CIS 450 – Network Security Chapter 16 – Covering the Tracks

Transcript of CIS 450 – Network Security Chapter 16 – Covering the Tracks.

Page 1:

CIS 450 – Network Security

Chapter 16 – Covering the Tracks

Page 2:

Hacker’s Perspective: http://www.thc.org/papers/COVER-1.TXT

Backdoor – a way for an attacker to get back into a network or system without being detected. The attacker wants to maintain access by hiding the fact that he was ever there.

Page 3:

Four areas that an attacker is concerned with when covering their tracks:

- Log files – audit trails that list who gained access and for how long (and possibly what they did and what files they accessed)
- File information – since attackers normally have to modify key system files, the information for those files (modification date and file size) tends to change
- Additional files – the attacker usually loads additional files onto the system, which can take a large amount of space
- Network traffic – if an IDS is in use, the attacker has to find and eliminate the IDS records or mask his traffic so that it appears to be normal network traffic

Page 4:

Log Files

- Provide a listing of exactly what is done on the system and by whom
- Logging has to be turned on and checked
- An attacker can delete the entire log file, but this will raise a red flag to the administrator
- An attacker can instead edit the log files and delete only the entries for what the attacker did

Page 5:

Linux Log Files

/etc/syslog.conf – main configuration file for the syslogd daemon that controls logging on

/var/run/utmp
- Tracks who is currently logged into the system
- An entry is added when a user logs in and removed when the user logs out
- Binary file that cannot be read directly; use the programs that come with the OS: who, users, and finger

Page 6:

Linux Log Files

/var/log/wtmp
- Tracks all users who have logged in to and logged out of the system. Can be created manually if not created by login.
- An entry is added when a user logs in and updated when the user logs out
- The file can grow rapidly on busy systems, so daily or weekly rotation is recommended
- Binary file that can be read with the programs last and ac

/var/log/btmp
- Records bad (failed) logon attempts
- Can be created manually if not created by login
- Combine its results with those from wtmp to see whether an attacker gained access after a failed attempt
- Binary file that can be read with the lastb program
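As an added example (not part of the slides), the following Python script performs the btmp/wtmp correlation this slide recommends: it packs a few constructed records in the glibc x86_64 utmp layout (an assumed record format; on a real host you would read /var/log/btmp and /var/log/wtmp with the same parser), parses them, and reports successful logins that follow failed attempts from the same user and host.

```python
import struct
from datetime import datetime, timezone

# Assumed layout: glibc struct utmp on x86_64 (384 bytes, 32-bit time fields).
# ut_type, ut_pid, ut_line, ut_id, ut_user, ut_host, ut_exit (2 shorts),
# ut_session, ut_tv (sec, usec), ut_addr_v6[4], 20 unused bytes.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS = 7  # ut_type for a normal user session

def pack_record(ut_type, user, line, host, ts, pid=1000):
    """Build one constructed utmp record (sample data, not a real log)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)

def parse_records(data):
    """Yield one dict per fixed-size record in a wtmp/btmp byte string."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield {"type": f[0],
               "user": f[4].rstrip(b"\0").decode(errors="replace"),
               "host": f[5].rstrip(b"\0").decode(errors="replace"),
               "time": f[9]}

def correlate(btmp, wtmp, window=600):
    """Return (user, host, failures, success_time) for each wtmp login that
    follows one or more btmp failures for the same user and host within
    `window` seconds: the pattern of a password guessed after several misses."""
    fails = list(parse_records(btmp))
    hits = []
    for ok in parse_records(wtmp):
        if ok["type"] != USER_PROCESS:
            continue  # boot, runlevel and logout records are not logins
        prior = [f for f in fails if f["user"] == ok["user"]
                 and f["host"] == ok["host"] and 0 <= ok["time"] - f["time"] <= window]
        if prior:
            hits.append((ok["user"], ok["host"], len(prior), ok["time"]))
    return hits

# Constructed sample: three failures for "alice" from 10.0.0.5, then a success
# 130 seconds after the first one; "bob" logs in with no prior failures.
T0 = 1700000000
BTMP = b"".join(pack_record(USER_PROCESS, "alice", "pts/1", "10.0.0.5", T0 + 20 * i)
                for i in range(3))
WTMP = (pack_record(USER_PROCESS, "alice", "pts/1", "10.0.0.5", T0 + 130)
        + pack_record(USER_PROCESS, "bob", "pts/2", "10.0.0.9", T0 + 200))

if __name__ == "__main__":
    for user, host, n, ts in correlate(BTMP, WTMP):
        when = datetime.fromtimestamp(ts, timezone.utc).isoformat()
        print(f"{user} from {host}: {n} failed attempt(s), then success at {when}")
```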

Page 7:

Linux Log Files

/var/log/messages
- Syslog is a utility for tracking and logging all manner of system messages, from the merely informational to the extremely critical, and can be configured to put most of the messages in the file /var/log/messages
- The file is ASCII text and can be viewed with the more, cat, and grep commands

/var/log/secure
- Used to log any attempts to log in as root and attempts to use the su command. This file also contains information on attempts to connect from remote systems and failed attempts to log in as root.
- The file is ASCII text and can be viewed with the more, cat, and grep commands

Page 8:

Programs Available to Clean Up Log Files

Available from:

http://www.packetstormsecurity.org/unix-exploits/log-tools/

http://www.dsinet.org/tools/logutils/

Page 9:

Protecting UNIX Log Files

- Set proper permissions on log files – read and write access should be limited to root
- Use a separate server: store your log files on a separate server
- Use honey pots
  - Honey pots are one of the newest methods used in intrusion detection. The idea behind a honey pot is to set up a "decoy" system that has a non-hardened operating system, or one that appears to have several vulnerabilities, for easy access to its resources.
  - The decoy system should be set up in a similar manner to the corporation's production servers and should be loaded with numerous fake files, directories, and other information that may look real.
  - By making the honey pot appear to be a legitimate machine with legitimate files, it leads the hacker to believe that they have gained access to important information
- Make regular backups of the log files – back up to several places across the network and some on removable media
- Use write-once media
- Encrypt the log files
- Review the log files on a regular basis

Page 10:

System 2000 Logging

http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/monitor/03w2kadb.mspx

Page 11:

File Information

- When an attacker installs a backdoor he has to modify some key system files
- If a file came with the base OS, it should not be modified in the course of using the system – check the modification date
- Some rootkits have utilities built in to modify file information
- Protection against: create a cryptographic hash of each file – Tripwire

Page 12:

Additional Files

- The attacker uploads tools to the victim’s system so he has access to them when needed
- The attacker tries to hide the fact that additional files have been added by:
  - Setting the hidden attribute on a file
  - Renaming the files
  - Creating hidden partitions or shares
  - Modifying the free-space utility

Page 13:

Additional Files

- Use steganography tools: the art and science of hiding information by embedding messages within other, seemingly harmless messages. Steganography works by replacing bits of useless or unused data in regular computer files (such as graphics, sound, text, HTML, or even floppy disks) with bits of different, invisible information. This hidden information can be plain text, cipher text, or even images.
- http://www.stegoarchive.com/
- THC Steganographic Challenge

Page 14:

Additional Files

- Protection against – know what’s on your system
- Run software such as Tripwire
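As an added example for this slide and for the file-information slide (Page 11), not code from the course or from Tripwire, the following Python script builds a Tripwire-style baseline of size, mtime and SHA-256 for every file under a directory and reports additions, removals and changes. The demo uses a constructed temporary directory and shows why the hash matters: a replaced file of the same size whose timestamp has been put back is still caught.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map relative path -> (size, mtime, sha256) for every regular file under root."""
    base = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            base[os.path.relpath(path, root)] = (st.st_size, int(st.st_mtime), digest)
    return base

def compare(old, new):
    """Report files added, removed, or changed between two snapshots. A file is
    'changed' when any recorded attribute differs; the reason says whether the
    content hash moved, so a reset timestamp and unchanged size do not hide it."""
    report = {"added": sorted(set(new) - set(old)),
              "removed": sorted(set(old) - set(new)), "changed": []}
    for path in sorted(set(old) & set(new)):
        if old[path] != new[path]:
            reason = "content" if old[path][2] != new[path][2] else "metadata"
            report["changed"].append((path, reason))
    return report

def demo():
    """Constructed scenario in a temporary directory: replace bin/ls with a
    same-length file and put its old mtime back, delete etc/motd, add .x."""
    root = tempfile.mkdtemp()
    for rel, content in {"bin/ls": b"original ls", "etc/motd": b"hello"}.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    before = snapshot(root)                      # the trusted baseline
    ls = os.path.join(root, "bin", "ls")
    st = os.stat(ls)
    with open(ls, "wb") as fh:
        fh.write(b"trojaned ls")                 # same size as the original
    os.utime(ls, (st.st_atime, st.st_mtime))     # restore the old timestamp
    os.remove(os.path.join(root, "etc", "motd"))
    with open(os.path.join(root, ".x"), "wb") as fh:
        fh.write(b"tools")
    return compare(before, snapshot(root))

if __name__ == "__main__":
    print(demo())
```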

Page 15:

Covering Tracks on the Network

- The attacker will either try to hide their traffic or make it look like other traffic on the network
- Loki: http://www.phrack.org/show.php?p=49&a=6 and http://windowsecurity.com/pages/article_p.asp?id=688
- Reverse WWW Shell – malicious code attacks via HTTP: http://www.thc.org/papers/fw-backd.htm
- Covert TCP: http://www.securityfocus.net/tools/1475