Old 11-04-2012, 08:23 PM   #16
OlRoy
Member
 
Registered: Dec 2002
Posts: 304

Rep: Reputation: 86

Quote:
Originally Posted by Linux_Kidd
exactly what i said, i need to go check if IDS can alert on SS #'s.

and i'll say it again, a good C2 doesnt put files on the system. do you have forensics training or background ??
You didn't say good, you said odd. Still, a good/stealthy C2 wouldn't even use IRC. A good attacker who cares about stealth also wouldn't be launching SSH dictionary attacks from the victim to any computer it can find on the Internet. Those IoCs are way more obvious than putting files on a box. There is nothing odd/unusual about either of those; they're very common. But I would agree it would be odd if the attacker went to great lengths to remain hidden, yet was using something obvious like IRC as a C2...

Yes, I have a degree in InfoSec, and have gone through SANS GCIA, GREM, and GCFA (not the new revamped course yet). I do intrusion analysis, but mostly involving Windows victims.
 
Old 11-04-2012, 09:57 PM   #17
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 539

Original Poster
Rep: Reputation: 51
fair enough.

i've been doing hands-on InfoSec for the last ~15yrs, been an active CISSP for 10yrs (and have numerous other certs), and have taken x-country flights to see local LE serve a search warrant and seize all the computer gear in a building so that I could image stuff and analyze it. you may have your view of things, i have mine. thanks for your feedback.

LK

Last edited by Linux_Kidd; 11-04-2012 at 09:59 PM.
 
Old 11-06-2012, 07:38 PM   #18
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 539

Original Poster
Rep: Reputation: 51
hey unSpawn, do you go by unspawn on ubuntuforums.org?
 
Old 11-06-2012, 08:53 PM   #19
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,718
Blog Entries: 54

Rep: Reputation: 2967
I do. BTW feel free to PM or email me that kind of question OK? I mean it doesn't really add to the thread IMHO...
 
Old 11-07-2012, 01:26 AM   #20
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 539

Original Poster
Rep: Reputation: 51
Quote:
Originally Posted by unSpawn
I do. BTW feel free to PM or email me that kind of question OK? I mean it doesn't really add to the thread IMHO...
ah, i see you posted over there about the infection i see now (found it via a gool search, etc), but you posted back in 2010 in response to another user asking about the same infection i see. check there on feb 11 2010, it's about the "ZeuL's Connect Back Backdoor" perl script.

Last edited by Linux_Kidd; 11-07-2012 at 09:17 AM.
 
Old 11-07-2012, 07:46 AM   #21
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,718
Blog Entries: 54

Rep: Reputation: 2967
OK. Found the thread. (Seems I've been there longer than I thought I'd been.) I don't know if you regard this thread as casual banter (please don't) or some sort of web log (go here) or if you have problems formulating questions because I still don't have a clue what I can help you with. The Perl script is just collateral, the thread showed the infection vector for that case and as always users blame software instead of their own lack of admin skills, proper hardening, regular auditing etc, etc. In contrast your victim machine, asserting it actually is subject to industry regulations, should show the necessary audit trail details to confirm its usage (if any), right?
 
Old 11-09-2012, 09:06 PM   #22
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 539

Original Poster
Rep: Reputation: 51
so, this script named "a" on my infected system is used to do SSH scanning, but what is the odd echo in bold? i am guessing that echo's stuff back to another process, one that may be an IRC connection?

Code:
[root@xyz .fresh]# more a
#!/bin/bash
if [ $# != 1 ]; then
        echo " usage: $0 <b class>"
        exit;
fi

rm -rf scan.log mfu.txt 1>/dev/null 2>/dev/null
echo -e "                \033[1;33m\033[1;32m   FRESH \033[1;33m\033[0m"
././pscan2 $1 22

sleep 10
mv scan.log bios.txt
oopsnr2=`grep -c . bios.txt`
echo -e "**  \033[1;33m          ... incepem ...     \033[0m   **"
export PATH=.:$PATH
hald
rm -rf scan.log mfu.txt 1>/dev/null 2>/dev/null
echo "##        asta a fost, baga clasa urmatoare         ##"
 
Old 11-09-2012, 09:19 PM   #23
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,718
Blog Entries: 54

Rep: Reputation: 2967
Just color coding. What forensics field / niche did you specialize in for the past years if I may ask? The text is Romanian BTW.
 
Old 11-10-2012, 10:42 AM   #24
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 539

Original Poster
Rep: Reputation: 51
i know what the text is (thanks to gool), but it translates to English oddly, so i would need an interpreter for meaning.

i don't specialize in forensics, i am trained in forensics, imaging, CoC, Encase, sleuthkit, bt5, etc etc. forensics is just one of my hats. i deal with many OSes. i specialize in keeping bad guys out.

thanks btw for the color, i forgot about that.

Last edited by Linux_Kidd; 11-10-2012 at 10:47 AM.
 
Old 11-10-2012, 12:05 PM   #25
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,718
Blog Entries: 54

Rep: Reputation: 2967
Quote:
Originally Posted by Linux_Kidd
i am guessing that echo's stuff back to another process
No, just stdout.
 
Old 11-10-2012, 02:04 PM   #26
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 539

Original Poster
Rep: Reputation: 51
hmmmm, i wonder though if this script was being C2'd through a shovel via an IRC connection? attacker had ssh access and was seen connected for about 13hrs during one of the sessions. the infection kit looks automated so i am not 100% confident that there was a body behind the ssh sessions. i myself am not skilled enough to decode the hex of ELF.
 
Old 11-10-2012, 05:12 PM   #27
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,718
Blog Entries: 54

Rep: Reputation: 2967
Are you the only person analyzing this server?
Is there a time line of events?
Was correlation done with adjacent servers?
Are there any binaries, scripts, etc, etc found?
Do foreign objects, log excerpts, shell history, etc, etc, actually support your assumption of a C&C?

I'm asking because if you don't want to share cold hard facts that's fine, but this thread cannot continue to exist on insubstantial "tweets" alone.
 
Old 11-10-2012, 11:25 PM   #28
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 539

Original Poster
Rep: Reputation: 51
1. there were many hands on this box before i got to it.
2. yes, i have a detailed timeline of events gathered from numerous logs and filesystem info, from firewall changes which open ssh to the public, to a uid being compromised from ssh dictionary attack, to the uid history of the attacker. attacker used "history -c" so not too much is there.
3. adjacent servers were under the same ingress ssh dictionary attack (as seen by IDS logs); my system was the only one compromised.
4. binaries and scripts were indeed found (klogd ELF, hald ELF, pscan2 ELF, and scripts "start", "a", etc etc). all were created inside of /tmp/.ICE-unix dir.
5. yes, IRC channels existed (as seen in IDS logs), and the historical data i find on some of the script coding indicates an IRC back connect for either monitoring the infection, or for C2. the IRC used went to Undernet (one of a few Undernet servers listed in the script files).

there's a piece i am still trying to figure out. there was a UDP port-0 egress flood going on during the outage. the dst IP was in LACNIC so it's not clear to me if the LACNIC IP was a target of the UDP flood, or if my customer was the target because the flood took down the firewalls. initial incident response folks found a PID and PPID via lsof that were causing the UDP flood and then killed them. the cwd of these PIDs was in the /tmp/.ICE-unix dir where the infection was.

i can't post too much data at this time, it's an active case and legal on several fronts are involved.

Last edited by Linux_Kidd; 11-10-2012 at 11:29 PM.
 
Old 11-11-2012, 09:51 AM   #29
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,718
Blog Entries: 54

Rep: Reputation: 2967
Quote:
Originally Posted by Linux_Kidd
(..) from numerous logs and filesystem info (..)
Was the audit service running? If it was, did it have syscall logging rules?


Quote:
Originally Posted by Linux_Kidd
(..)from firewall changes which open ssh to the public, to a uid being compromised from ssh dictionary attack (..)
Ouch. No enforced pubkey-only auth policy then. Did the brute force attack start on all machines at roughly the same time?


Quote:
Originally Posted by Linux_Kidd
(..)binaries and scripts were indeed found (klogd ELF, hald ELF, pscan2 ELF, and scripts "start", "a", etc etc).(..)
Hiding in plain sight is quite common. Often you'll find back doors mimicking an HTTPD process. So if the klogd and hald binaries are referenced in the scripts then they'll likely be an IRC daemon, IRC client, standard shell or something else you would want to have running continuously with an innocuous-sounding name. If they aren't referenced then that would be interesting.


Quote:
Originally Posted by Linux_Kidd
5. yes, IRC channels existed (as seen in IDS logs), and the historical data i find on some of the script coding indicates a IRC back connect for either monitoring the infection, or for C2. the IRC used went to Undernet (..)
If, until evidence proves otherwise of course, you would start with the working hypothesis that this is just a common break-'n-enter then unless it's mailed or posted in the channel you would expect the crew to require some way in to be able to siphon any (p)scan(2) data off the machine.


Quote:
Originally Posted by Linux_Kidd
there's a piece i am still trying to figure out. there was a UDP port-0 egress flood going on during the outage. the dst IP was in LACNIC so it's not clear to me if the LACNIC IP was a target of the UDP flood, or if my customer was the target because the flood took down the firewalls. initial incident response folks found a PID and PPID via lsof that were causing the UDP flood and then killed them. the cwd of these PIDs was in the /tmp/.ICE-unix dir where the infection was.
FWIW a UDP flooder running out of /tmp/.ICE-unix and being attacked on the same port at the same time isn't a mutually exclusive condition. After all the 'net is rife with rivaling crews so hostilities between them would be no news.


Quote:
Originally Posted by Linux_Kidd
i can't post too much data at this time, it's an active case and legal on several fronts are involved.
I understand that and it's no problem as long as you feed us some Good Stuff.
 
Old 11-11-2012, 10:59 AM   #30
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 539

Original Poster
Rep: Reputation: 51
1. yes, audit is running, and i did see syscall entries in its logs but did not yet examine those in detail
2. i am not sure if the start of scanning of all the systems happened on the same date/time, but IDS logs show ingress ssh dictionary attacks to all the fw rules that allow ssh from the public.
3. yes, references to hald in the script, and hald was still running days after the infection files were quarantined. hald had a bunch of established ssh connections open but they all looked idle and/or defunct as a tcpdump showed no traffic.
4. the UDP flood was the initial complaint, and from what i can see there was only a single IP that gained access to the compromised account via ssh. i do believe the flood is related to this single IP and not different groups.
5. i can post more during the week.

thanks
LK
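Following up on the hald/klogd masquerading and the /tmp/.ICE-unix working directories discussed in the last two posts, here is an added triage check (example code, not from this thread or its posters) that walks /proc and flags processes whose cwd or executable sits in a scratch directory, or whose daemon name does not resolve to a package-owned binary. The scratch-directory and daemon-name lists are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not code from the thread): flag processes that run out of a
# scratch directory such as /tmp/.ICE-unix, or that carry a system-daemon name
# (hald, klogd, ...) while their executable lives outside package-owned paths.
# The directory and name lists below are assumptions for illustration.

scratch_path() {
    # $1 = path from /proc/PID/cwd or /proc/PID/exe; a deleted binary still
    # shows its original path ("/tmp/x (deleted)"), so prefix matching works
    case "$1" in
        /tmp/*|/var/tmp/*|/dev/shm/*) return 0 ;;
        *) return 1 ;;
    esac
}

trusted_bin() {
    # $1 = executable path; 0 if it is where the package manager installs binaries
    case "$1" in
        /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*|/usr/lib/*|/usr/libexec/*|/lib/*) return 0 ;;
        *) return 1 ;;
    esac
}

# scan_procs [PROC_ROOT]: prints "<pid> <comm> <exe> <cwd> <reasons>" for each
# suspicious process. PROC_ROOT defaults to /proc; a fake tree can be passed in.
scan_procs() {
    root="${1:-/proc}"
    for d in "$root"/[0-9]*; do
        [ -d "$d" ] || continue
        pid="${d##*/}"
        exe=$(readlink "$d/exe" 2>/dev/null) || exe="?"
        cwd=$(readlink "$d/cwd" 2>/dev/null) || cwd="?"
        comm=$(cat "$d/comm" 2>/dev/null) || comm="?"
        reason=""
        if scratch_path "$cwd" || scratch_path "$exe"; then
            reason="scratch-dir"
        fi
        case "$comm" in
            hald|klogd|httpd)        # names the thread saw being mimicked
                trusted_bin "$exe" || reason="${reason:+$reason,}name-mismatch" ;;
        esac
        [ -n "$reason" ] && printf '%s %s %s %s %s\n' "$pid" "$comm" "$exe" "$cwd" "$reason"
    done
    return 0
}

# SCAN_LIVE=1 sh check_procs.sh   -> scan the real /proc of the running system
if [ "${SCAN_LIVE:-0}" = 1 ]; then scan_procs /proc; fi
```

A hit like "<pid> hald /tmp/.ICE-unix/hald /tmp/.ICE-unix scratch-dir,name-mismatch" is the shape the thread's fake hald would produce; confirm with rpm -qf or dpkg -S on the exe path before acting on it.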
 