Martin Radford
7th January 2004
Cleaning Compromised Systems
(and making sure they don’t get
compromised in the first place!)
Why people break into systems
•To score “points” (I’ve got control over
more servers than you have)
•To store illicit/illegal material.
•To use them to attack other systems (inside
and outside the University)
•To find “interesting” material legitimately
on the hacked system.
•To relay spam.
Why University Systems
•Hackers like university-based computers
–Frequently decentralised environment
–Poorly-maintained/poorly-supported
–Untrained end-users “administer” (or don’t)
–“Academic freedom”
–Few “big sticks”
–Big pipes!
How hackers break in
•Lax security
–Blank passwords
–Weak passwords
–Passwords derived from username
–Poor (or non-existent) account lockout policies
•Missing security updates
–Service packs
–Critical updates
How hackers break in (2)
•Malicious attachments
•Exploits for unpatched IE security bugs
•Users running with excessive rights
(e.g. being routinely logged on with
administrator rights)
Unsupported versions of Windows
•Win95 – support ended 31st Dec 2001
•Win98 – support ended 16th Jan 2004
•Win98se – support ended 16th Jan 2004
•WinME – support ends 31st Dec 2004
•These versions are not checked for vulnerability when security patches
are produced!
•Microsoft include the following statement in security bulletins: “The
software listed above has been tested to determine if the versions are
affected. Other versions are no longer supported and may or may not
be affected.”
Source: http://www.microsoft.com/windows/lifecycle/default.mspx
Supported versions of Windows
•NT4W(sp6a) – support ends 30th June 2004*
•NT4S(sp6a) – support ends 31st Dec. 2005*
•Win2Kpro – support ends 31st March 2007
•Win2Ksrv – support ends 31st March 2007
•WinXPpro – support ends 31st Dec. 2008
*Current support is for security fixes only.
Source: http://www.microsoft.com/windows/lifecycle/default.mspx
Supported versions of IE
•Microsoft support only the following versions of
IE (as at 6 Jan 2004):
–IE6sp1 on Win98SE (until 16/1/04)
–No versions on NTW4sp6a.
–IE6sp1 on NTS4sp6a (until end 2004)
–No versions on WinME.
–IE6sp1 on Win2k (until end March 2007)
–IE5.01 on Win2kSP2/3/4
–IE6 and above on WinXP with current service packs
Source: http://www.microsoft.com/windows/lifecycle/default.mspx
Keeping Windows/IE patched
•Use Software Update Services for
Win2k/WinXP/Win2003.
–http://www.bris.ac.uk/is/services/computers/operatingsystems/sus/
•Visit Windows Update for NT4W, NT4S,
Win98/ME/2000Pro/2000Srv/XP/2003.
–http://windowsupdate.microsoft.com/
–This is a manual method
–Microsoft’s normal schedule is to release updates on a monthly
basis, but may release additional patches if required.
–Subscribe to Microsoft’s security bulletin mailing list at
http://www.microsoft.com/security/security_bulletins/alerts2.asp
Breaking in
•Brute force attacks on weak passwords (you
don’t need to logon to obtain a list of user
accounts)
–Attacker doesn’t necessarily need to find an
Administrator-level account; many attacks can
be launched with just user-level access.
–Can be protected against for all but the weakest
of passwords by configuring an account lockout
policy. (Choose the threshold and reset window with
care: a lockout policy also lets an attacker lock
legitimate users out by deliberately failing logons.)
On brute-forcing passwords
•Out of the box, NT/2000/XP does not set
account lockout policies or enable auditing
of logon failures.
•This makes it hard to prevent or identify
attempts to break into system via that route.
On brute-forcing passwords (2)
On anti-virus software
•AV software will not protect against many
hacks.
•Tools used by hackers are frequently
legitimate tools also used by system
administrators.
•However, AV software will frequently
identify hacker tools that have no legitimate
use.
Microsoft Baseline Security Analyzer
•http://www.microsoft.com/technet/security/tools/mbsahome.asp
•Scans one or more systems over the
network to identify security issues.
•You need administrator rights on the
system(s) you are scanning.
•Current version is 1.1.1.
Microsoft Baseline Security Analyzer (2)
Microsoft Baseline Security Analyzer (3)
University Firewall
•3.6 Firewall Service
•It will be remembered that when we discussed the introduction of new firewall
policies with the user population it was agreed to move from the current
default-allow policy to default-deny in the following stages:
•1. install new firewall equipment "in series" with the existing firewall controls
on the backbone routers;
•2. use the new firewalls to monitor the use being made of internet connectivity
so that users who would be affected by the introduction of a default-deny
policy could be identified;
•3. consult these users to make sure that their use was intentional
and necessary and if so add it to what would be permitted;
•4. activate default-deny on the new firewalls with those uses identified in
previous steps permitted.
•We are still intending to pursue this course of action.
(ISYS report to Computer Users’ Forum 4th Nov 2003,
http://www.bristol.ac.uk/WorkingGroups/Users/CUC/2003/ISYS041103.htm)
University Firewall (2)
•Currently “default-allow”
–Allow everything except that which is known to
be dangerous.
•Intend to move to “default-deny”
–Block everything except that which is known to
be safe.
University Firewall (3)
•Moving to default-deny on the firewall will
restrict the ability of outsiders to connect to
compromised systems inside the University.
•Most systems do not need to offer services to the
outside world and hence will not be affected by
default-deny.
•Where users need access to their own desktop
systems from outside, it is more secure to use the
Nomadic Network service than to open up a
system to general access from the whole Internet.
Dameware Vulnerability
•A vulnerability in Dameware was published
on 16th December.
–“The vulnerability is caused due to a boundary error when handling
authentication traffic. This can be exploited by sending specially crafted
packets to the DameWare Mini Remote Control Server (default port
6129/tcp), which may cause a buffer overflow.
Successful exploitation allows execution of arbitrary code on a vulnerable
system.”
•An exploit was made available on 19th December…
Dameware Vulnerability (3)
•We are now seeing 10-12 scans of our address
space every day looking for systems listening on
port 6129 (as used by Dameware).
•Hackers are installing Dameware on compromised
systems so they can access them remotely. They
may well be installing versions vulnerable to this
exploit, thus opening the systems up to other
hackers exploiting the vulnerability!
Future risks
•“root kits” which subvert Windows in such a way
that they are not visible.
–e.g. by installing a new service that hooks into the
service manager within the OS. The service intercepts
calls to the Win32 API functions
EnumServicesStatus() and
EnumServicesStatusEx() so that they don’t
report the presence of the service. (So you can’t see it’s
there, and neither can the Services applet or tools
built on the same calls.)
•These already exist! (e.g. HackerDefender
http://vil.nai.com/vil/content/v_100035.htm)
What we normally find
•FTP servers (normally more than one)
(“pubstros” –public distribution points)
–Serv-u (http://www.serv-u.com/)
•Remote control software
–Radmin (http://www.radmin.com/)
–Dameware (http://www.dameware.com/)
–VNC (http://www.realvnc.com/)
Dealing with compromised systems
•Correct route is to back up all user data and
wipe and reinstall OS from trusted installation
media (and patch before reconnecting to the network).
•Guaranteed to remove all compromises of
the operating system itself, including root
kits, etc., provided only data is restored from the
backup and never programs or scripts.
•Be aware that data may already have been
altered and/or stolen.
Hacker Tricks
(or, making clean-up difficult)
•Remove remote access
–Disable administrative shares (C$, D$, IPC$)
–Remove “Access this computer from the
network” right
How do I tell what might be suspicious? (0)
•Golden rule is to be familiar with what is
normal!
•It helps to compare with a “known clean”
system.
•Familiarise yourself with which services are
normally present so you can spot those you
haven’t seen before.
How do I tell what might be suspicious? (1)
•Services that come with Windows normally
run from C:\WINNT\System32 (but not
from subdirectories of System32, or from
other subdirectories of \winnt).
•Programs that have been installed will
probably run from their directory in
"c:\Program Files"
•But these rules are not foolproof.
How do I tell what might be suspicious? (2)
•Remember, hackers will frequently rename
executables so their name does not stand out.
•Some tools will be installed into \winnt\system32,
so they don't stand out.
•But we have also found programs in
\winnt\system32\config and \winnt\system32\ras
•If in doubt, compare with a known clean system.
How do I tell what might be suspicious? (3)
•Odd port numbers. As a rule, Windows
runs services on ports 135, 139, 445, and a
few on port numbers not far above 1024.
•Listening ports above 2000 should always be
considered suspicious until explained. (The local
ports of outgoing connections also sit above 1024,
so judge by the LISTENING lines, not the
ESTABLISHED ones.) Many will follow a
pattern (e.g. 53335, 56665, 59995, 4444,
5445).
How do I tell what might be suspicious? (4)
•Other suspicious ports we've seen:
–27, 222, 258, 312, 444, 666, 852, 1283, 2025,
2277, 4040, 4899, 5445, 5554, 6129, 7777,
8888, 9595, 9998, 12000, 19922, 65150.
How do I tell what might be suspicious? (5)
•Try connecting using telnet, using the
syntax:
telnet systemname port
•e.g.
telnet 137.222.123.45 444
•You may get no response (you can quit the
telnet session using ctrl-] q)
How do I tell what might be suspicious? (6)
•Or you might get a service banner (for example,
FTP does this):
220-Ftp4all 1.9 linux to windows port ready
220-| W e L c O m E @ This Box
220-|=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=|
220-|
220-| Local time is............: 15:26:20
220-| Uptime....................: 0 days,0 hours, 35 min. and 8 sec.
220-| Server Time............: 15:26:20
220-|
220-| Current Speed........: 0.000 KB/Sec
220-| Average Speed......: 0.000 KB/Sec
220-|
220-| Free Space............: 4638.30 Mb on current Drive (C)
220-| KB downloaded.....: 0 KB in 0 Files
220-| KB uploaded..........: 0 KB in 0 Files
220-| Users Connected...: 1
220-| Logins total............: 1 total
220-|=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=|
How do I tell what might be suspicious? (7)
220-
220-
220-|------------------------------------------------------------------
220-|--Infos... ------------------------------------------------------
220-|------------------------------------------------------------------
220-| Os : Windows NT 5.0.2195
220-| Os language : English (United Kingdom)
220-| Os Uptime : 1 Days 23 Hours 13 Minutes 35 Seconds
220-| CPU speed : 649.28 Mhz
220-| Ram : 196132 Mb Total / 70400 Mb Free (64 %)
220-| FREE SPACE : (C:\) [ 6.13 GB ] DISKSIZE : [ 7.86 GB ]
220-| TOTAL FREE : [ 6.13 GB ] TOTAL SPACE : [ 7.86 GB ]
220 |------------------------------------------------------------------
fport
•From Foundstone, Inc.
•http://www.foundstone.com/resources/termsofuse.htm?file=fport.zip
•Displays a list of network ports in use,
together with the process using them.
•Seems not to work on all systems.
fport (2)
FPort v2.0 -TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com
Pid Process Port Proto Path
504 Identd -> 113 TCP C:\Program Files\Identd\Identd.exe
412 svchost -> 135 TCP C:\WINNT\system32\svchost.exe
8 System -> 445 TCP
676 rundll -> 1010 TCP C:\WINNT\inf\rundll.exe
688 MSTask -> 1025 TCP C:\WINNT\system32\MSTask.exe
8 System -> 1026 TCP
564 Netddc -> 1027 TCP c:\system volume information \Netddc.exe
564 Netddc -> 1028 TCP c:\system volume information \Netddc.exe
. . .
564 Netddc -> 1042 TCP c:\system volume information \Netddc.exe
632 rundll -> 2025 TCP c:\system volume information \rundll.exe
888 naimas32 -> 8081 TCP C:\ePOAgent\naimas32.exe
748 stisvc -> 9595 TCP C:\Program Files\Windows NT\stisvc.exe
564 Netddc -> 43958 TCP c:\system volume information \Netddc.exe
564 Netddc -> 65150 TCP c:\system volume information \Netddc.exe
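The rules of thumb on the preceding slides (where a service runs from, which ports a plain Windows box uses, which ports have turned up on hacked machines) can be applied mechanically to fport’s output. The Python script below is an added example, not part of the talk or of fport: it parses the listing above (embedded as its sample input) and prints each listener together with the reasons it was flagged. The port sets and directory rules are the ones stated on the slides; treating a directory name that ends in a space as a hiding trick is my own addition.

```python
r"""Triage fport output with the rules of thumb from the slides.

Added example, not from the talk.  The sample listing is the one shown on
the fport slide; the port sets and directory rules are those the slides
state.  Rules are hints, not verdicts: legitimate add-ons also trip them.
"""
import re

EXPECTED_PORTS = {135, 139, 445}       # what a plain Windows box listens on
SEEN_BAD_PORTS = {27, 222, 258, 312, 444, 666, 852, 1283, 2025, 2277, 4040,
                  4899, 5445, 5554, 6129, 7777, 8888, 9595, 9998, 12000,
                  19922, 65150}        # ports the talk reports on hacked systems

# Sample input: the fport listing from the slide above.
SAMPLE_FPORT = r"""
FPort v2.0 -TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com
Pid Process Port Proto Path
504 Identd -> 113 TCP C:\Program Files\Identd\Identd.exe
412 svchost -> 135 TCP C:\WINNT\system32\svchost.exe
8 System -> 445 TCP
676 rundll -> 1010 TCP C:\WINNT\inf\rundll.exe
688 MSTask -> 1025 TCP C:\WINNT\system32\MSTask.exe
8 System -> 1026 TCP
564 Netddc -> 1027 TCP c:\system volume information \Netddc.exe
564 Netddc -> 1028 TCP c:\system volume information \Netddc.exe
. . .
564 Netddc -> 1042 TCP c:\system volume information \Netddc.exe
632 rundll -> 2025 TCP c:\system volume information \rundll.exe
888 naimas32 -> 8081 TCP C:\ePOAgent\naimas32.exe
748 stisvc -> 9595 TCP C:\Program Files\Windows NT\stisvc.exe
564 Netddc -> 43958 TCP c:\system volume information \Netddc.exe
564 Netddc -> 65150 TCP c:\system volume information \Netddc.exe
"""

FPORT_LINE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<proc>\S+)\s+->\s+(?P<port>\d+)\s+"
    r"(?P<proto>TCP|UDP)\s*(?P<path>.*?)\s*$")


def parse_fport(text):
    """Turn fport's 'pid process -> port proto path' lines into dicts.
    The banner, the header and the '. . .' line do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = FPORT_LINE.match(line)
        if m:
            rows.append({"pid": int(m["pid"]), "process": m["proc"],
                         "port": int(m["port"]), "proto": m["proto"],
                         "path": m["path"]})
    return rows


def path_reasons(path):
    """The 'where does it run from' rules.  Kernel-owned sockets (System)
    carry no path and get no verdict from this function."""
    reasons = []
    if not path:
        return reasons
    p = path.lower()
    directory = p.rsplit("\\", 1)[0]
    if directory == "c:\\winnt\\system32" or directory.startswith("c:\\program files\\"):
        pass                                     # expected locations (not foolproof)
    elif directory.startswith("c:\\winnt\\"):
        reasons.append("runs from a \\winnt subdirectory other than system32")
    elif "system volume information" in directory:
        reasons.append("runs from \\System Volume Information")
    else:
        reasons.append("runs from an unexpected directory")
    if " \\" in p:
        # A directory whose name ends in a space is awkward to open or delete
        # with the usual tools, which is why intruders like it (my addition).
        reasons.append("directory name ends in a space")
    return reasons


def port_reasons(port):
    """The port rules: known-bad list first, then the >2000 rule, then
    anything low that Windows itself does not listen on."""
    if port in SEEN_BAD_PORTS:
        return ["port seen before on compromised systems"]
    if port > 2000:
        return ["listening above port 2000"]
    if port < 1024 and port not in EXPECTED_PORTS:
        return ["low port that Windows itself does not use"]
    return []


def triage(rows):
    """Return [(row, reasons)] for every listener that trips a rule."""
    out = []
    for r in rows:
        reasons = path_reasons(r["path"]) + port_reasons(r["port"])
        if reasons:
            out.append((r, reasons))
    return out


def suspicious_paths(text):
    """Distinct executables worth chasing through the registry, sorted."""
    return sorted({r["path"] for r, _ in triage(parse_fport(text)) if r["path"]})


if __name__ == "__main__":
    for row, why in triage(parse_fport(SAMPLE_FPORT)):
        print(f"{row['port']:>6} {row['process']:<10} {row['path']}")
        for w in why:
            print(f"       - {w}")
```

Expect false positives: in the sample the agent in C:\ePOAgent (naimas32.exe on 8081) and the identd under Program Files trip the rules as readily as the intruder’s tools do, which is the “not foolproof” point made above. Run fport from a copy on removable media rather than one found on the suspect box, and bear in mind that a kernel-level root kit can hide entries from fport and netstat alike.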
netstat
•Included with Windows
•Lists network connections
•Defaults to displaying existing connections
•-n flag: do not resolve IP/port numbers to names
•-a flag: show all ports, including those listening
for incoming connections
•Be aware that on a hacked system, system
executables may have been replaced (this is
particularly common on Unix systems).
netstat (3)
TCP 137.222.14.166:1160 137.222.12.110:143 ESTABLISHED
TCP 137.222.14.166:1171 137.222.12.110:143 ESTABLISHED
TCP 137.222.14.166:1401 137.222.12.110:22 ESTABLISHED
TCP 137.222.14.166:1439 0.0.0.0:0 LISTENING
TCP 137.222.14.166:1439 137.222.136.39:139 ESTABLISHED
TCP 137.222.14.166:1482 0.0.0.0:0 LISTENING
TCP 137.222.14.166:1482 137.222.125.240:139 ESTABLISHED
TCP 137.222.14.166:1526 137.222.10.55:143 ESTABLISHED
TCP 137.222.14.166:1527 137.222.10.55:143 ESTABLISHED
TCP 137.222.14.166:1750 137.222.10.68:389 CLOSE_WAIT
TCP 137.222.14.166:1755 137.222.10.68:389 CLOSE_WAIT
•Established: a connection that is in use
•Listening: a port waiting for an incoming connection
•Close_wait: a connection in the process of closing
•Syn_sent: a connection in the process of being set up
•There are others, too.
netstat (4)
•We are looking mainly for ports waiting for
incoming connections –i.e. those in state
“listening”. Easy way to find these is to
pipe the output of “netstat” to “find” –i.e.
netstat -an | find "LISTEN"
Finding services
•Once we've found the executables that are
listening for incoming connections, we need to
find where they are being started from.
•These are normally run as services so they start
when the system starts up.
•The best place to start looking is the registry,
under
HKLM\SYSTEM\CurrentControlSet\Services
•Tip: on NT/Win2k, use regedit.exe, not
regedt32.exe (regedit has a "find" option)
Finding services (2)
•In the example above, the obvious
suspicious executables are:
–C:\WINNT\inf\rundll.exe (port 1010)
–c:\system volume information\Netddc.exe
(many ports)
–C:\Program Files\Windows NT\stisvc.exe
(port 9595)
Finding services (3)
•Once you have the executable’s path from fport,
navigate to
HKLM\SYSTEM\CurrentControlSet\Services
and use regedit’s “find” command to search
for the executable (it appears in the service’s
ImagePath value).
•Be careful of capitalisation (may be
important; use the name as shown in fport’s
output).
Finding services (4)
For example, if looking for rundll.exe:
Finding services (5)
Note:
DisplayName shows up in the Services applet
Description shows up in the Services applet (but is
frequently not set by hackers)
ImagePath matches the output of fport.
Finding services (6)
Finding services (7)
Finding services (8)
•Now you have the service, you can stop it.
•Stop the service
•Delete its executable (you can’t do this until
the service has stopped)
•Remove the registry entries.
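Searching the Services key by hand with regedit’s Find works, but it is slow when there are several executables to chase, and it can miss an ImagePath that refers to the file through %SystemRoot% or with different capitalisation. An alternative, shown here as an added example that is not from the talk, is to export the key once with regedit /e and match every ImagePath against the paths fport printed. The .reg text in the script is constructed to resemble the rundll.exe case above: the service’s DisplayName is invented for the example, and the expansion of %SystemRoot% to C:\WINNT is an assumption.

```python
r"""Find the service that launches a suspect executable by scanning an
exported copy of the Services key.  Added example, not from the talk: run
    regedit /e services.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
on the suspect system, then match every ImagePath against the path fport
printed.  SAMPLE_REG below is constructed: the 'rundll' service and its
DisplayName are made up, and %SystemRoot% is assumed to be C:\WINNT.
"""
import re

_VALUE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<raw>.*)$')
_HEX = re.compile(r"^hex(?:\((?P<type>[0-9a-f]+)\))?:(?P<data>.*)$")


def _join_continuations(lines):
    """Fold hex values that regedit wraps with a trailing backslash."""
    out = []
    for line in lines:
        if out and out[-1].endswith("\\"):
            out[-1] = out[-1][:-1] + line.strip()
        else:
            out.append(line)
    return out


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)           # \\ -> \  and  \" -> "


def _decode(raw, utf16):
    """Decode one exported value: a quoted string, dword:, or hex(type):bytes."""
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = _HEX.match(raw)
    if not m:
        return raw                              # leave unknown forms alone
    data = bytes.fromhex(m["data"].replace(",", ""))
    if m["type"] in ("2", "7"):                 # REG_EXPAND_SZ / REG_MULTI_SZ
        text = data.decode("utf-16-le" if utf16 else "latin-1")
        return text.rstrip("\x00").replace("\x00", ";")
    return data                                 # REG_BINARY and friends


def parse_reg_export(text):
    """Return {key path: {value name: value}}.  'Version 5.00' exports hold
    UTF-16 inside hex(2); REGEDIT4 exports (NT4) hold ANSI, taken as latin-1."""
    lines = text.splitlines()
    utf16 = bool(lines) and lines[0].strip() != "REGEDIT4"
    keys, current = {}, None
    for line in _join_continuations(lines[1:]):
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name = m["name"]
            name = "@" if name == "@" else _unescape(name[1:-1])
            keys[current][name] = _decode(m["raw"], utf16)
    return keys


def _normalise(path):
    """Case-fold and expand %SystemRoot% (assumed to be C:\\WINNT here)."""
    return path.lower().replace("%systemroot%", "c:\\winnt").strip('"')


def find_services(keys, exe_path):
    """Services whose ImagePath refers to the executable fport reported."""
    want = _normalise(exe_path)
    hits = []
    for key, values in keys.items():
        image = values.get("ImagePath")
        if isinstance(image, str) and want in _normalise(image):
            hits.append({"service": key.rsplit("\\", 1)[-1],
                         "DisplayName": values.get("DisplayName", ""),
                         "ImagePath": image, "Start": values.get("Start")})
    return hits


def _hex2(s, width=25):
    """Write a string the way regedit exports REG_EXPAND_SZ: UTF-16LE bytes
    as comma-separated hex, folded onto indented lines ending in a backslash."""
    octets = [f"{b:02x}" for b in (s + "\x00").encode("utf-16-le")]
    chunks = [",".join(octets[i:i + width]) for i in range(0, len(octets), width)]
    return "hex(2):" + ",\\\n  ".join(chunks)


# Constructed sample export: one genuine-looking service and the suspect one.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs]",
    '"DisplayName"="Remote Procedure Call (RPC)"',
    '"ImagePath"=' + _hex2(r"%SystemRoot%\system32\svchost.exe -k rpcss"),
    '"Start"=dword:00000002', "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rundll]",
    '"Type"=dword:00000010',
    '"Start"=dword:00000002',
    '"DisplayName"="Remote Procedure Call Helper"',   # invented for the example
    '"ImagePath"=' + _hex2(r"C:\WINNT\inf\rundll.exe"),
    '"ObjectName"="LocalSystem"', "",
])
```

Export on the suspect machine and parse on a clean one; a Version 5.00 export is a UTF-16 text file, so open it with encoding='utf-16'. Once a key is found, its DisplayName is what to look for in the Services applet, and Start=2 (automatic) confirms the service would come back at the next boot.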
Examining files
•Once you find the service’s executables,
there’s a good chance its configuration files
will be in the same folder.
•In some cases, that folder may have other
legitimate files there too (for example,
sometimes we find stuff installed in
\winnt\system32).
Examining files (2)
•Try searching the directory in order by date;
this will highlight files:
–With a modification time of around the same
time as the executable
–That were created at about the same time as the
system was hacked.
•Be aware that filenames are chosen to
mislead –we’ve found .dll and .ocx files
that are in fact plain text configuration files.
Examining files (3)
•If you’re lucky, you may find configuration files
for FTP servers. These may contain information
about where the “home” directory is. If you can
find this, you can examine and/or delete files
found there.
•Be aware that one FTP server may host multiple
“sites” on different port numbers. Also, note that
“admin” accounts on the server normally give full
access to the entire drive (and normally list all
drive letters, not just C:).
Examining files (4)
[DOMAINS]
Domain1=0.0.0.0||65150|Team zonder Naam|1|0
Domain2=0.0.0.0||1031|Team admin Backup|2|0
[GROUP=Boards|1]
Access1=c:\system volume information \homedir|RLP
[GROUP=TzN|1]
Access1=c:\system volume information \homedir|RWAMLCDP
[USER=proud.to.be|1]
Password=yq4FE42C35D028FE8FAD02EAFA1F2272B7
HomeDir=c:\system volume information \enter
[USER=tt|1]
Password=zkFEDBA3925D45284445C9BAA8CCD5967A
[USER=TzN|1]
Password=uu65E1EC5A4835644B8138543A57529DFF
[USER=hack|2]
Password=ccF67D4D4CAD88C5B073BCD9BDC9A58815
HomeDir=c:\
AlwaysAllowLogin=1
TimeOut=600
Maintenance=System
Access1=*|RWAMELCDP
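A configuration like this is worth parsing rather than reading by eye, because the facts that matter for clean-up are scattered through it: the port each “domain” listens on (to match against netstat), every HomeDir and Access path (where the pubstro content lives), and which accounts can write to the whole drive. The Python below is an added example, not from the talk or from Serv-U; it parses the fragment shown above, embedded as its sample input. The field layout assumed for the DomainN lines (address||port|name|id|…) and the reading of Maintenance=System as a server-administrator setting are my interpretation of this Serv-U style file, not documented fact.

```python
r"""Extract what an incident handler needs from an FTP server configuration
of the kind shown on the slide.  Added example, not from the talk.  The
sample is the slide's fragment; the DomainN field layout
(address||port|name|id|...) and the meaning of Maintenance=System are my
reading of this Serv-U style file.
"""
import re

SAMPLE_INI = r"""[DOMAINS]
Domain1=0.0.0.0||65150|Team zonder Naam|1|0
Domain2=0.0.0.0||1031|Team admin Backup|2|0
[GROUP=Boards|1]
Access1=c:\system volume information \homedir|RLP
[GROUP=TzN|1]
Access1=c:\system volume information \homedir|RWAMLCDP
[USER=proud.to.be|1]
Password=yq4FE42C35D028FE8FAD02EAFA1F2272B7
HomeDir=c:\system volume information \enter
[USER=tt|1]
Password=zkFEDBA3925D45284445C9BAA8CCD5967A
[USER=TzN|1]
Password=uu65E1EC5A4835644B8138543A57529DFF
[USER=hack|2]
Password=ccF67D4D4CAD88C5B073BCD9BDC9A58815
HomeDir=c:\
AlwaysAllowLogin=1
TimeOut=600
Maintenance=System
Access1=*|RWAMELCDP
"""

# [DOMAINS], [USER=name|domainid], [GROUP=name|domainid]
_SECTION = re.compile(r"^\[(?P<kind>[A-Za-z]+)(?:=(?P<name>[^|\]]*)(?:\|(?P<domain>\d+))?)?\]$")
_ACCESS = re.compile(r"^Access\d+$", re.IGNORECASE)


def parse_ftp_ini(text):
    """Return {'domains': [...], 'users': [...], 'groups': [...]}.  Users and
    groups keep their raw key/values plus a list of (path, flags) grants."""
    cfg = {"domains": [], "users": [], "groups": []}
    current = None                      # ("DOMAINS", None) or (kind, entry)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = _SECTION.match(line)
        if m:
            kind = m["kind"].upper()
            if kind == "DOMAINS":
                current = ("DOMAINS", None)
            elif kind in ("USER", "GROUP"):
                entry = {"name": m["name"], "domain": int(m["domain"] or 0),
                         "access": [], "values": {}}
                cfg[kind.lower() + "s"].append(entry)
                current = (kind, entry)
            else:
                current = None          # a section this example does not model
            continue
        if current is None:
            continue
        key, _, value = line.partition("=")
        if current[0] == "DOMAINS":
            f = value.split("|")
            if key.lower().startswith("domain") and len(f) >= 5:
                cfg["domains"].append({"address": f[0], "port": int(f[2]),
                                       "name": f[3], "id": int(f[4])})
        elif _ACCESS.match(key):
            path, _, flags = value.partition("|")
            current[1]["access"].append((path, flags))
        else:
            current[1]["values"][key] = value
    return cfg


def summarise(cfg):
    """Listening ports to check with netstat, directories to inspect for the
    pubstro content, and accounts that reach the whole drive."""
    ports = {d["port"]: d["name"] for d in cfg["domains"]}
    paths = set()
    for e in cfg["users"] + cfg["groups"]:
        home = e["values"].get("HomeDir")
        if home:
            paths.add(home)
        paths.update(p for p, _ in e["access"] if p != "*")
    full_access = []
    for u in cfg["users"]:
        # A '*' grant applies to every path; 'W' in the flags is write access.
        wildcard_write = any(p == "*" and "W" in fl for p, fl in u["access"])
        if wildcard_write or u["values"].get("Maintenance") == "System":
            full_access.append(u["name"])
    return {"ports": ports, "paths": sorted(paths), "full_access": full_access}


if __name__ == "__main__":
    report = summarise(parse_ftp_ini(SAMPLE_INI))
    for port, name in sorted(report["ports"].items()):
        print(f"listening on {port}: {name}")
    for p in report["paths"]:
        print(f"inspect {p}")
    print("full-drive accounts:", ", ".join(report["full_access"]))
```

The Password= values are hashes, so there is nothing to recover there; the useful output is the port list and the directories to inspect. Note that the paths in this file contain a space before the backslash exactly as written above, and the script keeps it, because that is the name you must use to reach the directory.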
Examining files (5)
•You may need to enable viewing of
hidden/system files.
•\System Volume Information, by default is
set to SYSTEM: FullControl. To look in
there, you must add Administrators to its
access control list.
Radmin
•Radmin is frequently installed for remote
access. One noticeable feature is that it
stores its configuration in
HKLM\SYSTEM\Radmin
•If you see this registry key (and if you know
you’re not using that tool yourself!) you can
delete it.
Resources
•JANET CERT (Computer Emergency Response
Team)
–http://www.ja.net/CERT/
–http://www.ja.net/CERT/JANET-CERT/incidents/Forensics.html
•Links to: Foundstone’s Primer on Windows forensics
•Boston University’s internal investigation procedures
–http://www.ja.net/CERT/JANET-CERT/incidents/Coping_with_Intrusions.html
•CERT.org
–http://www.cert.org/tech_tips/
•includes “Steps for Recovering from a UNIX
or NT System Compromise”
–http://www.cert.org/tech_tips/root_compromise.html