CHFI v8 Module 15 Log Capturing and Event Correlation

Download as pdf or txt
Download as pdf or txt
You are on page 1of 9

CHFI Lab Manual

Log Capturing and


Event Correlation
Module 15
Module 15 – Log Capturing and Event Correlation

1
Lab

Forensics Challenge: Log Mysteries


Source: The forensic challenge was originally published as a part of The Honeynet
Project at http://honeynet.org/challenges. The challenge was provided by Raffael Marty
from the Bay Area Chapter, Anton Chuvakin from the Hawaiian Chapter, and
Sebastien Tricaud from the French Chapter of the The Honeynet Project. The content
is reproduced with permission of the http://honeynet.org.

I C O N K E Y The Challenge
 Valuable Navigate to D:\Evidence Files\Forensics Challenges\HONEYNET
information
Challenges\Challenge 5 of the Forensic Challenge 2010 - Log Mysteries. Analyze
 Test your the sanitized_log.zip and answer the following questions:
knowledge
1. Was the system compromised and when? How do you know that for
 Web exercise sure?
 Workbook review 2. If the system was compromised, what was the method used?
3. Can you locate how many attackers failed? If some succeeded, how
many were they? How many stopped attacking after the first success?
4. What happened after the brute force attack?
5. Locate the authentication logs, was a brute-force attack performed? If
yes how many?
6. What is the timeline of significant events? How certain are you of the
timing?
7. Anything else that looks suspicious in the logs? Any misconfigurations?
Other issues?
8. Was an automatic tool used to perform the attack? If yes which one?
9. What can you say about the attacker's goals and methods?
10. What would you have done to avoid this attack?

CHFI Lab Manual Page 2 Computer Hacking Forensic Investigator Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 15 – Log Capturing and Event Correlation

Challenge Result
Note: The tools and methodologies used here, and results obtained are provided for
your reference. The actual results may vary according to your selection of tools and
methodologies.
1. Tools used: shell programming, awk, logwatch
The system was compromised several times, from several IP addresses.
Attacking IP address -- time of compromise
 IP address 61.168.227.12 made a brute force attack and
breaked into the system 1 time(s)

 IP address 122.226.202.12 made a brute force attack and


breaked into the system 2 time(s)

 IP address 219.150.161.20 made a brute force attack and


breaked into the system 4 time(s)

 IP address 222.66.204.246 made a brute force attack and


breaked into the system 1 time(s)

 IP address 222.169.224.197 made a brute force attack and


breaked into the system 1 time(s)

 IP address 121.11.66.70 made a brute force attack and breaked


into the system 2 time(s)

First, failed password logs do not just come from attackers. It is also
possible that an authorized user had forgotten his/her password or that
a user had forgotten the IP address of the secure shell server. To
distinguish between these and avoid generating too many false positives,
the following criteria have been taken into account:
a. If there are accepted logins before valid user failed password logs
for an IP address, it is less likely to be an attacker, so it will need at
least N failed password logins to be considered as hostile.
b. If there are failed password logs for a valid user before accepted
password logs, X failed password login attempts for a valid user,
and Y failed password for an invalid user are needed for an IP
address to be considered as an attacker.
c. If there are at least Z invalid failed passwords or B valid failed
password login attempts, an IP address is considered to be an
attacker; it does not matter if there are accepted password logs
before these logs. These values will be defined by every system
administrator, based on their specific needs. Hence, this numbers
should be modifiable to meet their requirements.
For this challenge use the following values:
 N=30, X=5, Y=3, Z=20, B=3
Methodology:

CHFI Lab Manual Page 3 Computer Hacking Forensic Investigator Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 15 – Log Capturing and Event Correlation

Develop a hash of hashes in perl to store data of every IP address


logged in auth.log file. Then use the criteria above to classify into
successful attacker, failed attacker and not attacker IP addresses, storing
the following data for every attacker IP address, number of successful
logins attempts, number of valid user and invalid user login attempts,
and time of successful logins.
With all the data stored, it is possible to answer all the questions of the
challenge.

