Ok, I gave this quiz to a few people at work who want to learn more about IDS and intrusion analysis, and thought some of you may like to try it as well. Its a very basic one, but good to get your feet wet on.

Our IDS at work captured something like the following:

2003/03/16,15:58:36,OUT,IN,TCP/IP,10.1.6.1,172.16.3.5,20,31337, backdoor syn-flood 31337

Ive cut out a lot of the xtra crap the log generates but left the meat. Basically it can be read as the following.

date,time,external -> internal, tcp traffic, src ip, dest ip, src port, dest port, short description of signature.

So heres your quiz
Remember, google is your friend if your not used to doing this type of stuff...

What is the attacker attempting?
Whats the significance of port 31337?
Do you think this was the work of a script kiddie or a more serious cracker, and why?

Bonus questions:
What can you tell me about the src port being 20?
Was the attacker actually malicious or was he a victim as well? Why?


Have fun !! 8)

AFAIK that's where Back Orifice lives. Checking to see if you had it.

Nothing but script kiddies really 31337 spells out "eleet" what a crock!

You ever look at any analysis tools like demarc? Can you recommend any other than Acid that are free frontends to snort. Demarc went commercial. Refer to my Snort how-to for more info.

http://screamingelectron.org/phpBB2/viewtopic.php?t=129

script kiddie, 31337 is a port for the trojan Back Orfice, port 20? No idea :). I think it may be SNMP that the attacking box may have been comprimised. If it was a syn/ack flood I would guess that it may have been a Dr-DoS with your IP spoofed and syn flooded that box, but what do I know, I spend most of my time in school not security :)

You ever look at any analysis tools like demarc? Can you recommend any other than Acid that are free frontends to snort. Demarc went commercial. Refer to my Snort how-to for more info.

http://screamingelectron.org/phpBB2/viewtopic.php?t=129

seems great minds think alike,... only i wrote one up awhile ago for fbsd

http://www.bsdhound.com/modules.php?name=News&file=print&sid=56

Mmmmmmmmm.....Back Orfice. Home of that fun portage FakeBO. Why did they make the port 31337 (eleet)?

Well, everyone has guess the back orifice and 31337 stuff right, but the fun comes in figureing out the bonus questions :wink:

OK I got 20 was FTP so I'm guessing the box may be comprimised? Since it's not a syn/ack flood they are syn flooding and are therefore victims as well (I am guessing because of the ftp thing), or what I am getting wrong?

is this a smurf attack?

Nope, not a smurf attack. The hint lies in the src port..... google is your friend 8)

actually yeah, I do need a slap for thinking stupid out loud. but port 20 -- thats active ftp right?

port 20 is from a ports file that i have:

"ftp-data 20/tcp File Transfer [Default Data]"

WTF does that tell em? :D

Hehe. Total CCNA question.

Using BO to get in, and then useing FTP to transfer stuff out, considering your SYN/ACK for FTP would be on their side for port 21. The outbound IP is actually a loopback2 interface to send back to the host that called the action. So in otherwords, you yourself were trying to enumerate your own companies system for security reasons, and try to send stuff out?

I could be very wrong. Most likely. :P

I could be very wrong. Most likely. icon_razz.gif

Well, you got that part right :P

check out this link for what type of attack this was.

http://www.insecure.org/nmap/hobbit.ftpbounce.txt

And heres the relavent paragraph:

Connections launched this way come from source port 20, which some sites allow through their firewalls in an effort to deal with the "ftp-data" problem. For some purposes, this can be the next best thing to source-routed attacks, and is likely to succeed where source routing fails against packet filters. And it's all made possible by the way the FTP protocol spec was written, allowing control connections to come from anywhere and data connections to go anywhere.


BTW, nmap has an option to do this built in. The attacker most likely used it to bounce off vulnerable ftp server and scan for port 31337 on our box.

Wow! Nice! Gotta pring that one off! :D

do another one, this is kinda entertaining (listening to Kernel that is :P) :D

I 2nd that. More more!

Ok, ill dig into some logs and try to find another interesting one :roll:

Ok, it doesnt get any easier than this one... But hopefully it will keep you happy until I find another interesting one....

2003/03/10,19:40:57,OUT,IN,TCP/IP,62.174.120.43,x.x.x.x,80,0.0.0.0,.ida?<200+ chars>,4E4E4........

buffer overflow?

DDoS?

Hints, search google on the ".ida" This is a new variant of an old attack thats been in the news recently.

ahh... a code red worm variant?

