|
|
|
|
|
Contains an archive of Web vandalism attacks http://www.attrition.org/mirror/attrition |
|
|
|
|
|
Attackers like to remove evidence from logs
associated with attacker’s gaining access, elevating privileges,and
installing RootKits and backdoors |
|
Login records |
|
Stopped and restarted services |
|
File access/update times |
|
|
|
|
|
|
Security-related events such as failed login
attempts or failed access to files are stored in file SecEvent.Evt |
|
System events such as inability in starting a
system service are stored in file SysEvent.Evt |
|
Application events related to applications such
as databases or web servers are stored in file AppEvent.Evt |
|
|
|
|
|
|
opening or editing event log files cannot be
done with a standard file editing tool |
|
Deleting event log files possible but may cause
suspicion |
|
WinZapper tool allows attacker to selectively
delete security events |
|
http://ntsecurity.nu/toolbox/winzapper |
|
|
|
|
|
|
|
|
|
|
Unix log files are stored in files specified in
/etc/syslog.conf (eg. /var/adm/messages) |
|
Attackers can alter log files via editors such
as vi or emacs |
|
|
|
|
|
|
|
|
utmp, wtmp, and lastlog files are the main
accounting files in Unix |
|
Written in special binary format |
|
Can be edited using tools such as remove,
wtmped, marry, cloak, logwedit, wzap, and zapper |
|
http://ftp.technotronic.com/unix/log-tools |
|
Tools included in RootKits |
|
|
|
|
stores a complete list of all commands entered
by the user at the Unix command prompt |
|
Usually stored in users’ home directories |
|
Attacker may configure the length of the shell
history file to be zero but may raise suspicion |
|
Careful attacker will remove unwanted lines from
the history file via ASCII editor |
|
|
|
|
|
|
Activate logging on your critical systems |
|
Set proper permissions on the log files, utmp,
wtmp, lastlog, and users’ shell history files |
|
Setup a a separate logging server |
|
Add line “syslog 514/udp” to /etc/services on logging server |
|
Modify /etc/syslog.conf on critical server to redirect desired message types to
logging server |
|
Hostname and IP address of logging server should
be added to /etc/hosts on critical
server to thwart DNS attack |
|
In Windows NT/2000, replace EventLog service
with an NT-compatible version of syslog to centralize logging |
|
Kiwi syslog for NT http://www.kiwi-enterprises.com |
|
|
|
|
|
Encrypt log files http://www.core-sdi.com/english/freesoft.html |
|
On Linux systems, make log files append only |
|
$
chattr +a [log_filename] |
|
Store logs on write-once media such as CD-ROM |
|
|
|
|
|
|
|
|
Right-click on file or directory in Windows
Explorer and selecting “properties” |
|
|
|
|
On WinNT’s Windows Explorer, click on “view”
menu to show all files |
|
in Win2000’s Windows Explorer, click on folder
options |
|
|
|
|
|
|
|
NTFS allows every file to have multiple streams
of data associated with it |
|
The normal contents of a file that can be seen
and accessed by users is a stream itself |
|
Other
data can be attached and hidden as separate stream using “cp”
program in Windows NT Resource Kit |
|
C:\>
cp stuff.txt notepad.exe:data |
|
C:\>
erase stuff.txt |
|
C:\>
notepad.exe |
|
C:\>
cp notepad.exe:data
stuff.txt |
|
|
|
|
|
|
Use file integrity checking tools such as
Tripwire to check contents of files and directories to verify that no
additional data, files or directories have been hidden in them |
|
Use host-based IDS tools and anti-virus tools to
check for presence of hidden file and generate alert message |
|
|
|
|
Communication channels that disguises data while
it moves across the network to avoid detection |
|
Require a client and server |
|
Can be used to remotely control a machine and to
secretly transfer files or applications |
|
|
|
|
|
|
|
|
|
|
Perform a buffer overflow on victim and install
a backdoor |
|
Email an unsuspecting user an executable which
installs a covert channel server |
|
Install covert channel as a contractor or
employee with administrative privilege |
|
|
|
|
|
|
|
Carrying one protocol inside another protocol |
|
Eg. Tunneling AppleTalk traffic over IP |
|
Any communications protocol can be used to transmit another protocol |
|
SSH protocol used to carry telnet, FTP, or
X-Windows session |
|
Used by covert channels |
|
Loki |
|
Reverse WWW Shell |
|
|
|
|
Covert channel using ICMP as a tunnel to carry
interactive communication with a backdoor listener |
|
More stealthy and difficult to detect than other
backdoor programs that listen on a given TCP/UDP port |
|
Description and source code available at http://phrack.com |
|
Loki client wraps up attacker’s commands in ICMP
and transmits them to the Loki server (lokid) |
|
Loki server upwraps the commands, executes them
and wraps the responses up in ICMP packets |
|
Lokid must be run with root privilege |
|
|
|
|
|
|
|
|
|
|
can only be detected via the presence of Loki
daemon process running as root on
the victim and the presence of bidirectional ICMP traffic |
|
Can disguise its packets as DNS queries and
responses by running over UDP port 53 |
|
Supports protocol-switching by typing “/swapt”
on client to toggle between ICMP
and UDP port 53 |
|
Supports encryption of ICMP payload information |
|
|
|
|
Uses HHTP as a covert channel |
|
Allows an attacker to remotely access a victim
machine with a command-line prompt |
|
A Reverse WWW Shell server and Perl interpreter
must be installed on the victim machine |
|
A Reverse WWW Shell master software and Perl
interpreter must be installed on the attacker’s machine |
|
Can sneak past firewall |
|
Perl code available at http://thc.pimmel.com |
|
|
|
|
Every minute, Reverse WWW Shell server will
contact the master to retrieve commands issued by the attacker |
|
Reverse WWW Shell server executes the
commands, sends the results to
Reverse WWW Shell master (via http request), and retrieves the next command
(via http reply) |
|
Victim machine appears to be a web client
sending HHTP Get commands while attacker’s machine appears to be a web
server |
|
|
|
|
|
|
ICMP |
|
HTTP |
|
Telnet |
|
SMTP |
|
FTP |
|
Streaming audio |
|
SSH |
|
|
|
|
|
|
http://www.psionic.com/papers/covert |
|
Uses TCP and IP headers to create covert
channels |
|
Data can be hidden in various fields |
|
IP Identification field |
|
One character embedded per packet |
|
TCP sequence number |
|
One character embedded per SYN request and Reset
packets |
|
TCP acknowledgement number |
|
One hidden character per packet is relayed by
a “bounce” server |
|
Can send data over any TCP source/destination
ports |
|
Can bypass firewall if use ports such as 25 or
53 |
|
|
|
|
|
|
|
|
|
Don’t let attacker get root or administrator
access on hosts |
|
Harden OS |
|
Install latest security patches |
|
Install network IDS |
|
Loki and other covert channels can be detected
by Snort |
|
Notes
