevity>
root 15718 1 0 Jun 17 ? 30:09 ./solsniffer -s
root 23656 23652 1 13:58:34 pts/1 0:00 ps -ef
# cd /usr/share/man/...
# ls -altc
total 4950
-rw-rw-r-- 1 root root 911381 Jun 22 13:57 log
drwxrwxrwt 4 sys sys 1024 Jun 22 04:00 ..
drwxrwxr-x 2 root root 512 Jun 17 17:07 .
-rwx--x--x 1 root root 19996 Jun 17 17:07 solsniffer
# md5 log
md5: Command not found.
# cat log
<sniffer log cut for brevity>
# scp log examiner@examiner1.corpX.com:/e1/case14524/host32-log-062202
# mail examiner@corpX.com < log
Anticipating that the intruder would return, the examiner monitored network traffic to the compromised hosts using Argus. That evening, the intruder was observed gaining unauthorized access to one of the compromised hosts from another system on the network:
examiner1% ra -r argus.out host 192.168.0.101
22 Jun 02 23:26:56 tcp 192.168.0.5.2444 -> 192.168.0.101.ssh EST
22 Jun 02 23:28:05 tcp 192.168.0.5.2444 -> 192.168.0.101.ssh EST
22 Jun 02 23:29:26 tcp 192.168.0.5.2444 -> 192.168.0.101.ssh FIN
The examiner connected to the compromised host (192.168.0.101) through the intruder's backdoor, gathered digital evidence from memory, shut the system down, and collected the hardware as evidence. In this way, the intruder's presence on the compromised host was documented and the original hardware was preserved for later analysis.

The examiner determined that the intruder was using a stolen account on an internal system (192.168.0.5) to launch attacks against other hosts on the network. The firewall, intrusion detection system, and the router that generated NetFlow logs were not between the launch pad and the target hosts. This explained how the intruder had been able to target the vulnerable ports on the compromised systems even though they were protected by a firewall. This also explained why the intrusion detection systems and NetFlow logs did not contain any useful data. Incidentally, as a result of the lessons learned from this incident, Corporation X installed permanent Argus probes on all of their important network segments to ensure that these logs were available in the future.

The intruder had stored tools in a hidden directory of this stolen account but had not been able to erase system log files. The examiner collected the log files and contents of the stolen account as evidence. Logon records from the stolen account contained the IP address of a computer on a business partner's network - Business Z in San Francisco:
host5% last stolen_account
stolen_account pts/3 172.16.12.15 Sat Jun 22 23:24 still logged in
stolen_account pts/22 172.16.12.15 Thu Jun 20 07:13 - 07:37 (00:24)
stolen_account pts/5 172.16.12.15 Mon Jun 17 16:51 - 17:38 (00:47)
wtmp begins Sun Jun 16 19:10:54 2002
The examiner called his counterpart in Business Z on her mobile phone to inform her of the problem. She quickly determined the Windows NT system in question (172.16.12.15) was running a Trojan horse program (Back Orifice 2000) and did not contain any logs containing the intruder's IP address. Also, Business Z's intrusion detection system logs did not contain any alerts relating to the compromised Windows NT system, probably because connections between the Back Orifice client and server were encrypted. However, Business Z's NetFlow logs did show incoming connections to the compromised Windows NT system and subsequent outgoing connections to the machine on Corporation X's network:
flow% flow-cat /netflow/2002-06-22/ft-v05.2002-06-22.203000 | flow-filter -Dbo2k -f ./bo2k-062202.acl | flow-print -f5
Start End SrcIPaddress SrcP DstIPaddress DstP Octets
0622.20:20 0622.20:49 10.145.32.24 2584 172.16.12.15 443 2412085
flow% flow-cat /netflow/2002-06-22/ft-v05.2002-06-22.203000 | flow-filter -Sbo2k -f ./bo2k-062202.acl | flow-print -f5
Start End SrcIPaddress SrcP DstIPaddress DstP Octets
0622.20:20 0622.20:50 172.16.12.15 443 10.145.32.24 2584 3660674
0622.20:23 0622.20:43 172.16.12.15 1927 192.168.0.5 22 3457683
The two examiners corrected the time zone difference between New York and San Francisco and confirmed that these connections corresponded to the logon records from the stolen account. They immediately contacted the ISP that the intruder was using and asked them to preserve evidence on their systems relating to the intrusions.

The organizations then reported the incident to the FBI and provided them with enough information to obtain subscriber details from the ISP used by the intruder. The FBI determined that the dial-up account used by the intruder had been stolen. Fortunately, the ISP had Automatic Number Identification (ANI) records that contained the intruder's home telephone number:
To: FBI
From: ISP
Date: 06/30/02
Re: Case #14524

The following is the information you requested in the Subpoena of the United States District Court in the District of New York, dated 06/25/02, which I have enclosed. The information is correct to the best of my knowledge and I will keep records of my investigation until you tell me otherwise.

You requested the information pertaining to the following connections:

Username: janedoe
IP address assigned: 10.145.32.24
Time of connection: 23:22:38 (EST5EDT) Jun 22, 2002
Time of disconnect: 23:54:12 (EST5EDT) Jun 22, 2002
ANI information: (510) 555-2356

Username: janedoe
IP address assigned: 10.145.32.17
Time of connection: 07:12:54 (EST5EDT) Jun 20, 2002
Time of disconnect: 07:40:06 (EST5EDT) Jun 20, 2002
ANI information: (510) 555-2356

Username: janedoe
IP address assigned: 10.145.32.105
Time of connection: 16:32:17 (EST5EDT) Jun 17, 2002
Time of disconnect: 18:53:32 (EST5EDT) Jun 17, 2002
ANI information: (510) 555-2356
After performing a background check and further investigation to satisfy themselves that the resident of the house was responsible for the connections, the FBI obtained a search warrant and seized the suspect's computers. An examination of these computers revealed many links with Corporation X's compromised servers, including sensitive data captured in sniffer logs. Faced with overwhelming evidence, the suspect admitted his involvement and provided the FBI with a list of his accomplices.[12]

[12] This case example is based on abstracted lessons from various investigations. Any resemblance to actual incidents is coincidental.