2. The method was brute-force attack attempts on secure shell service on


root user.

3. There were total 33 attackers out of these 27 attackers failed and 6


attackers were successful.

The attackers who failed are the following:


8.12.45.242, 124.207.117.9, 211.154.254.248, 217.15.55.133,
65.208.122.48, 58.17.30.49, 116.6.19.70, 210.68.70.170,
24.192.113.91, 124.51.108.68, 173.9.147.165, 209.59.222.166,
125.235.4.130, 201.64.234.2, 114.80.166.219, 203.81.226.86,
59.46.39.148, 122.102.64.54, 219.139.243.236, 200.72.254.54,
220.170.79.247, 61.151.246.140, 190.4.21.190, 218.56.61.114,
89.46.213.128, 122.165.9.200, 24.94.90.96

Attackers who succeeded:


 IP address 61.168.227.12 made a brute force attack and
breaked into the system 1 time(s)
 IP address 122.226.202.12 made a brute force attack and
breaked into the system 2 time(s)
 IP address 219.150.161.20 made a brute force attack and
breaked into the system 4 time(s)
 IP address 222.66.204.246 made a brute force attack and
breaked into the system 1 time(s)
 IP address 222.169.224.197 made a brute force attack and
breaked into the system 1 time(s)
 IP address 121.11.66.70 made a brute force attack and breaked
into the system 2 time(s)

Command used: perl sshAnalysis.pl auth.log | grep


 IP address 61.168.227.12 made a brute force attack and breaked into
the system 1 time(s)
accepted 1
acceptedDate1 Apr 24 15:28:37
endAttack Apr 24 15:40:00
failedInvalid 20
failedValid 193
firstFailed 1

CHFI Lab Manual Page 4 Computer Hacking Forensic Investigator Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 15 – Log Capturing and Event Correlation

startAttack Apr 24 15:26:00


user1 root

 IP address 122.226.202.12 made a brute force attack and breaked


into the system 2 time(s)
accepted 2
acceptedDate1 Apr 23 03:11:03
acceptedDate2 Apr 23 03:20:41
endAttack Apr 23 03:42:03
failedInvalid 185
failedValid 328
firstFailed 1
startAttack Apr 23 03:06:17
user1 root
user2 root

 IP address 219.150.161.20 made a brute force attack and breaked


into the system 4 time(s)
accepted 4
acceptedDate1 Apr 19 05:41:44
acceptedDate2 Apr 19 05:42:27
acceptedDate3 Apr 19 05:55:20
acceptedDate4 Apr 19 05:56:05
endAttack Apr 19 08:58:54
failedInvalid 7574
failedValid 1685
firstFailed 1
startAttack Apr 19 05:38:01
user1 root
user2 root
user3 root
user4 root

 IP address 222.66.204.246 made a brute force attack and breaked


into the system 1 time(s)
accepted 1
acceptedDate1 Apr 19 10:45:36
endAttack Apr 19 11:24:39
failedInvalid 1063
failedValid 510
firstFailed 1
startAttack Apr 19 10:41:41
user1root

 IP address 222.169.224.197 made a brute force attack and breaked


into the system 1 time(s)
accepted 1

CHFI Lab Manual Page 5 Computer Hacking Forensic Investigator Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 15 – Log Capturing and Event Correlation

acceptedDate1 Apr 22 11:02:15


endAttack Apr 22 11:21:34
failedInvalid 457
failedValid 189
firstFailed 1
startAttack Apr 22 11:01:29
user1 root

 IP address 121.11.66.70 made a brute force attack and breaked into


the system 2 time(s)
accepted --> 2
acceptedDate1 --> Apr 20 06:13:03
acceptedDate2 --> Apr 24 11:36:19
endAttack --> Apr 24 11:41:59
failedInvalid --> 6
failedValid --> 1429
firstFailed --> 1
startAttack --> Apr 20 05:48:07
user1 --> root
user2 --> root

4. Many programs were replaced and exim mail server was installed.
Exim was reconfigured after the system was compromised. This
information can be found in the apt log:
/var/lib/python-support/python2.5/yum/__init__.py:1129: Warning: 'with' will
become a reserved keyword in Python 2.6
/var/lib/python-support/python2.5/yum/depsolve.py:73: Warning: 'with' will
become a reserved keyword in Python 2.6
/var/lib/python-support/python2.5/yum/repos.py:236: Warning: 'with' will
become a reserved keyword in Python 2.6
/var/lib/python-support/python2.5/yum/repos.py:260: Warning: 'with' will
become a reserved keyword in Python 2.6
/var/lib/python-support/python2.5/yum/repos.py:263: Warning: 'with' will
become a reserved keyword in Python 2.6
/usr/share/yum-cli/cli.py:614: Warning: 'with' will become a reserved keyword
in Python 2.6
/usr/share/yum-cli/cli.py:615: Warning: 'with' will become a reserved keyword
in Python 2.6
/usr/share/yum-cli/cli.py:616: Warning: 'with' will become a reserved keyword
in Python 2.6
Unpacking replacement libkrb53 ...
Preparing to replace exim4-config 4.69-2 (using .../exim4-config_4.69-
2ubuntu0.1_all.deb) ...
Unpacking replacement exim4-config ...
Preparing to replace exim4-base 4.69-2 (using .../exim4-base_4.69-
2ubuntu0.1_amd64.deb) ...
Unpacking replacement exim4-base ...
Preparing to replace exim4-daemon-light 4.69-2 (using .../exim4-daemon-
light_4.69-2ubuntu0.1_amd64.deb) ...
* Stopping MTA #[125G

CHFI Lab Manual Page 6 Computer Hacking Forensic Investigator Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 15 – Log Capturing and Event Correlation

#[119G[ OK ]
Unpacking replacement exim4-daemon-light ...
Preparing to replace exim4 4.69-2 (using .../exim4_4.69-2ubuntu0.1_all.deb)
...
Unpacking replacement exim4 ...
Preparing to replace fuse-utils 2.7.2-1ubuntu2 (using .../fuse-utils_2.7.2-
1ubuntu2.1_amd64.deb) ...
Unpacking replacement fuse-utils ...
Preparing to replace libfuse2 2.7.2-1ubuntu2 (using .../libfuse2_2.7.2-
1ubuntu2.1_amd64.deb) ...
Unpacking replacement libfuse2 ...
Preparing to replace libpq5 8.3.9-0ubuntu8.04 (using .../libpq5_8.3.10-
0ubuntu8.04_amd64.deb) ...
Unpacking replacement libpq5 ...
Preparing to replace sudo 1.6.9p10-1ubuntu3.5 (using .../sudo_1.6.9p10-
1ubuntu3.7_amd64.deb) ...
Unpacking replacement sudo ...
Setting up libkrb53 (1.6.dfsg.3~beta1-2ubuntu1.4) ...
Setting up exim4-config (4.69-2ubuntu0.1) ...
Setting up exim4-base (4.69-2ubuntu0.1) ...
Installing new version of config file /etc/init.d/exim4 ...
Setting up exim4-daemon-light (4.69-2ubuntu0.1) ...
* Starting MTA #[125G
#[119G[ OK ]
Setting up exim4 (4.69-2ubuntu0.1) ...
Setting up libfuse2 (2.7.2-1ubuntu2.1) ...
Setting up fuse-utils (2.7.2-1ubuntu2.1) ...
creating fuse group...
update-initramfs: deferring update (trigger activated)
Setting up libpq5 (8.3.10-0ubuntu8.04) ...
Setting up sudo (1.6.9p10-1ubuntu3.7) ...

5. Authentication logs is auth.log


Yes, there were several brute-force attacks performed.
There were 11 successful attacks from 6 different IP addresses. (Listed
on the answer for question 3)
There were 27 unsuccessful attacks.

6. The timeline of significant events can be viewed in the afterglow graph.


It shows the timeline and IP addresses for each of the 6 successful
logins. Afterglow was used for this because it shows in a very clear way
how many successful attacks there were for every attacker, their time
and date, and the user name attacked.

121.11.66.70
Apr 20 06:13:03
Apr 24 11:36:19

222.66.204.246

CHFI Lab Manual Page 7 Computer Hacking Forensic Investigator Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 15 – Log Capturing and Event Correlation

Apr 19 10:45:36
Apr 19 10:45:36

219.150.161.20
Apr 19 05:41:44
Apr 19 05:42:27
Apr 19 05:55:20
Apr 19 05:56:05

222.169.224.197
Apr 22 11:02:15

61.168.227.12
Apr 24 15:28:37

122.226.202.12
Apr 23 03:11:03
Apr 23 03:20:41

7. Tools used: EventTracker


Below are some of the issues:
a. Root access is not disabled
b. If you see 123.4.59.174—[19/Apr/2010:08:26:30-0700 ―GET
http://proxyjudge1.proxyfire.net/fastenv HTTP/1.1‖ 404 1466 ―_‖
―Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)‖
IdqydQoAAQAAEP5EvsAAAAF 2358754 log, the IP address
123.4.59.174 has to be blocked because they are trying to access
some web data but they are getting 404 error code.
c. There is nothing to worry about +??? root:nobody because those are
by cron jobs
d. Observing this log Apr 20 12:26:08 app-1 sshd[30892]: reverse
mapping checking getaddrinfo for
167.87.166.190.f.sta.codetel.net.do [190.166.87.164] failed –
POSSIBLE BREAK-IN ATTEMPT!, it looks like
167.87.166.190.f.sta.codetel.net.do [190.166.87.164] is a valid
system, to fix this add this entry into host files. Similarly there are
similar errors, add all those which are valid in host file so the log
analysis becomes easy and we can find out potential system threats
easily.

8. Yes, because there are too many logs in a very short time, it is obvious
that an automatic tool was used. Maybe a tool like hydra could have
been used. A proxy scanner called pxyscand (V2.1) was used.

CHFI Lab Manual Page 8 Computer Hacking Forensic Investigator Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 15 – Log Capturing and Event Correlation

9. Attacker used brute force attack to log into a remote system using root
password, to get administrator privileges and be able to install programs
in the remote server.
The attacker's goal was to use the system as an IRC bouncer and
possibly an attack platform. This is concluded by the following:
The attacker downloaded and installed psybnc-linux and eggdrop as
well as nmap on the system.
The attacker's method was sloppy and careless. He/she generated large
amounts of traces of his/hers presence on the system in the log files.
He/she did not care to delete them. He/she tried to change firewall
rules without knowing how to do so. A good attacker would have done
this in a virtual environment before trying it in a compromised system.
Experimenting in a compromised system when it can be done elsewhere
is sloppy.

10. To avoid this attack:


a. Hide system’s running services such as SSH behind the firewall
b. Use strong password or public-key authentication
c. Configure SSH server to use non-standard port
d. Restrict access to SSH server
e. Utilize intrusion detection or intrusion prevention
f. Disable root access
g. Use iptables to block the attack
h. Install a host IPS such as fail2ban or any other tool that would
analyze logs for auth.log file
i. Change secure shell port

Lab Analysis
Analyze and document the results related to the lab exercise.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS


RELATED TO THIS LAB.

Internet Connection Required


 Yes  No
Platform Supported
 Classroom  iLabs

CHFI Lab Manual Page 9 Computer Hacking Forensic Investigator Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.

You might also like