19.4 Detailed Case Example[12]

One Friday morning, a system administrator at Corporation X in New York noticed an unusual process named monitor on an important database server and found a hidden directory ("/usr/share/man/...") containing monitor and what appeared to be an associated sniffer log. One of Corporation X's digital evidence examiners responded, following standard operating procedures to confirm that the host had been compromised and to gather related evidence. A quick analysis of the digital evidence from the system revealed the point of origin, method of initiation, and intent. The intruder had broken in through a recently publicized vulnerability in the Oracle database software running on the server. The intruder had fixed the vulnerability to prevent others from exploiting it, installed a rootkit with a backdoor for regaining entry to the system, and started a sniffer to monitor network traffic. There was no evidence on the system that revealed the source of the attack or the intruder's IP address. Furthermore, Corporation X's firewall, intrusion detection system, and NetFlow logs did not appear to contain any entries that were obviously related to the intrusion.

The examiner informed Corporation X's management and attorneys of the developing situation and obtained approval to proceed. He then discovered several other compromised servers using an automated scanning tool configured to detect the intruder's backdoor. He did not have administrative access to many of these systems, and it would have taken several days to gain physical access to some of them. Because there was an imminent danger that the intruder would return to delete the sniffer logs from these systems, the organization authorized the examiner to connect to the systems through the intruder's backdoor and collect digital evidence remotely, as discussed in Chapter 15. Connecting through the intruder's backdoor had the added advantage of concealing the fact that the examiner was connected to the system, reducing the risk of alerting the intruder to his presence:

    examiner1% script host32-062202-case14524
    Script started on Sat Jun 22 13:58:15 2002
    examiner1% ssh -l backdoor_account host32.corpX.com
    Last login: Thu Jun 20 07:15:55 on pts/2
    # w
      1:58pm up 83 day(s), 8:56, 0 users, load average: 0.02, 0.02, 0.07
    User     tty           login@  idle   JCPU   PCPU  what
    # ps -ef
         UID   PID  PPID  C    STIME TTY      TIME CMD
        root     0     0  0   Apr 01 ?        0:00 sched
        root     1     0  0   Apr 01 ?        1:28 /etc/init -
        root     2     0  0   Apr 01 ?        0:06 pageout
        root     3     0  0   Apr 01 ?      175:52 fsflush
        root   349   346  0   Apr 01 ?        0:01 /usr/lib/saf/listen tcp
        root   201     1  0   Apr 01 ?        3:09 /usr/sbin/cron
        root   346     1  0   Apr 01 ?        0:01 /usr/lib/saf/sac -t 300
    <cut for brevity>
      nobody   320     1  0   Apr 01 ?        0:04 /oracle/bin/oraweb -C /or
      oracle 22493     1  0   May 25 ?        7:59 ora_smon_finance1
      oracle 22487     1  0   May 25 ?        0:05 ora_pmon_finance1
      oracle 22491     1  0   May 25 ?       18:49 ora_lgwr_finance1
      oracle 22489     1  0   May 25 ?       55:09 ora_dbwr_finance1
      oracle 22495     1  0   May 25 ?        0:02 ora_reco_finance1
      oracle 14401     1  0   May 10 ?        8:36 ora_smon_finance2
      oracle 14399     1  0   May 10 ?        3:14 ora_lgwr_finance2
      oracle 14397     1  0   May 10 ?        7:02 ora_dbwr_finance2
      oracle 14395     1  0   May 10 ?        0:02 ora_pmon_finance2
    <cut for brevity>
        root 15718     1  0   Jun 17 ?       30:09 ./solsniffer -s
        root 23656 23652  1 13:58:34 pts/1    0:00 ps -ef
    # cd /usr/share/man/...
    # ls -altc
    total 4950
    -rw-rw-r--   1 root     root      911381 Jun 22 13:57 log
    drwxrwxrwt   4 sys      sys         1024 Jun 22 04:00 ..
    drwxrwxr-x   2 root     root         512 Jun 17 17:07 .
    -rwx--x--x   1 root     root       19996 Jun 17 17:07 solsniffer
    # md5 log
    md5: Command not found.
    # cat log
    <sniffer log cut for brevity>
    # scp log examiner@examiner1.corpX.com:/e1/case14524/host32-log-062202
    # mail examiner@corpX.com < log

Anticipating that the intruder would return, the examiner monitored network traffic to the compromised hosts using Argus. That evening, the intruder was observed gaining unauthorized access to one of the compromised hosts from another system on the network:

    examiner1% ra -r argus.out host 192.168.0.101
    22 Jun 02 23:26:56 tcp 192.168.0.5.2444 -> 192.168.0.101.ssh EST
    22 Jun 02 23:28:05 tcp 192.168.0.5.2444 -> 192.168.0.101.ssh EST
    22 Jun 02 23:29:26 tcp 192.168.0.5.2444 -> 192.168.0.101.ssh FIN

The examiner connected to the compromised host (192.168.0.101) through the intruder's backdoor, gathered digital evidence from memory, shut the system down, and collected the hardware as evidence. In this way, the intruder's presence on the compromised host was documented and the original hardware was preserved for later analysis.

The examiner determined that the intruder was using a stolen account on an internal system (192.168.0.5) to launch attacks against other hosts on the network. The firewall, intrusion detection system, and the router that generated NetFlow logs were not between the launch pad and the target hosts. This explained how the intruder had been able to target the vulnerable ports on the compromised systems even though they were protected by a firewall. This also explained why the intrusion detection systems and NetFlow logs did not contain any useful data. Incidentally, as a result of the lessons learned from this incident, Corporation X installed permanent Argus probes on all of their important network segments to ensure that these logs were available in the future.

The intruder had stored tools in a hidden directory of this stolen account but had not been able to erase system log files. The examiner collected the log files and contents of the stolen account as evidence. Logon records from the stolen account contained the IP address of a computer on a business partner's network - Business Z in San Francisco:

    host5% last stolen_account
    stolen_account pts/3   172.16.12.15  Sat Jun 22 23:24   still logged in
    stolen_account pts/22  172.16.12.15  Thu Jun 20 07:13 - 07:37  (00:24)
    stolen_account pts/5   172.16.12.15  Mon Jun 17 16:51 - 17:38  (00:47)
    wtmp begins Sun Jun 16 19:10:54 2002

The examiner called his counterpart in Business Z on her mobile phone to inform her of the problem. She quickly determined the Windows NT system in question (172.16.12.15) was running a Trojan horse program (Back Orifice 2000) and did not contain any logs containing the intruder's IP address. Also, Business Z's intrusion detection system logs did not contain any alerts relating to the compromised Windows NT system, probably because connections between the Back Orifice client and server were encrypted. However, Business Z's NetFlow logs did show incoming connections to the compromised Windows NT system and subsequent outgoing connections to the machine on Corporation X's network:

    flow% flow-cat /netflow/2002-06-22/ft-v05.2002-06-22.203000 | flow-filter -Dbo2k -f ./bo2k-062202.acl | flow-print -f5
    Start        End          SrcIPaddress   SrcP  DstIPaddress  DstP   Octets
    0622.20:20   0622.20:49   10.145.32.24   2584  172.16.12.15  443    2412085
    flow% flow-cat /netflow/2002-06-22/ft-v05.2002-06-22.203000 | flow-filter -Sbo2k -f ./bo2k-062202.acl | flow-print -f5
    Start        End          SrcIPaddress   SrcP  DstIPaddress  DstP   Octets
    0622.20:20   0622.20:50   172.16.12.15   443   10.145.32.24  2584   3660674
    0622.20:23   0622.20:43   172.16.12.15   1927  192.168.0.5   22     3457683

The two examiners corrected the time zone difference between New York and San Francisco and confirmed that these connections corresponded to the logon records from the stolen account. They immediately contacted the ISP that the intruder was using and asked them to preserve evidence on their systems relating to the intrusions.
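The cross-site correlation described above, as an added example that is not from the book: it parses flow-print and `last` records shaped like the ones shown, attaches the assumed local time zones (Pacific for Business Z's collector, Eastern for host5) and matches overlapping windows from the same source address. The sample lines are constructed; a small tolerance is allowed for clock drift between the two sites.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample input shaped like the flow-print -f5 and `last` output above.
# Assumed: Business Z's collector logs Pacific time (UTC-7 in June), host5 Eastern (UTC-4).
FLOW_LINES = """\
0622.20:20   0622.20:50  172.16.12.15   443   10.145.32.24  2584   3660674
0622.20:23   0622.20:43  172.16.12.15   1927  192.168.0.5   22     3457683
"""
LAST_LINES = """\
stolen_account pts/3   172.16.12.15  Sat Jun 22 23:24   still logged in
stolen_account pts/22  172.16.12.15  Thu Jun 20 07:13 - 07:37  (00:24)
"""
YEAR = 2002                           # neither format records the year
PDT = timezone(timedelta(hours=-7))
EDT = timezone(timedelta(hours=-4))
SLACK = timedelta(minutes=5)          # tolerance for clock drift between the two sites

def parse_flow(line):
    start, end, src, _sport, dst, dport, _octets = line.split()
    to_dt = lambda s: datetime.strptime(f"{YEAR}{s}", "%Y%m%d.%H:%M").replace(tzinfo=PDT)
    return {"start": to_dt(start), "end": to_dt(end), "src": src, "dst": dst, "dport": int(dport)}

def parse_last(line):
    f = line.split()
    user, host, mon, day = f[0], f[2], f[4], f[5]
    to_dt = lambda hm: datetime.strptime(f"{YEAR} {mon} {day} {hm}", "%Y %b %d %H:%M").replace(tzinfo=EDT)
    start = to_dt(f[6])
    if "still logged in" in line:
        end = None                      # open session: no upper bound yet
    else:
        end = to_dt(f[8])
        if end < start:                 # session crossed midnight
            end += timedelta(days=1)
    return {"user": user, "host": host, "start": start, "end": end}

def correlate(flow_lines, last_lines, target):
    """Pair each flow destined for `target` with every logon on `target` from the same
    source IP whose window overlaps it; comparing timezone-aware datetimes applies the
    New York / San Francisco correction implicitly."""
    flows = [parse_flow(l) for l in flow_lines.splitlines() if l.strip()]
    logons = [parse_last(l) for l in last_lines.splitlines() if l.strip()]
    hits = []
    for fl in (f for f in flows if f["dst"] == target):
        for lo in logons:
            if fl["src"] == lo["host"] and lo["start"] <= fl["end"] + SLACK \
               and (lo["end"] is None or fl["start"] <= lo["end"] + SLACK):
                hits.append((fl, lo))
    return hits
```

Running `correlate(FLOW_LINES, LAST_LINES, "192.168.0.5")` pairs the 20:23 Pacific flow to port 22 with the 23:24 Eastern logon, the same match the two examiners made by hand.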

The organizations then reported the incident to the FBI and provided them with enough information to obtain subscriber details from the ISP used by the intruder. The FBI determined that the dial-up account used by the intruder had been stolen. Fortunately, the ISP had Automatic Number Identification (ANI) records that contained the intruder's home telephone number:

To: FBI
From: ISP
Date: 06/30/02
Re: Case #14524

The following is the information you requested in the Subpoena of the United States District Court in the District of New York, dated 06/25/02, which I have enclosed. The information is correct to the best of my knowledge and I will keep records of my investigation until you tell me otherwise.

You requested the information pertaining to the following connections:

Username: janedoe
IP address assigned: 10.145.32.24
Time of connection: 23:22:38 (EST5EDT) Jun 22, 2002
Time of disconnect: 23:54:12 (EST5EDT) Jun 22, 2002
ANI information: (510) 555-2356

Username: janedoe
IP address assigned: 10.145.32.17
Time of connection: 07:12:54 (EST5EDT) Jun 20, 2002
Time of disconnect: 07:40:06 (EST5EDT) Jun 20, 2002
ANI information: (510) 555-2356

Username: janedoe
IP address assigned: 10.145.32.105
Time of connection: 16:32:17 (EST5EDT) Jun 17, 2002
Time of disconnect: 18:53:32 (EST5EDT) Jun 17, 2002
ANI information: (510) 555-2356

After performing a background check and further investigation to satisfy themselves that the resident of the house was responsible for the connections, the FBI obtained a search warrant and seized the suspect's computers. An examination of these computers revealed many links with Corporation X's compromised servers, including sensitive data captured in sniffer logs. Faced with overwhelming evidence, the suspect admitted his involvement and provided the FBI with a list of his accomplices.

[12] This case example is based on abstracted lessons from various investigations. Any resemblance to actual incidents is coincidental.

Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279