[lug] intrusion

Ken MacFerrin lists at macferrin.com
Thu Jun 14 02:27:28 MDT 2007


gordongoldin at aim.com wrote:
> There was a funny UID - easypwn.
> Changed the passwd, later saw:
> easypwn tried to get in, failed, then another "don't know who it is
> userID" mailmn got on from same IP.
> The easypwn tried to get in again and logged in successfully.
> 
> Looking around, I saw:
>  ...porn.zip in a temp file
> 
> Due to powers that be, I can't just shut this down.
> 
> Has anyone seen something like this before?
> (Hoping this is something less than a rootkit.)
> 
> What's the short list of cleaning procedures/lockdowns while taking this
> machine out of service?

If it's a root kit then it's poorly thought through (or the attacker
just doesn't care).  Any good rootkit would have hidden the attackers
UID and processes to remain undetected.

If you really want to run forensics on this machine then do not turn if
off yet.  You'll need to gather live data before rebooting because it's
possible the attacker may have loaded a "bad" process into memory and
then deleted the original binary to help avoid detection.

1) create a read-only cd or floppy from another machine with a trusted
set of binaries (bash, ls, dd, file, w, find, lsof, md5sum, lsmod,
strings, etc..).

2) mount this disk on the infected machine along with something like a
blank USB drive so that you have somewhere clean to store the data
you're collecting without further contaminating the hard disk filesystem.

3) Run the "w" command from your trusted media by calling it via the
full path and save the output to the blank media (ie: /mnt/cdrom/w >>
/mnt/usbdrive/audit.txt ).  "w" will give you the system time and
current logged on users.  Use only the trusted binaries for all the
following steps.

4) Record all the file system timestamps:
ls -alRu / > /mnt/usbdrive/atime
ls -alRc / > /mnt/usbdrive/ctime
ls -alR / > /mnt/usbdrive/mtime

5) List open ports with associated apps:
netstat -anp

6) List running processes:
lsof
ps -aux

7) Copy logs.
Copy /var/log/syslog & /var/log/messages
Copy results of "last" and "lastlog"

8) Copy important configs: /etc/passwd, /etc/shadow, /etc/groups,
/etc/hosts, /etc/syslog.conf, /etc/rc, /etc/indetd.conf,
/etc/xinetd.conf, crontab -l

9) Look for sniffers by checking for the PROMISC flag on any active
interfaces.  If found, then other local machines are probably also at risk.
ifconfig eth0

10) Investigate any suspicious running processes.  Run ps -aux to get
the PID, then "cd /proc/PID#" for that PID and run "ls -al".  The main
listing of interest will be the "exe" link, which should point to the
binary used to start the process.  If it points to a "(deleted)" entry
then the binary was deleted after this processes was started.

11) Copy the current system ram (/proc/kcore or /proc/kmem).  This can
hold useful data for someone good with "strings".

12) It's also a good idea to run "date" before and after these steps so
that you have a timestamp record.

Once this is done, then turn it off, image the disk for further offline
analysis and re-install from good media.  If it's a sensitive system and
you'll be pursuing the attacker for legal prosecution then skip all this
and hire a forensic specialist that's familiar with "chain of custody"
and other such matters ASAP.

-Ken



More information about the LUG mailing list