bsdjunkie
March 9th, 2003, 11:24
Ok, I gave this quiz to a few people at work who want to learn more about IDS and intrusion analysis, and thought some of you may like to try it as well. It's a very basic one, but good to get your feet wet on.

Our IDS at work captured something like the following:

2003/03/16,15:58:36,OUT,IN,TCP/IP,10.1.6.1,172.16.3.5,20,31337, backdoor syn-flood 31337

I've cut out a lot of the extra crap the log generates but left the meat. Basically it can be read as the following.

date,time,external -> internal, tcp traffic, src ip, dest ip, src port, dest port, short description of signature.

So here's your quiz.
Remember, Google is your friend if you're not used to doing this type of stuff...

What is the attacker attempting?
What's the significance of port 31337?
Do you think this was the work of a script kiddie or a more serious cracker, and why?

Bonus questions:
What can you tell me about the src port being 20?
Was the attacker actually malicious or was he a victim as well? Why?


Have fun !! 8)

elmore
March 9th, 2003, 14:04
AFAIK that's where Back Orifice lives. Checking to see if you had it.

elmore
March 9th, 2003, 14:06
Nothing but script kiddies really. 31337 spells out "eleet", what a crock!

elmore
March 9th, 2003, 14:09
You ever look at any analysis tools like demarc? Can you recommend any other than Acid that are free frontends to snort. Demarc went commercial. Refer to my Snort how-to for more info.

http://screamingelectron.org/phpBB2/viewtopic.php?t=129

v902
March 9th, 2003, 15:18
Script kiddie, 31337 is a port for the trojan Back Orifice, port 20? No idea :). I think it may be SNMP that the attacking box may have been compromised. If it was a syn/ack flood I would guess that it may have been a Dr-DoS with your IP spoofed and syn flooded that box, but what do I know, I spend most of my time in school not security :)

soup4you2
March 9th, 2003, 15:32
You ever look at any analysis tools like demarc? Can you recommend any other than Acid that are free frontends to snort. Demarc went commercial. Refer to my Snort how-to for more info.

http://screamingelectron.org/phpBB2/viewtopic.php?t=129

Seems great minds think alike... only I wrote one up a while ago for fbsd

http://www.bsdhound.com/modules.php?name=News&file=print&sid=56

Kernel_Killer
March 9th, 2003, 16:57
Mmmmmmmmm.....Back Orifice. Home of that fun portage FakeBO. Why did they make the port 31337 (eleet)?

bsdjunkie
March 9th, 2003, 16:59
Well, everyone has guessed the Back Orifice and 31337 stuff right, but the fun comes in figuring out the bonus questions :wink:

v902
March 9th, 2003, 21:54
OK, I got that 20 was FTP, so I'm guessing the box may be compromised? Since it's not a syn/ack flood they are syn flooding and are therefore victims as well (I am guessing because of the ftp thing), or what am I getting wrong?

schotty
March 9th, 2003, 22:27
is this a smurf attack?

bsdjunkie
March 9th, 2003, 22:45
Nope, not a smurf attack. The hint lies in the src port..... google is your friend 8)

schotty
March 9th, 2003, 23:01
Actually yeah, I do need a slap for thinking stupid out loud. But port 20 -- that's active FTP, right?

v902
March 9th, 2003, 23:04
port 20 is from a ports file that i have:

"ftp-data 20/tcp File Transfer [Default Data]"

WTF does that tell me? :D

Kernel_Killer
March 10th, 2003, 03:11
Hehe. Total CCNA question.

Using BO to get in, and then using FTP to transfer stuff out, considering your SYN/ACK for FTP would be on their side for port 21. The outbound IP is actually a loopback2 interface to send back to the host that called the action. So in other words, you yourself were trying to enumerate your own company's system for security reasons, and try to send stuff out?

I could be very wrong. Most likely. :P

bsdjunkie
March 10th, 2003, 10:53
I could be very wrong. Most likely. :P

Well, you got that part right :P

Check out this link for what type of attack this was.

http://www.insecure.org/nmap/hobbit.ftpbounce.txt

And here's the relevant paragraph:

Connections launched this way come from source port 20, which some sites allow through their firewalls in an effort to deal with the "ftp-data" problem. For some purposes, this can be the next best thing to source-routed attacks, and is likely to succeed where source routing fails against packet filters. And it's all made possible by the way the FTP protocol spec was written, allowing control connections to come from anywhere and data connections to go anywhere.


BTW, nmap has an option to do this built in. The attacker most likely used it to bounce off a vulnerable FTP server and scan for port 31337 on our box.

Kernel_Killer
March 10th, 2003, 21:40
Wow! Nice! Gotta print that one off! :D

v902
March 11th, 2003, 00:20
do another one, this is kinda entertaining (listening to Kernel that is :P) :D

Kernel_Killer
March 11th, 2003, 10:03
I 2nd that. More more!

bsdjunkie
March 11th, 2003, 10:55
Ok, I'll dig into some logs and try to find another interesting one :roll:

bsdjunkie
March 11th, 2003, 11:02
Ok, it doesn't get any easier than this one... But hopefully it will keep you happy until I find another interesting one....

2003/03/10,19:40:57,OUT,IN,TCP/IP,62.174.120.43,x.x.x.x,80,0.0.0.0,.ida?<200+ chars>,4E4E4........

v902
March 11th, 2003, 20:42
buffer overflow?

Kernel_Killer
March 11th, 2003, 21:56
DDoS?

bsdjunkie
March 12th, 2003, 11:09
Hint: search Google on the ".ida". This is a new variant of an old attack that's been in the news recently.

jedaffra
March 12th, 2003, 12:53
ahh... a code red worm variant?

bsdjunkie
March 12th, 2003, 13:10
Yup, Code Red .F

By John Leyden, The Register Mar 12 2003 6:28AM
Eighteen months after Code Red wormed its way through insecure Microsoft IIS Web Servers, yet another variant has found its way onto the Internet. CodeRed-F most closely resembles Code Red II, differing by only two bytes. This change means CodeRed-F is liable to spread indefinitely unlike CodeRed II, which was programmed to stop spreading at the end of 2002. An advisory by Finnish AV specialist F-Secure explains this point in more detail. The original CodeRed had a payload that causes a Denial of Service attack on the White House Web server. CodeRed-F (like CodeRed II) has a different payload that allows the hacker to have full remote access to the Web server. All the CodeRed worms use a "buffer overflow" exploit to propagate through vulnerable Microsoft IIS Web servers. Admins running IIS are strongly urged to apply a cumulative patch to guard against this, and other similar risks. AV vendors rate CodeRed-F as only a moderate to low-risk worm, largely because the number of vulnerable IIS Web Servers is much reduced since the original outbreak of CodeRed and Nimda (which also spread using the same exploit).

:roll:

Kernel_Killer
March 12th, 2003, 23:32
Damn. Only half right. :?

Keep 'em coming if you're willing to. :D

bsdjunkie
March 12th, 2003, 23:39
Ok, tomorrow at work I'll grab another one...

8)

bsdjunkie
March 13th, 2003, 12:37
Ok, here's another fairly recent attack that's been seen recently and made headlines...

2003/03/13,01:21:17,OUT,IN,TCP/IP,140.211.115.212,x.x.x.x,3081,1434,0.0.0.0,


:roll:

KrUsTy!
March 13th, 2003, 13:04
This looks to me like the sql slammer silliness of a couple weeks ago...

{K}

bsdjunkie
March 13th, 2003, 13:45
Heh, thought that one was too easy. I'll get a hard one 8)

jedaffra
March 13th, 2003, 13:47
yeah, keep em comin junkE... :wink:

bsdjunkie
March 13th, 2003, 16:47
OK, this one won't be as easy :shock:

2003/03/13,08:20:40,IN,OUT,TCP/IP,x.x.x.x,y.y.y.y,53,47262,back door UDP-port 47262

:roll:

KrUsTy!
March 13th, 2003, 17:01
I believe that's some Delta Source trojan activity.

{K}

bsdjunkie
March 13th, 2003, 17:49
Couple things to note: Notice the direction of traffic, and ports.... :wink:

Kernel_Killer
March 14th, 2003, 00:45
Well, it's definitely leaving as the Delta Source. As to what is coming in on DNS who knows. ADM, Li0n, a root zone hacker?

bsdjunkie
March 14th, 2003, 11:37
Remember how to read these signatures:

date,time,flow of traffic, type of traffic, src ip, dest ip, src port, dest port, short description of signature.

This came from our internal net heading out. You are right that Delta does listen on that high number port, but it's not the case this time...

jedaffra
March 14th, 2003, 16:07
Does it have anything to do with something called "Microsoft DirectPlay Server" ?

bsdjunkie
March 14th, 2003, 17:29
nope

bsdjunkie
March 16th, 2003, 00:09
Ok, I told you this was a harder one =)

2003/03/13,08:20:40,IN,OUT,TCP/IP,x.x.x.x,y.y.y.y,53,47262,back door UDP-port 47262


This shows traffic coming from port 53 (DNS) on an internal box, outgoing to y.y.y.y port 47262, which is a known trojan horse port for the Delta trojan.

In this case, it's a false positive. (Get used to these, IDSs are far from perfect yet.) It turns out that Microsoft DNS servers will talk to hosts on random high number ports, and in this case, it happened to match the trojan port signature.

Kernel_Killer
March 16th, 2003, 19:34
Whoa! That's good info!

jedaffra
March 17th, 2003, 15:29
The ones you struggle with can be great to learn from... how about another?

bsdjunkie
March 17th, 2003, 15:36
Another tough one, but easier than the last. =)

2003/03/17,13:14:02,IN,OUT,TCP/IP,x.x.x.x,216.73.86.150,26341,80,%2F / %2f

jedaffra
March 17th, 2003, 16:02
Ok,

the ip resolves to the alias "ad.us.doubleclick.net" which is a company involved in e-mail marketing, online advertising and other such business.

not sure why/how port 26341 is involved on the inside but port 80 is where the traffic ends up.

the time of day is 1:14 pm. Could this be someone partaking in some e-mail marketing survey on their lunch break, hosted by a doubleclick.net web server? or maybe adware/spyware of sometype?

then there's that "%2F / %2f".... ?

Anyways, best I could do.

schotty
March 18th, 2003, 05:13
Another tough one, but easier than the last. =)

2003/03/17,13:14:02,IN,OUT,TCP/IP,x.x.x.x,216.73.86.150,26341,80,%2F / %2f

Some rat bastard is trying that directory traversal bullshit.

bsdjunkie
March 18th, 2003, 17:05
2003/03/17,13:14:02,IN,OUT,TCP/IP,x.x.x.x,216.73.86.150,26341,80,%2F / %2f

Ok, you guys both get half credit. =) The %2f is a directory traversal trick and maps to the "/" key. And the address in question is a doubleclick server.

This again turns out to be a false positive. Whenever an internal user visits a site that talks with the doubleclick server in question, it sends the annoying pop-up and triggers the signature. It appears that doubleclick actually uses %2f instead of "/" since I see this come up quite a bit.

jedaffra
March 19th, 2003, 11:37
Ok, you guys both get half credit. =) The %2f is a directory traversal trick and maps to the "/" key. And the address in question is a doubleclick server.

Cool :)

This again turns out to be a false positive. Whenever an internal user visits a site that talks with the doubleclick server in question, it sends the annoying pop-up and triggers the signature.

When you say signature - you mean the %2f (?)
If yes, then, for what purpose? On what machine is a directory being traversed? This part I don't understand :?

jedaffra
April 4th, 2003, 09:14
Way to go jedaffra... like the way you clear out a discussion :(

somebody tell me, were my questions THAT bad?

bsdjunkie
April 4th, 2003, 16:46
A signature is a ruleset that the IDS uses. In this case it's looking for packets with the %2F in place of a "/" in a URL.

Here's a fairly good text I've found to help explain what this could mean:

The software can be duped into serving a restricted file. This is done if an attacker issues a directory traversal request with the hexadecimal representation for the front slash character (%2F). For example, if the URL http://target.server/%2f..%2f..%2f../winnt/repair/sam were sent to a target server, the SAM table would be retrieved.
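As an added example (not code from the thread or any IDS product), here is a small Python triage script that parses the log format bsdjunkie describes (date, time, flow, type, src ip, dest ip, src port, dest port, signature text) and applies the rules worked out in this thread, including both false-positive cases. The internal DNS server address and the ad-server allowlist are assumptions constructed for the example.

```python
import urllib.parse
from dataclasses import dataclass

# Field order as bsdjunkie describes it:
# date,time,flow from,flow to,proto,src ip,dest ip,src port,dest port,signature text
@dataclass
class Event:
    date: str
    time: str
    flow: str     # "OUT->IN" (external to internal) or "IN->OUT"
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    sig: str

def _port(s):
    # Some records carry "0.0.0.0" where a port should be; treat that as unknown.
    return int(s) if s.isdigit() else -1

def parse_event(line):
    f = [x.strip() for x in line.split(",", 9)]  # the signature text may itself contain commas
    return Event(f[0], f[1], f"{f[2]}->{f[3]}", f[4], f[5], f[6], _port(f[7]), _port(f[8]), f[9])

TROJAN_PORTS = {31337: "Back Orifice", 47262: "Delta Source"}
# Assumed allowlist of ad servers observed sending %2F for "/" (constructed for this example).
AD_SERVERS = {"216.73.86.150"}

def triage(ev, internal_dns):
    """Return a short verdict; internal_dns is the set of our own DNS server addresses (assumed)."""
    if ev.flow == "IN->OUT" and ev.sport == 53 and ev.src in internal_dns and ev.dport in TROJAN_PORTS:
        return "false positive: internal DNS server talking to a random high port"
    if "%2f" in ev.sig.lower():
        path = urllib.parse.unquote(ev.sig)        # %2F -> "/"
        if ".." in path:
            return "directory traversal attempt"
        if ev.dst in AD_SERVERS:
            return "false positive: ad server encodes '/' as %2F"
        return "encoded slash in URL, review"
    if ".ida?" in ev.sig:
        return "Code Red family IIS .ida probe"
    if ev.dport == 1434:
        return "SQL Slammer style probe on 1434"
    if ev.flow == "OUT->IN" and ev.sport == 20 and ev.dport in TROJAN_PORTS:
        return f"probable FTP bounce scan for {TROJAN_PORTS[ev.dport]} (source port 20)"
    if ev.dport in TROJAN_PORTS:
        return f"scan for {TROJAN_PORTS[ev.dport]}"
    return "unclassified"
```

The order of the checks matters: the DNS allow-rule runs before the trojan-port rule so the Microsoft DNS case is suppressed, while the %2F rule still reports traversal when the decoded path actually contains "..".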

jedaffra
April 6th, 2003, 14:12
Thanks for the answers dude :wink: