Analysis of a successful intrusion

The purpose of this week's exercise is to learn how a real intrusion may occur.

Obligatory problems

You may log on to the ssh-server studssh.cs.hioa.no or any other Linux host to do these assignments. Later you will be handed a network of virtual machines.

More than 10 years ago we got the following email from uninett.no, who are responsible for the networks connecting universities and colleges in Norway (translated from Norwegian):

Subject: Infected computers?
Date: Fri, 29 Sep 2006 19:20:34 +0200 (CEST)
From: dscan@uninett.no
To: cert@uninett.no

This message is automatically generated by a script at maal.uninett.no.

The following hosts are performing host-scanning as detected by
flow-tool on central netflow log computers in UNINETT.

Time:    	IP-adresse:    	Type scan:    Org:
0929.19:06:05   128.39.73.131   tcp 22 scan   hio.no

The computer is probably infected, and we recommend investigating the case.

We discovered that the host (which was one of the Linux hosts with a public IP handed out to a student of this course) had indeed been hacked. Since it is a VM, it was rebuilt from scratch, but first the bash_history file and some hacker tools were copied. Take a look at the bash_history file and the file scripts.tar.gz containing the hacker tools and try to find out what has happened. NB! Because "Google detected 1 malicious software URLs", these files must be password-protected; you may find the credentials in the archive in Fronter.

Do under no circumstances use any of these hacker tools. Do NOT repeat the commands in the bash_history file.

We have not analysed this thoroughly, so it is great if you do so. At least you should try to answer the following questions based on the given files.

  1. How do you think 128.39.73.131 was compromised?
  2. What kind of scanning was the reported host-scanning and how were the victims chosen?
  3. What is the content of the files vuln.txt and data.conf and how are these files related?
  4. How could this attack have been avoided?
  5. Would a firewall protect against this attack?
  6. What takes place in the bash_history file?
  7. What is an Undernet Channel and how is this related to this type of attack?
  8. Is the attack fully automated (a worm) or is the hacker doing the commands from commandline?

We don't know the answer to the last question and hope you can find out!

auth.log

The file auth.log logs ssh login attempts. This auth.log file is taken from a Linux desktop at HiOA. Download and study it.

  9. Discuss how the contents of this file are related to the attack investigated above based on the scripts.tar.gz file. Does it seem like these kinds of attacks are not common anymore?
  10. What are the first and last timestamps of this logfile? Do that many login attempts seem normal for such a period of time?
  11. What do you think is the source of all the failed login attempts?

Using Linux one-line commands (or bash scripts if you prefer), find the following from the auth.log file:

  12. The number of failed login attempts. Note that there can be more than one line per attempt, and avoid the lines announcing that the attempt has been repeated.
  13. The number of failed attempts for an invalid user.
  14. The number of failed attempts, excluding those for an invalid user.
  15. A sorted list of unique IPs which are the source of failed attempts, excluding those for an invalid user. (Hint: cut, sort and uniq are handy for obtaining this.)
  16. A sorted list of unique IPs which are the source of failed attempts for an invalid user.
  17. The number of IPs which are the source of failed attempts, excluding those for an invalid user.
  18. The number of IPs which are the source of failed attempts for an invalid user.

  19. How many of the IPs responsible for the attempts for a valid user are common with those for an invalid user?
  20. How can such a list of IPs be used for protection?
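The counts asked for in questions 10 and 12 to 19, as an added POSIX shell example that is not part of the assignment. It runs on a constructed sample of OpenSSH log lines and assumes the real file uses the same "Failed password for [invalid user] NAME from IP port N" and "message repeated N times" message formats; set AUTH_LOG to the path of the real auth.log to run the same functions on it.

```shell
#!/bin/sh
# Constructed sample in OpenSSH/PAM syslog format, used only when AUTH_LOG is unset.
if [ -z "$AUTH_LOG" ]; then
  AUTH_LOG=$(mktemp)
  cat > "$AUTH_LOG" <<'EOF'
Sep 29 19:05:01 desktop sshd[2101]: Invalid user admin from 192.0.2.10
Sep 29 19:05:01 desktop sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40211 ssh2
Sep 29 19:05:02 desktop sshd[2101]: Connection closed by 192.0.2.10 [preauth]
Sep 29 19:05:04 desktop sshd[2103]: Failed password for root from 192.0.2.10 port 40215 ssh2
Sep 29 19:05:06 desktop sshd[2103]: message repeated 2 times: [ Failed password for root from 192.0.2.10 port 40215 ssh2]
Sep 29 19:05:09 desktop sshd[2105]: Failed password for invalid user test from 198.51.100.7 port 51002 ssh2
Sep 29 19:05:12 desktop sshd[2107]: Failed password for student from 203.0.113.5 port 33010 ssh2
Sep 29 19:05:15 desktop sshd[2109]: Failed password for invalid user oracle from 203.0.113.5 port 33014 ssh2
Sep 29 19:06:00 desktop sshd[2111]: Accepted password for student from 203.0.113.9 port 33020 ssh2
EOF
fi

# One "Failed password" line per attempt; the "Invalid user ..." and "Connection closed"
# lines belong to the same attempt, and "message repeated" summaries are not attempts. (Q12)
failed_lines()   { grep 'Failed password' "$AUTH_LOG" | grep -v 'message repeated'; }
count()          { wc -l | tr -d ' '; }                                  # line count without padding
src_ip()         { sed -n 's/.* from \([0-9.]*\) port .*/\1/p'; }         # the address after "from"
failed_total()   { failed_lines | count; }                                # Q12
failed_invalid() { failed_lines | grep 'invalid user' | count; }          # Q13
failed_valid()   { failed_lines | grep -v 'invalid user' | count; }       # Q14
ips_valid()      { failed_lines | grep -v 'invalid user' | src_ip | sort -u; }   # Q15
ips_invalid()    { failed_lines | grep 'invalid user' | src_ip | sort -u; }      # Q16
count_ips_valid()   { ips_valid | count; }                                # Q17
count_ips_invalid() { ips_invalid | count; }                              # Q18
# Q19: each list is already unique, so an address seen twice in the union is in both.
ips_common()     { { ips_valid; ips_invalid; } | sort | uniq -d; }
# Q10: the syslog "Mon DD HH:MM:SS" prefix of the first and last line.
time_span()      { printf '%s .. %s\n' "$(head -n 1 "$AUTH_LOG" | cut -c1-15)" \
                                        "$(tail -n 1 "$AUTH_LOG" | cut -c1-15)"; }

printf 'failed=%s invalid=%s valid=%s ips_valid=%s ips_invalid=%s common=%s\n' \
  "$(failed_total)" "$(failed_invalid)" "$(failed_valid)" \
  "$(count_ips_valid)" "$(count_ips_invalid)" "$(ips_common | count)"
echo "span: $(time_span)"
```

Note that the time span is only meaningful if the file is in chronological order, which is the case for an unrotated auth.log.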

Extra challenge (not mandatory)

Investigating scripts.tar.gz, write a bash script that checks whether every combination of username and password in vuln.txt really is found in data.conf.

Write a short report answering the questions in a text file. Answer all the questions and submit them using Fronter (log on at http://www.hioa.no/fronter and choose engelsk (English) as the language), using the folder "Assignment 1". Any format is accepted, preferably PDF or ASCII text. If you submit using an editable format, like ASCII, odt or doc, you may receive comments within the text from the teachers. Submit the complete assignment in a single document.