Yup, Code red .F

By John Leyden, The Register Mar 12 2003 6:28AM
Eighteen months after Code Red wormed its way through insecure Microsoft IIS Web Servers, yet another variant has found its way onto the Internet. CodeRed-F most closely resembles Code Red II, differing by only two bytes. This change means CodeRed-F is liable to spread indefinetly unlike CodeRed II, which was programmed to stop spreading at the end of 2002. An advisory by Finnish AV specialist F-Secure explains this point in more detail. The original CodeRed had a payload that causes a Denial of Service attack on the White House Web server. CodeRed-F (like CodeRed II) has a different payload that allows the hacker to have full remote access to the Web server. All the CodeRed worms use a "buffer overflow" exploit to propagate through vulnerable Microsoft IIS Web servers. Admins running IIS are strongly urged to apply a cummulative patch to guard against this, and other similar risks. AV vendors rate CodeRed-F as only a moderate to low-risk worm, largely because the number of vulnerable IIS Web Servers is much reduced since the original outbreak of CodeRed and Nimda (which also spread using the same exploit).

:roll:

Damn. Only half right. :?

Keep em' coming if you're willing to. :D

Ok, tomorrow at work ill grab another one...

8)

Ok, heres another fairly recent attack thats been seen recently and made headline...

2003/03/13,01:21:17,OUT,IN,TCP/IP,140.211.115.212,x.x.x.x,3081,1434,0.0.0.0,


:roll:

This looks to me like the sql slammer silliness of a couple weeks ago...

{K}

Heh, thought that one was too easy. Ill get a hard one 8)

yeah, keep em comin junkE... :wink:

OK, this one wont be as easy :shock:

2003/03/13,08:20:40,IN,OUT,TCP/IP,x.x.x.x,y.y.y.y,53,47262,back door UDP-port 47262

:roll:

I believe that's some Delta Source trojan activity.

{K}

Couple things to note: Notice the direction of traffic, and ports.... :wink:

Well, it's definatly leaving as the Delta Source. As to what is coming in on DNS who knows. ADM, Li0n, a root zone hacker?

Remeber how to read these signatures:

date,time,flow of traffic, type of traffic, src ip, dest ip, src port, dest port, short description of signature.

This came from our internal net heading out. You are right that Delta does listen on that high number port, but its not the case this time...

Does it have anything to do with something called "Microsoft DirectPlay Server" ?

nope

Ok, i told you this was a harder one =)

2003/03/13,08:20:40,IN,OUT,TCP/IP,x.x.x.x,y.y.y.y,53,47262,back door UDP-port 47262


this shows traffic coming from port 53 (DNS) on internal box, outgoing to y.y.y.y port 47262 which is a known trojan horse port for the Delta trojan.

In this case, its a false positive. (get used to these, IDS's are far from perfect yet) It turns out that Microsoft DNS servers will talk to hosts on random high number ports, and in this case, it happened to match the trojan port signature.

Whoa! That's good info!

the one's you struggle with can be great to learn from... how about another?

Another tough one, but easier than the last. =)

2003/03/17,13:14:02,IN,OUT,TCP/IP,x.x.x.x,216.73.86.150,26341,80,%2F / %2f

Ok,

the ip resolves to the alias "ad.us.doubleclick.net" which is a company involved in e-mail marketing, online advertising and other such business.

not sure why/how port 26341 is involved on the inside but port 80 is where the traffic ends up.

the time of day is 1:14 pm. Could this be someone partaking in some e-mail marketing survey on their lunch break, hosted by a doubleclick.net web server? or maybe adware/spyware of sometype?

then there's that "%2F / %2f".... ?

Anyways, best I could do.

Another tough one, but easier than the last. =)

2003/03/17,13:14:02,IN,OUT,TCP/IP,x.x.x.x,216.73.86.150,26341,80,%2F / %2f

Some rat bastard is trying that directory traversal bullshit.

2003/03/17,13:14:02,IN,OUT,TCP/IP,x.x.x.x,216.73.86.150,26341,80,%2F / %2f

Ok, you guys both get half credit. =) The %2f is a directory traversal trick and maps the the "/" key. And the address in question is a doubleclick server.

This again turns out to be a false positive. Whenever an internal user visits a site that talks with the doubleclick server in question, it sends the annoying pop-up and triggures the signature. It appears that doubleclick actually uses %2f instead of "/" since I see this come up quite a bit.

Ok, you guys both get half credit. =) The %2f is a directory traversal trick and maps the the "/" key. And the address in question is a doubleclick server.

Cool :)

This again turns out to be a false positive. Whenever an internal user visits a site that talks with the doubleclick server in question, it sends the annoying pop-up and triggures the signature.

When you say signature - you mean the %2f (?)
If yes, then, for what purpose? On what machine is a directory being traversed? This part I don't understand :?

Way to go jedaffra... like the way you clear out a discussion :(

somebody tell me, were my questions THAT bad?

A signature is a ruleset that the IDS uses. In this case its looking for packets with the %2F inplace of a "/" in a url

Heres a fairly good text ive found to help explain what this could mean:

The software can be duped into serving a restricted file. This is done if an attacker issues a directory traversal request with the hexadecimal representation for the front slash character (%2F). For example, if the URL
http://target.server/%2f..%2f..%2f../winnt/repair/sam were sent to a
target server, the SAM table would be retrieved.

Thanks for the answers dude :wink: