E-Crime - Stilliano's - Case Study Example

Case study: E-Crime: Stilliano’s Case The first look at the case shows that there is attempted entry into the system. This could be a hackers attempt to gain entry into the system using root privileges. The assumption is gotten from the vague inference into the odd entry below; netstat stream tcp nowait root /usr/lib/netstat netstat This is possible through various means though it was necessary to determine the exact cause of the actions. In trying to find out what would have been happening in the system, it is advisable to first look into role of the inetd function. The inetd function, also referred to as the super server listens to various ports that are used for the internet such as POP3. The inetd concept when used as a service dispatcher is vulnerable to some insecurity concerns which seem to have been inhibited in the case mentioned here. The /etc/inetd.conf is the default file for configuration of the super server daemon. This file is basically used for the description of all the TCP/IP daemons that are supported as well as the non standard services. There is no need for a modification of this file unless one needs to remove some definitions for the daemons or add them. This brings up the assumption that odd entries in this file system might have been a cause for alarm. The netstat command is useful in the determination of the packets that have been sent and received in a particular system. On detection of intrusion into a system, there are several ways in which the threats can be averted Avoid initiation of logins such as scp and initiate all traffic frfrom the personal laptop Identify data that is critical from the LDAP database Reinstall the compromised systems with fresh copies of linux Lessons One should never be complacent. Linux is vulnerable to security intrusions and to avoid this, one needs to invest a lot of time in it One does not necessarily have to be a target that is worth a lot of interest to be attacked but the server can be used in launcjhhi9ng other attacks to various other parts Always be conversant with the release notes for the particular vendor Always keep updating the wares. Patching and updating servers especially those that are publicly used is of great essence Always be aware of what services are in use and be in tally with the open ports and especially the useful open ports. One should never accept the default services without p[roper knowledge of the meaning of the default values to the firewall It is necessary that one hires a security administrator in a company that has versatile data. This is mainly due to the important nature of data security in an organization. One should consider doing personal tests of the bugtraqs to keep updated information of the security details. Ione should also minimise access to the office servers, production servers, desktops, laptops and honey nets. In ensuring that security is kept standard, some of the actions that should be puit in place are: Ingress filtering as well as egress filtering Installation of a minimal amount of package. Having some present features like gcc, perl and make work as incentives to intruders Reduce the access rights such as pop, smtp and samba Implement measures like LIDS, grsecurity for restriction of roots to the users In prevention of such actions, some of the counter measures are having secure software like GrSecurity, Tripware, LIDS TCPdump. Netcat, Nmap OpenSSH, Isof, lslk Stunnel Ethreal, Etherape, ntop, dsniff, TCT When the machines was compromised An intruder or a hacker do not get root level access to the machine, rather they break into. This means that they hardly install root kits. Thus, it the response team has a variety of tools already available in the machine so as to see what happened. It is easy to determine the time a user logged in and then match them with the actual users log in times. Also last gives the IP address where the user logged in from. This will give the indications of the legitimacy of the login. Then listing of the files and directories is of great importance especially when one knows the time/date of the compromise mostly found by running Is- Lart /. When this is done, one gets a list of files and directories, and determines the folders added and/ or removed files from the system. This where the netstat comes in which will list the current listening sockets on the machine. When it is run, it gives any backdoors that are listening. In this case Stilianos checked using - netstat stream tcp nowait root /usr/lib/netstat netstat - and found out that they were not coming from any of their computers, moreover, after checking the processor utilization it was showing a 100% utilization which meant that, there were some operations in the systems which could not be traced. According to Sep 18 02:42:54 victim rpc.statd[349]: gethostbyname error for ^X[buffer overrun shell code removed] which showed a deleted syslogfile entry, which therefore depicts that Stalions Machine which was working under linux platform was compromised on 18th semptember. Moreover, the presence of an extra inetd means that, there were operations in the networks. This is due to the fact that inetd are daemons that manage other daemons. From the analysis, the machine was hit by the use of rpc.statd overflow. Steve then used mactime program which can give a detailed information about what happened to the files in the computers. From the report which Steve got from the program, it was clear that there are number of files which shows that the attacker logged in through talnet and began his operations. This is clear through; Sep 20 00 15:46:05 31376 .a. -rwxr-xr-x root root /mount/usr/sbin/in.telnetd Sep 20 00 15:46:39 20452 ..c -rwxr-xr-x root root /mount/bin/login If further shows that, /dev/ttypq/ directory was created on the filesystem exactly an hour later. This was followed by suspicious files which appeared to be modified on the system. This included ipv6.0 and rc.local and rpc.status files which Steve suspected where as a result of a compromise. This was clear in the following reports; Sep 20 00 16:49:26 446592 m.. -rwxr-xr-x root root /mount/dev/ttypq/.../ex Sep 20 00 16:49:45 1491 mac -rw-r--r-- root root /mount/dev/ttypq/.../doop Sep 20 00 16:49:46 84688 m.c -rw-r--r-- root root /mount/dev/ttypq/.../c4wnf 446592 ..c -rwxr-xr-x root root /mount/dev/ttypq/.../ex 4096 m.c drwxr-xr-x root root /mount/lib/modules/2.2.16-3/net 7704 ..c -rw-r--r-- root root /mount/lib/modules/2.2.16-3/net/ipv6.o There were ipv6.0 module’s visible strings that were closely linked to network sockets (32411/tcp, 3457/tcp) which were earlier suspected. There are several user account names, which were said to be in a promiscuous mode which means that the Ethernet interface was authenticated a passage of all traffic which was seen in the network. In other words, it did not only allow those authorized but all and therefore allowing a compromise. This was clear in this report; mandragoras# strings ipv6.o . . . check_logfilter kernel_version=2.2.16-3 my_atoi :32411 my_find_task :3457 is_invisible :6667 is_secret :6664 iget :6663 iput :6662 hide_process :6661 hide_file :irc __mark_inode_dirty :6660 unhide_file :6668 n_getdents nobody o_getdents telnet n_fork operator o_fork Proxy n_clone proxy o_clone undernet.org n_kill Undernet.org o_kill netstat n_ioctl syslogd dev_get klogd boot_cpu_data promiscuous mode __verify_write . . . o_ioctl adore.c n_write gcc2_compiled. o_write __module_kernel_version n_setuid we_did_promisc cleanup_module netfilter_table o_setuid check_netfilter init_module strstr __this_module logfilter_table sys_call_table an investigation of the rc.local file, showed a change of inode. Moreover, the raed had 6.2 sytem showed that there was an addition of command script /usr/sbin/initd. mandragoras# cat /usr/sbin/initd #!/bin/sh # # automatic install script to load kernel modules for ipv6 support. # do not edit the file directly. /sbin/insmod -f /lib/modules/2.2.16-3/net/ipv6.o >/dev/null 2>/dev/ null /usr/sbin/rpc.status Read More