CHFI v8 Module 15 Log Capturing and Event Correlation
Lab 1
The Challenge
Navigate to D:\Evidence Files\Forensics Challenges\HONEYNET Challenges\Challenge 5 of the Forensic Challenge 2010 - Log Mysteries. Analyze the sanitized_log.zip and answer the following questions:
1. Was the system compromised and when? How do you know that for sure?
2. If the system was compromised, what was the method used?
3. Can you locate how many attackers failed? If some succeeded, how many were they? How many stopped attacking after the first success?
4. What happened after the brute force attack?
5. Locate the authentication logs; was a brute-force attack performed? If yes, how many?
6. What is the timeline of significant events? How certain are you of the timing?
7. Anything else that looks suspicious in the logs? Any misconfigurations? Other issues?
8. Was an automatic tool used to perform the attack? If yes, which one?
9. What can you say about the attacker's goals and methods?
10. What would you have done to avoid this attack?
CHFI Lab Manual Page 2 Computer Hacking Forensic Investigator Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Challenge Result
Note: The tools and methodologies used here, and results obtained are provided for
your reference. The actual results may vary according to your selection of tools and
methodologies.
1. Tools used: shell programming, awk, logwatch
The system was compromised several times, from several IP addresses.
Attacking IP address -- time of compromise
IP address 61.168.227.12 made a brute force attack and broke into the system 1 time(s).
First, failed password logs do not just come from attackers. It is also possible that an authorized user had forgotten his/her password, or that a user had forgotten the IP address of the secure shell server. To distinguish between these cases and avoid generating too many false positives, the following criteria have been taken into account:
a. If there are accepted logins before valid-user failed password logs for an IP address, it is less likely to be an attacker, so it will need at least N failed password logins to be considered hostile.
b. If there are failed password logs for a valid user before accepted password logs, X failed password login attempts for a valid user and Y failed password attempts for an invalid user are needed for an IP address to be considered an attacker.
c. If there are at least Z invalid-user failed passwords or B valid-user failed password login attempts, an IP address is considered to be an attacker; it does not matter if there are accepted password logs before these logs.
These values will be defined by every system administrator, based on their specific needs. Hence, these numbers should be modifiable to meet their requirements.
For this challenge use the following values:
N=30, X=5, Y=3, Z=20, B=3
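One way to turn criteria a, b and c into a check that runs over sshd entries, as an added example that is not the lab's own shell/awk script: it parses the standard OpenSSH "Accepted password" and "Failed password" lines, tallies them per source IP in log order, and applies the challenge thresholds. The log lines below are constructed, the IPs 10.0.0.5 and 10.0.0.9 are invented, and criterion b is read as requiring both the X and the Y counts.

```python
import re
from collections import defaultdict

# Thresholds from the challenge answer: N, X, Y, Z, B (criteria a, b, c).
THRESHOLDS = dict(N=30, X=5, Y=3, Z=20, B=3)

# OpenSSH auth.log line shapes; the syslog timestamp prefix is not needed here.
ACCEPTED = re.compile(r"Accepted (?:password|publickey) for (\S+) from (\d+\.\d+\.\d+\.\d+)")
FAILED = re.compile(r"Failed password for (invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")

def tally(lines):
    """Per source IP, count accepted logins and valid/invalid-user failures,
    and remember which kind of event was seen first (log order = time order)."""
    stats = defaultdict(lambda: {"accepted": 0, "valid_fail": 0, "invalid_fail": 0, "first": None})
    for line in lines:
        m = ACCEPTED.search(line)
        if m:
            s = stats[m.group(2)]
            s["accepted"] += 1
            s["first"] = s["first"] or "accepted"
            continue
        m = FAILED.search(line)
        if m:
            s = stats[m.group(3)]
            s["invalid_fail" if m.group(1) else "valid_fail"] += 1
            s["first"] = s["first"] or "failed"
    return stats

def is_hostile(s, t=THRESHOLDS):
    """Apply criteria a, b and c; any one of them marks the IP as an attacker."""
    c = s["invalid_fail"] >= t["Z"] or s["valid_fail"] >= t["B"]
    a = s["first"] == "accepted" and s["valid_fail"] >= t["N"]
    # Criterion b read with 'and': both the valid- and invalid-user counts must be met (assumption).
    b = s["first"] == "failed" and s["valid_fail"] >= t["X"] and s["invalid_fail"] >= t["Y"]
    return c or a or b

def classify(lines):
    return {ip: is_hostile(s) for ip, s in tally(lines).items()}

# Constructed sample: one admin typo (10.0.0.5) and one scripted guessing run (10.0.0.9).
SAMPLE = (
    ["Apr 19 05:40:01 app-1 sshd[900]: Accepted password for alice from 10.0.0.5 port 5000 ssh2",
     "Apr 19 05:40:30 app-1 sshd[901]: Failed password for alice from 10.0.0.5 port 5001 ssh2"]
    + [f"Apr 19 05:41:{i:02d} app-1 sshd[{1000+i}]: Failed password for invalid user test{i} from 10.0.0.9 port 4{i:03d} ssh2" for i in range(21)]
    + [f"Apr 19 05:42:{i:02d} app-1 sshd[{1100+i}]: Failed password for root from 10.0.0.9 port 5{i:03d} ssh2" for i in range(4)]
    + ["Apr 19 05:42:27 app-1 sshd[1200]: Accepted password for root from 10.0.0.9 port 5999 ssh2"]
)

if __name__ == "__main__":
    for ip, hostile in classify(SAMPLE).items():
        print(ip, "ATTACKER" if hostile else "ok")
```

On real data, feed the script the sshd lines of auth.log in file order; with the challenge's B=3, criterion c alone flags any source with three or more failures for an existing account.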
Methodology:
4. Many programs were replaced and the Exim mail server was installed. Exim was reconfigured after the system was compromised. This information can be found in the apt log:
/var/lib/python-support/python2.5/yum/__init__.py:1129: Warning: 'with' will become a reserved keyword in Python 2.6
/var/lib/python-support/python2.5/yum/depsolve.py:73: Warning: 'with' will become a reserved keyword in Python 2.6
/var/lib/python-support/python2.5/yum/repos.py:236: Warning: 'with' will become a reserved keyword in Python 2.6
/var/lib/python-support/python2.5/yum/repos.py:260: Warning: 'with' will become a reserved keyword in Python 2.6
/var/lib/python-support/python2.5/yum/repos.py:263: Warning: 'with' will become a reserved keyword in Python 2.6
/usr/share/yum-cli/cli.py:614: Warning: 'with' will become a reserved keyword in Python 2.6
/usr/share/yum-cli/cli.py:615: Warning: 'with' will become a reserved keyword in Python 2.6
/usr/share/yum-cli/cli.py:616: Warning: 'with' will become a reserved keyword in Python 2.6
Unpacking replacement libkrb53 ...
Preparing to replace exim4-config 4.69-2 (using .../exim4-config_4.69-2ubuntu0.1_all.deb) ...
Unpacking replacement exim4-config ...
Preparing to replace exim4-base 4.69-2 (using .../exim4-base_4.69-2ubuntu0.1_amd64.deb) ...
Unpacking replacement exim4-base ...
Preparing to replace exim4-daemon-light 4.69-2 (using .../exim4-daemon-light_4.69-2ubuntu0.1_amd64.deb) ...
 * Stopping MTA #[125G
#[119G[ OK ]
Unpacking replacement exim4-daemon-light ...
Preparing to replace exim4 4.69-2 (using .../exim4_4.69-2ubuntu0.1_all.deb) ...
Unpacking replacement exim4 ...
Preparing to replace fuse-utils 2.7.2-1ubuntu2 (using .../fuse-utils_2.7.2-1ubuntu2.1_amd64.deb) ...
Unpacking replacement fuse-utils ...
Preparing to replace libfuse2 2.7.2-1ubuntu2 (using .../libfuse2_2.7.2-1ubuntu2.1_amd64.deb) ...
Unpacking replacement libfuse2 ...
Preparing to replace libpq5 8.3.9-0ubuntu8.04 (using .../libpq5_8.3.10-0ubuntu8.04_amd64.deb) ...
Unpacking replacement libpq5 ...
Preparing to replace sudo 1.6.9p10-1ubuntu3.5 (using .../sudo_1.6.9p10-1ubuntu3.7_amd64.deb) ...
Unpacking replacement sudo ...
Setting up libkrb53 (1.6.dfsg.3~beta1-2ubuntu1.4) ...
Setting up exim4-config (4.69-2ubuntu0.1) ...
Setting up exim4-base (4.69-2ubuntu0.1) ...
Installing new version of config file /etc/init.d/exim4 ...
Setting up exim4-daemon-light (4.69-2ubuntu0.1) ...
* Starting MTA #[125G
#[119G[ OK ]
Setting up exim4 (4.69-2ubuntu0.1) ...
Setting up libfuse2 (2.7.2-1ubuntu2.1) ...
Setting up fuse-utils (2.7.2-1ubuntu2.1) ...
creating fuse group...
update-initramfs: deferring update (trigger activated)
Setting up libpq5 (8.3.10-0ubuntu8.04) ...
Setting up sudo (1.6.9p10-1ubuntu3.7) ...
Attacking IP address -- time of compromise
121.11.66.70      Apr 20 06:13:03, Apr 24 11:36:19
222.66.204.246    Apr 19 10:45:36, Apr 19 10:45:36
219.150.161.20    Apr 19 05:41:44, Apr 19 05:42:27, Apr 19 05:55:20, Apr 19 05:56:05
222.169.224.197   Apr 22 11:02:15
61.168.227.12     Apr 24 15:28:37
122.226.202.12    Apr 23 03:11:03, Apr 23 03:20:41
8. Yes. There are too many log entries in a very short time, so it is obvious that an automatic tool was used; a tool like hydra could have been used. A proxy scanner called pxyscand (V2.1) was also used.
9. The attacker used a brute force attack to log into the remote system with the root password, gaining administrator privileges and the ability to install programs on the remote server.
The attacker's goal was to use the system as an IRC bouncer and possibly as an attack platform. This is concluded from the following: the attacker downloaded and installed psybnc-linux and eggdrop, as well as nmap, on the system.
The attacker's method was sloppy and careless. He/she generated large amounts of traces of his/her presence on the system in the log files and did not care to delete them. He/she tried to change firewall rules without knowing how to do so. A good attacker would have done this in a virtual environment before trying it on a compromised system; experimenting on a compromised system when it can be done elsewhere is sloppy.
Lab Analysis
Analyze and document the results related to the lab exercise.